search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix i18n bug.
[gnupg.git] / g10 / keyserver.c
bloba7c67c00db0287e256e86c7bd06ea1c6ad61aebc
1 /* keyserver.c - generic keyserver code
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008,
3 * 2009 Free Software Foundation, Inc.
4 *
5 * This file is part of GnuPG.
6 *
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include <config.h>
22 #include <ctype.h>
23 #include <stdio.h>
24 #include <string.h>
25 #include <stdlib.h>
26 #include <assert.h>
27 #include <errno.h>
28
29 #include "gpg.h"
30 #include "iobuf.h"
31 #include "filter.h"
32 #include "keydb.h"
33 #include "status.h"
34 #include "exec.h"
35 #include "main.h"
36 #include "i18n.h"
37 #include "ttyio.h"
38 #include "options.h"
39 #include "packet.h"
40 #include "trustdb.h"
41 #include "keyserver-internal.h"
42 #include "util.h"
43 #include "dns-cert.h"
44 #include "pka.h"
45
46 #ifdef HAVE_W32_SYSTEM
47 /* It seems Vista doesn't grok X_OK and so fails access() tests.
48 Previous versions interpreted X_OK as F_OK anyway, so we'll just
49 use F_OK directly. */
50 #undef X_OK
51 #define X_OK F_OK
52 #endif /* HAVE_W32_SYSTEM */
53
54 struct keyrec
55 {
56 KEYDB_SEARCH_DESC desc;
57 u32 createtime,expiretime;
58 int size,flags;
59 byte type;
60 IOBUF uidbuf;
61 unsigned int lines;
62 };
63
64 enum ks_action {KS_UNKNOWN=0,KS_GET,KS_GETNAME,KS_SEND,KS_SEARCH};
65
66 static struct parse_options keyserver_opts[]=
67 {
68 /* some of these options are not real - just for the help
69 message */
70 {"max-cert-size",0,NULL,NULL},
71 {"include-revoked",0,NULL,N_("include revoked keys in search results")},
72 {"include-subkeys",0,NULL,N_("include subkeys when searching by key ID")},
73 {"use-temp-files",0,NULL,
74 N_("use temporary files to pass data to keyserver helpers")},
75 {"keep-temp-files",KEYSERVER_KEEP_TEMP_FILES,NULL,
76 N_("do not delete temporary files after using them")},
77 {"refresh-add-fake-v3-keyids",KEYSERVER_ADD_FAKE_V3,NULL,
78 NULL},
79 {"auto-key-retrieve",KEYSERVER_AUTO_KEY_RETRIEVE,NULL,
80 N_("automatically retrieve keys when verifying signatures")},
81 {"honor-keyserver-url",KEYSERVER_HONOR_KEYSERVER_URL,NULL,
82 N_("honor the preferred keyserver URL set on the key")},
83 {"honor-pka-record",KEYSERVER_HONOR_PKA_RECORD,NULL,
84 N_("honor the PKA record set on a key when retrieving keys")},
85 {NULL,0,NULL,NULL}
86 };
87
88 static int keyserver_work(enum ks_action action,strlist_t list,
89 KEYDB_SEARCH_DESC *desc,int count,
90 unsigned char **fpr,size_t *fpr_len,
91 struct keyserver_spec *keyserver);
92
93 /* Reasonable guess */
94 #define DEFAULT_MAX_CERT_SIZE 16384
95
96 static size_t max_cert_size=DEFAULT_MAX_CERT_SIZE;
97
98 static void
99 add_canonical_option(char *option,strlist_t *list)
100 {
101 char *arg=argsplit(option);
102
103 if(arg)
104 {
105 char *joined;
106
107 joined=xmalloc(strlen(option)+1+strlen(arg)+1);
108 /* Make a canonical name=value form with no spaces */
109 strcpy(joined,option);
110 strcat(joined,"=");
111 strcat(joined,arg);
112 append_to_strlist(list,joined);
113 xfree(joined);
114 }
115 else
116 append_to_strlist(list,option);
117 }
118
119 int
120 parse_keyserver_options(char *options)
121 {
122 int ret=1;
123 char *tok;
124 char *max_cert=NULL;
125
126 keyserver_opts[0].value=&max_cert;
127
128 while((tok=optsep(&options)))
129 {
130 if(tok[0]=='\0')
131 continue;
132
133 /* For backwards compatibility. 1.2.x used honor-http-proxy and
134 there are a good number of documents published that recommend
135 it. */
136 if(ascii_strcasecmp(tok,"honor-http-proxy")==0)
137 tok="http-proxy";
138 else if(ascii_strcasecmp(tok,"no-honor-http-proxy")==0)
139 tok="no-http-proxy";
140
141 /* We accept quite a few possible options here - some options to
142 handle specially, the keyserver_options list, and import and
143 export options that pertain to keyserver operations. Note
144 that you must use strncasecmp here as there might be an
145 =argument attached which will foil the use of strcasecmp. */
146
147 #ifdef EXEC_TEMPFILE_ONLY
148 if(ascii_strncasecmp(tok,"use-temp-files",14)==0 ||
149 ascii_strncasecmp(tok,"no-use-temp-files",17)==0)
150 log_info(_("WARNING: keyserver option `%s' is not used"
151 " on this platform\n"),tok);
152 #else
153 if(ascii_strncasecmp(tok,"use-temp-files",14)==0)
154 opt.keyserver_options.options|=KEYSERVER_USE_TEMP_FILES;
155 else if(ascii_strncasecmp(tok,"no-use-temp-files",17)==0)
156 opt.keyserver_options.options&=~KEYSERVER_USE_TEMP_FILES;
157 #endif
158 else if(!parse_options(tok,&opt.keyserver_options.options,
159 keyserver_opts,0)
160 && !parse_import_options(tok,
161 &opt.keyserver_options.import_options,0)
162 && !parse_export_options(tok,
163 &opt.keyserver_options.export_options,0))
164 {
165 /* All of the standard options have failed, so the option is
166 destined for a keyserver plugin. */
167 add_canonical_option(tok,&opt.keyserver_options.other);
168 }
169 }
170
171 if(max_cert)
172 {
173 max_cert_size=strtoul(max_cert,(char **)NULL,10);
174
175 if(max_cert_size==0)
176 max_cert_size=DEFAULT_MAX_CERT_SIZE;
177 }
178
179 return ret;
180 }
181
182 void
183 free_keyserver_spec(struct keyserver_spec *keyserver)
184 {
185 xfree(keyserver->uri);
186 xfree(keyserver->scheme);
187 xfree(keyserver->auth);
188 xfree(keyserver->host);
189 xfree(keyserver->port);
190 xfree(keyserver->path);
191 xfree(keyserver->opaque);
192 free_strlist(keyserver->options);
193 xfree(keyserver);
194 }
195
196 /* Return 0 for match */
197 static int
198 cmp_keyserver_spec(struct keyserver_spec *one,struct keyserver_spec *two)
199 {
200 if(ascii_strcasecmp(one->scheme,two->scheme)==0)
201 {
202 if(one->host && two->host && ascii_strcasecmp(one->host,two->host)==0)
203 {
204 if((one->port && two->port
205 && ascii_strcasecmp(one->port,two->port)==0)
206 || (!one->port && !two->port))
207 return 0;
208 }
209 else if(one->opaque && two->opaque
210 && ascii_strcasecmp(one->opaque,two->opaque)==0)
211 return 0;
212 }
213
214 return 1;
215 }
216
217 /* Try and match one of our keyservers. If we can, return that. If
218 we can't, return our input. */
219 struct keyserver_spec *
220 keyserver_match(struct keyserver_spec *spec)
221 {
222 struct keyserver_spec *ks;
223
224 for(ks=opt.keyserver;ks;ks=ks->next)
225 if(cmp_keyserver_spec(spec,ks)==0)
226 return ks;
227
228 return spec;
229 }
230
231 /* TODO: once we cut over to an all-curl world, we don't need this
232 parser any longer so it can be removed, or at least moved to
233 keyserver/ksutil.c for limited use in gpgkeys_ldap or the like. */
234
235 struct keyserver_spec *
236 parse_keyserver_uri(const char *string,int require_scheme,
237 const char *configname,unsigned int configlineno)
238 {
239 int assume_hkp=0;
240 struct keyserver_spec *keyserver;
241 const char *idx;
242 int count;
243 char *uri,*options;
244
245 assert(string!=NULL);
246
247 keyserver=xmalloc_clear(sizeof(struct keyserver_spec));
248
249 uri=xstrdup(string);
250
251 options=strchr(uri,' ');
252 if(options)
253 {
254 char *tok;
255
256 *options='\0';
257 options++;
258
259 while((tok=optsep(&options)))
260 add_canonical_option(tok,&keyserver->options);
261 }
262
263 /* Get the scheme */
264
265 for(idx=uri,count=0;*idx && *idx!=':';idx++)
266 {
267 count++;
268
269 /* Do we see the start of an RFC-2732 ipv6 address here? If so,
270 there clearly isn't a scheme so get out early. */
271 if(*idx=='[')
272 {
273 /* Was the '[' the first thing in the string? If not, we
274 have a mangled scheme with a [ in it so fail. */
275 if(count==1)
276 break;
277 else
278 goto fail;
279 }
280 }
281
282 if(count==0)
283 goto fail;
284
285 if(*idx=='\0' || *idx=='[')
286 {
287 if(require_scheme)
288 return NULL;
289
290 /* Assume HKP if there is no scheme */
291 assume_hkp=1;
292 keyserver->scheme=xstrdup("hkp");
293
294 keyserver->uri=xmalloc(strlen(keyserver->scheme)+3+strlen(uri)+1);
295 strcpy(keyserver->uri,keyserver->scheme);
296 strcat(keyserver->uri,"://");
297 strcat(keyserver->uri,uri);
298 }
299 else
300 {
301 int i;
302
303 keyserver->uri=xstrdup(uri);
304
305 keyserver->scheme=xmalloc(count+1);
306
307 /* Force to lowercase */
308 for(i=0;i<count;i++)
309 keyserver->scheme[i]=ascii_tolower(uri[i]);
310
311 keyserver->scheme[i]='\0';
312
313 /* Skip past the scheme and colon */
314 uri+=count+1;
315 }
316
317 if(ascii_strcasecmp(keyserver->scheme,"x-broken-hkp")==0)
318 {
319 deprecated_warning(configname,configlineno,"x-broken-hkp",
320 "--keyserver-options ","broken-http-proxy");
321 xfree(keyserver->scheme);
322 keyserver->scheme=xstrdup("hkp");
323 append_to_strlist(&opt.keyserver_options.other,"broken-http-proxy");
324 }
325 else if(ascii_strcasecmp(keyserver->scheme,"x-hkp")==0)
326 {
327 /* Canonicalize this to "hkp" so it works with both the internal
328 and external keyserver interface. */
329 xfree(keyserver->scheme);
330 keyserver->scheme=xstrdup("hkp");
331 }
332
333 if (uri[0]=='/' && uri[1]=='/' && uri[2] == '/')
334 {
335 /* Three slashes means network path with a default host name.
336 This is a hack because it does not crok all possible
337 combiantions. We should better repalce all code bythe parser
338 from http.c. */
339 keyserver->path = xstrdup (uri+2);
340 }
341 else if(assume_hkp || (uri[0]=='/' && uri[1]=='/'))
342 {
343 /* Two slashes means network path. */
344
345 /* Skip over the "//", if any */
346 if(!assume_hkp)
347 uri+=2;
348
349 /* Do we have userinfo auth data present? */
350 for(idx=uri,count=0;*idx && *idx!='@' && *idx!='/';idx++)
351 count++;
352
353 /* We found a @ before the slash, so that means everything
354 before the @ is auth data. */
355 if(*idx=='@')
356 {
357 if(count==0)
358 goto fail;
359
360 keyserver->auth=xmalloc(count+1);
361 strncpy(keyserver->auth,uri,count);
362 keyserver->auth[count]='\0';
363 uri+=count+1;
364 }
365
366 /* Is it an RFC-2732 ipv6 [literal address] ? */
367 if(*uri=='[')
368 {
369 for(idx=uri+1,count=1;*idx
370 && ((isascii (*idx) && isxdigit(*idx))
371 || *idx==':' || *idx=='.');idx++)
372 count++;
373
374 /* Is the ipv6 literal address terminated? */
375 if(*idx==']')
376 count++;
377 else
378 goto fail;
379 }
380 else
381 for(idx=uri,count=0;*idx && *idx!=':' && *idx!='/';idx++)
382 count++;
383
384 if(count==0)
385 goto fail;
386
387 keyserver->host=xmalloc(count+1);
388 strncpy(keyserver->host,uri,count);
389 keyserver->host[count]='\0';
390
391 /* Skip past the host */
392 uri+=count;
393
394 if(*uri==':')
395 {
396 /* It would seem to be reasonable to limit the range of the
397 ports to values between 1-65535, but RFC 1738 and 1808
398 imply there is no limit. Of course, the real world has
399 limits. */
400
401 for(idx=uri+1,count=0;*idx && *idx!='/';idx++)
402 {
403 count++;
404
405 /* Ports are digits only */
406 if(!digitp(idx))
407 goto fail;
408 }
409
410 keyserver->port=xmalloc(count+1);
411 strncpy(keyserver->port,uri+1,count);
412 keyserver->port[count]='\0';
413
414 /* Skip past the colon and port number */
415 uri+=1+count;
416 }
417
418 /* Everything else is the path */
419 if(*uri)
420 keyserver->path=xstrdup(uri);
421 else
422 keyserver->path=xstrdup("/");
423
424 if(keyserver->path[1])
425 keyserver->flags.direct_uri=1;
426 }
427 else if(uri[0]!='/')
428 {
429 /* No slash means opaque. Just record the opaque blob and get
430 out. */
431 keyserver->opaque=xstrdup(uri);
432 }
433 else
434 {
435 /* One slash means absolute path. We don't need to support that
436 yet. */
437 goto fail;
438 }
439
440 return keyserver;
441
442 fail:
443 free_keyserver_spec(keyserver);
444
445 return NULL;
446 }
447
448 struct keyserver_spec *
449 parse_preferred_keyserver(PKT_signature *sig)
450 {
451 struct keyserver_spec *spec=NULL;
452 const byte *p;
453 size_t plen;
454
455 p=parse_sig_subpkt(sig->hashed,SIGSUBPKT_PREF_KS,&plen);
456 if(p && plen)
457 {
458 byte *dupe=xmalloc(plen+1);
459
460 memcpy(dupe,p,plen);
461 dupe[plen]='\0';
462 spec=parse_keyserver_uri(dupe,1,NULL,0);
463 xfree(dupe);
464 }
465
466 return spec;
467 }
468
469 static void
470 print_keyrec(int number,struct keyrec *keyrec)
471 {
472 int i;
473
474 iobuf_writebyte(keyrec->uidbuf,0);
475 iobuf_flush_temp(keyrec->uidbuf);
476 printf("(%d)\t%s ",number,iobuf_get_temp_buffer(keyrec->uidbuf));
477
478 if(keyrec->size>0)
479 printf("%d bit ",keyrec->size);
480
481 if(keyrec->type)
482 {
483 const char *str = gcry_pk_algo_name (keyrec->type);
484
485 if(str)
486 printf("%s ",str);
487 else
488 printf("unknown ");
489 }
490
491 switch(keyrec->desc.mode)
492 {
493 /* If the keyserver helper gave us a short keyid, we have no
494 choice but to use it. Do check --keyid-format to add a 0x if
495 needed. */
496 case KEYDB_SEARCH_MODE_SHORT_KID:
497 printf("key %s%08lX",
498 (opt.keyid_format==KF_0xSHORT
499 || opt.keyid_format==KF_0xLONG)?"0x":"",
500 (ulong)keyrec->desc.u.kid[1]);
501 break;
502
503 /* However, if it gave us a long keyid, we can honor
504 --keyid-format */
505 case KEYDB_SEARCH_MODE_LONG_KID:
506 printf("key %s",keystr(keyrec->desc.u.kid));
507 break;
508
509 case KEYDB_SEARCH_MODE_FPR16:
510 printf("key ");
511 for(i=0;i<16;i++)
512 printf("%02X",keyrec->desc.u.fpr[i]);
513 break;
514
515 case KEYDB_SEARCH_MODE_FPR20:
516 printf("key ");
517 for(i=0;i<20;i++)
518 printf("%02X",keyrec->desc.u.fpr[i]);
519 break;
520
521 default:
522 BUG();
523 break;
524 }
525
526 if(keyrec->createtime>0)
527 {
528 printf(", ");
529 printf(_("created: %s"),strtimestamp(keyrec->createtime));
530 }
531
532 if(keyrec->expiretime>0)
533 {
534 printf(", ");
535 printf(_("expires: %s"),strtimestamp(keyrec->expiretime));
536 }
537
538 if(keyrec->flags&1)
539 printf(" (%s)",_("revoked"));
540 if(keyrec->flags&2)
541 printf(" (%s)",_("disabled"));
542 if(keyrec->flags&4)
543 printf(" (%s)",_("expired"));
544
545 printf("\n");
546 }
547
548 /* Returns a keyrec (which must be freed) once a key is complete, and
549 NULL otherwise. Call with a NULL keystring once key parsing is
550 complete to return any unfinished keys. */
551 static struct keyrec *
552 parse_keyrec(char *keystring)
553 {
554 static struct keyrec *work=NULL;
555 struct keyrec *ret=NULL;
556 char *record;
557 int i;
558
559 if(keystring==NULL)
560 {
561 if(work==NULL)
562 return NULL;
563 else if(work->desc.mode==KEYDB_SEARCH_MODE_NONE)
564 {
565 xfree(work);
566 return NULL;
567 }
568 else
569 {
570 ret=work;
571 work=NULL;
572 return ret;
573 }
574 }
575
576 if(work==NULL)
577 {
578 work=xmalloc_clear(sizeof(struct keyrec));
579 work->uidbuf=iobuf_temp();
580 }
581
582 /* Remove trailing whitespace */
583 for(i=strlen(keystring);i>0;i--)
584 if(ascii_isspace(keystring[i-1]))
585 keystring[i-1]='\0';
586 else
587 break;
588
589 if((record=strsep(&keystring,":"))==NULL)
590 return ret;
591
592 if(ascii_strcasecmp("pub",record)==0)
593 {
594 char *tok;
595
596 if(work->desc.mode)
597 {
598 ret=work;
599 work=xmalloc_clear(sizeof(struct keyrec));
600 work->uidbuf=iobuf_temp();
601 }
602
603 if((tok=strsep(&keystring,":"))==NULL)
604 return ret;
605
606 classify_user_id(tok,&work->desc);
607 if(work->desc.mode!=KEYDB_SEARCH_MODE_SHORT_KID
608 && work->desc.mode!=KEYDB_SEARCH_MODE_LONG_KID
609 && work->desc.mode!=KEYDB_SEARCH_MODE_FPR16
610 && work->desc.mode!=KEYDB_SEARCH_MODE_FPR20)
611 {
612 work->desc.mode=KEYDB_SEARCH_MODE_NONE;
613 return ret;
614 }
615
616 /* Note all items after this are optional. This allows us to
617 have a pub line as simple as pub:keyid and nothing else. */
618
619 work->lines++;
620
621 if((tok=strsep(&keystring,":"))==NULL)
622 return ret;
623
624 work->type=atoi(tok);
625
626 if((tok=strsep(&keystring,":"))==NULL)
627 return ret;
628
629 work->size=atoi(tok);
630
631 if((tok=strsep(&keystring,":"))==NULL)
632 return ret;
633
634 if(atoi(tok)<=0)
635 work->createtime=0;
636 else
637 work->createtime=atoi(tok);
638
639 if((tok=strsep(&keystring,":"))==NULL)
640 return ret;
641
642 if(atoi(tok)<=0)
643 work->expiretime=0;
644 else
645 {
646 work->expiretime=atoi(tok);
647 /* Force the 'e' flag on if this key is expired. */
648 if(work->expiretime<=make_timestamp())
649 work->flags|=4;
650 }
651
652 if((tok=strsep(&keystring,":"))==NULL)
653 return ret;
654
655 while(*tok)
656 switch(*tok++)
657 {
658 case 'r':
659 case 'R':
660 work->flags|=1;
661 break;
662
663 case 'd':
664 case 'D':
665 work->flags|=2;
666 break;
667
668 case 'e':
669 case 'E':
670 work->flags|=4;
671 break;
672 }
673 }
674 else if(ascii_strcasecmp("uid",record)==0 && work->desc.mode)
675 {
676 char *userid,*tok,*decoded;
677
678 if((tok=strsep(&keystring,":"))==NULL)
679 return ret;
680
681 if(strlen(tok)==0)
682 return ret;
683
684 userid=tok;
685
686 /* By definition, de-%-encoding is always smaller than the
687 original string so we can decode in place. */
688
689 i=0;
690
691 while(*tok)
692 if(tok[0]=='%' && tok[1] && tok[2])
693 {
694 int c;
695
696 userid[i] = (c=hextobyte(&tok[1])) == -1 ? '?' : c;
697 i++;
698 tok+=3;
699 }
700 else
701 userid[i++]=*tok++;
702
703 /* We don't care about the other info provided in the uid: line
704 since no keyserver supports marking userids with timestamps
705 or revoked/expired/disabled yet. */
706
707 /* No need to check for control characters, as utf8_to_native
708 does this for us. */
709
710 decoded=utf8_to_native(userid,i,0);
711 if(strlen(decoded)>opt.screen_columns-10)
712 decoded[opt.screen_columns-10]='\0';
713 iobuf_writestr(work->uidbuf,decoded);
714 xfree(decoded);
715 iobuf_writestr(work->uidbuf,"\n\t");
716 work->lines++;
717 }
718
719 /* Ignore any records other than "pri" and "uid" for easy future
720 growth. */
721
722 return ret;
723 }
724
725 /* TODO: do this as a list sent to keyserver_work rather than calling
726 it once for each key to get the correct counts after the import
727 (cosmetics, really) and to better take advantage of the keyservers
728 that can do multiple fetches in one go (LDAP). */
729 static int
730 show_prompt(KEYDB_SEARCH_DESC *desc,int numdesc,int count,const char *search)
731 {
732 char *answer;
733
734 fflush (stdout);
735
736 if(count && opt.command_fd==-1)
737 {
738 static int from=1;
739 tty_printf("Keys %d-%d of %d for \"%s\". ",from,numdesc,count,search);
740 from=numdesc+1;
741 }
742
743 answer=cpr_get_no_help("keysearch.prompt",
744 _("Enter number(s), N)ext, or Q)uit > "));
745 /* control-d */
746 if(answer[0]=='\x04')
747 {
748 printf("Q\n");
749 answer[0]='q';
750 }
751
752 if(answer[0]=='q' || answer[0]=='Q')
753 {
754 xfree(answer);
755 return 1;
756 }
757 else if(atoi(answer)>=1 && atoi(answer)<=numdesc)
758 {
759 char *split=answer,*num;
760
761 while((num=strsep(&split," ,"))!=NULL)
762 if(atoi(num)>=1 && atoi(num)<=numdesc)
763 keyserver_work(KS_GET,NULL,&desc[atoi(num)-1],1,
764 NULL,NULL,opt.keyserver);
765
766 xfree(answer);
767 return 1;
768 }
769
770 return 0;
771 }
772
773 /* Count and searchstr are just for cosmetics. If the count is too
774 small, it will grow safely. If negative it disables the "Key x-y
775 of z" messages. searchstr should be UTF-8 (rather than native). */
776 static void
777 keyserver_search_prompt(IOBUF buffer,const char *searchstr)
778 {
779 int i=0,validcount=0,started=0,header=0,count=1;
780 unsigned int maxlen,buflen,numlines=0;
781 KEYDB_SEARCH_DESC *desc;
782 byte *line=NULL;
783 char *localstr=NULL;
784
785 if(searchstr)
786 localstr=utf8_to_native(searchstr,strlen(searchstr),0);
787
788 desc=xmalloc(count*sizeof(KEYDB_SEARCH_DESC));
789
790 for(;;)
791 {
792 struct keyrec *keyrec;
793 int rl;
794
795 maxlen=1024;
796 rl=iobuf_read_line(buffer,&line,&buflen,&maxlen);
797
798 if(opt.with_colons)
799 {
800 if(!header && ascii_strncasecmp("SEARCH ",line,7)==0
801 && ascii_strncasecmp(" BEGIN",&line[strlen(line)-7],6)==0)
802 {
803 header=1;
804 continue;
805 }
806 else if(ascii_strncasecmp("SEARCH ",line,7)==0
807 && ascii_strncasecmp(" END",&line[strlen(line)-5],4)==0)
808 continue;
809
810 printf("%s",line);
811 }
812
813 /* Look for an info: line. The only current info: values
814 defined are the version and key count. */
815 if(!started && rl>0 && ascii_strncasecmp("info:",line,5)==0)
816 {
817 char *tok,*str=&line[5];
818
819 if((tok=strsep(&str,":"))!=NULL)
820 {
821 int version;
822
823 if(sscanf(tok,"%d",&version)!=1)
824 version=1;
825
826 if(version!=1)
827 {
828 log_error(_("invalid keyserver protocol "
829 "(us %d!=handler %d)\n"),1,version);
830 break;
831 }
832 }
833
834 if((tok=strsep(&str,":"))!=NULL && sscanf(tok,"%d",&count)==1)
835 {
836 if(count==0)
837 goto notfound;
838 else if(count<0)
839 count=10;
840 else
841 validcount=1;
842
843 desc=xrealloc(desc,count*sizeof(KEYDB_SEARCH_DESC));
844 }
845
846 started=1;
847 continue;
848 }
849
850 if(rl==0)
851 {
852 keyrec=parse_keyrec(NULL);
853
854 if(keyrec==NULL)
855 {
856 if(i==0)
857 {
858 count=0;
859 break;
860 }
861
862 if(i!=count)
863 validcount=0;
864
865 if (opt.with_colons && opt.batch)
866 break;
867
868 for(;;)
869 {
870 if(show_prompt(desc,i,validcount?count:0,localstr))
871 break;
872 validcount=0;
873 }
874
875 break;
876 }
877 }
878 else
879 keyrec=parse_keyrec(line);
880
881 if(i==count)
882 {
883 /* keyserver helper sent more keys than they claimed in the
884 info: line. */
885 count+=10;
886 desc=xrealloc(desc,count*sizeof(KEYDB_SEARCH_DESC));
887 validcount=0;
888 }
889
890 if(keyrec)
891 {
892 desc[i]=keyrec->desc;
893
894 if(!opt.with_colons)
895 {
896 /* screen_lines - 1 for the prompt. */
897 if(numlines+keyrec->lines>opt.screen_lines-1)
898 {
899 if(show_prompt(desc,i,validcount?count:0,localstr))
900 break;
901 else
902 numlines=0;
903 }
904
905 print_keyrec(i+1,keyrec);
906 }
907
908 numlines+=keyrec->lines;
909 iobuf_close(keyrec->uidbuf);
910 xfree(keyrec);
911
912 started=1;
913 i++;
914 }
915 }
916
917 notfound:
918 /* Leave this commented out or now, and perhaps for a very long
919 time. All HKPish servers return HTML error messages for
920 no-key-found. */
921 /*
922 if(!started)
923 log_info(_("keyserver does not support searching\n"));
924 else
925 */
926 if(count==0)
927 {
928 if(localstr)
929 log_info(_("key \"%s\" not found on keyserver\n"),localstr);
930 else
931 log_info(_("key not found on keyserver\n"));
932 }
933
934 xfree(localstr);
935 xfree(desc);
936 xfree(line);
937 }
938
939 /* We sometimes want to use a different gpgkeys_xxx for a given
940 protocol (for example, ldaps is handled by gpgkeys_ldap). Map
941 these here. */
942 static const char *
943 keyserver_typemap(const char *type)
944 {
945 if(strcmp(type,"ldaps")==0)
946 return "ldap";
947 else if(strcmp(type,"hkps")==0)
948 return "hkp";
949 else
950 return type;
951 }
952
953 /* The PGP LDAP and the curl fetch-a-LDAP-object methodologies are
954 sufficiently different that we can't use curl to do LDAP. */
955 static int
956 direct_uri_map(const char *scheme,unsigned int is_direct)
957 {
958 if(is_direct && strcmp(scheme,"ldap")==0)
959 return 1;
960
961 return 0;
962 }
963
964 #if GNUPG_MAJOR_VERSION == 2
965 #define GPGKEYS_PREFIX "gpg2keys_"
966 #else
967 #define GPGKEYS_PREFIX "gpgkeys_"
968 #endif
969 #define GPGKEYS_CURL GPGKEYS_PREFIX "curl" EXEEXT
970 #define GPGKEYS_PREFIX_LEN (strlen(GPGKEYS_CURL))
971 #define KEYSERVER_ARGS_KEEP " -o \"%O\" \"%I\""
972 #define KEYSERVER_ARGS_NOKEEP " -o \"%o\" \"%i\""
973
974 static int
975 keyserver_spawn(enum ks_action action,strlist_t list,KEYDB_SEARCH_DESC *desc,
976 int count,int *prog,unsigned char **fpr,size_t *fpr_len,
977 struct keyserver_spec *keyserver)
978 {
979 int ret=0,i,gotversion=0,outofband=0;
980 strlist_t temp;
981 unsigned int maxlen,buflen;
982 char *command,*end,*searchstr=NULL;
983 byte *line=NULL;
984 struct exec_info *spawn;
985 const char *scheme;
986 const char *libexecdir = gnupg_libexecdir ();
987
988 assert(keyserver);
989
990 #ifdef EXEC_TEMPFILE_ONLY
991 opt.keyserver_options.options|=KEYSERVER_USE_TEMP_FILES;
992 #endif
993
994 /* Build the filename for the helper to execute */
995 scheme=keyserver_typemap(keyserver->scheme);
996
997 #ifdef DISABLE_KEYSERVER_PATH
998 /* Destroy any path we might have. This is a little tricky,
999 portability-wise. It's not correct to delete the PATH
1000 environment variable, as that may fall back to a system built-in
1001 PATH. Similarly, it is not correct to set PATH to the null
1002 string (PATH="") since this actually deletes the PATH environment
1003 variable under MinGW. The safest thing to do here is to force
1004 PATH to be GNUPG_LIBEXECDIR. All this is not that meaningful on
1005 Unix-like systems (since we're going to give a full path to
1006 gpgkeys_foo), but on W32 it prevents loading any DLLs from
1007 directories in %PATH%.
1008
1009 After some more thinking about this we came to the conclusion
1010 that it is better to load the helpers from the directory where
1011 the program of this process lives. Fortunately Windows provides
1012 a way to retrieve this and our gnupg_libexecdir function has been
1013 modified to return just this. Setting the exec-path is not
1014 anymore required.
1015 set_exec_path(libexecdir);
1016 */
1017 #else
1018 if(opt.exec_path_set)
1019 {
1020 /* If exec-path was set, and DISABLE_KEYSERVER_PATH is
1021 undefined, then don't specify a full path to gpgkeys_foo, so
1022 that the PATH can work. */
1023 command=xmalloc(GPGKEYS_PREFIX_LEN+strlen(scheme)+3+strlen(EXEEXT)+1);
1024 command[0]='\0';
1025 }
1026 else
1027 #endif
1028 {
1029 /* Specify a full path to gpgkeys_foo. */
1030 command=xmalloc(strlen(libexecdir)+strlen(DIRSEP_S)+
1031 GPGKEYS_PREFIX_LEN+strlen(scheme)+3+strlen(EXEEXT)+1);
1032 strcpy(command,libexecdir);
1033 strcat(command,DIRSEP_S);
1034 }
1035
1036 end=command+strlen(command);
1037
1038 /* Build a path for the keyserver helper. If it is direct_uri
1039 (i.e. an object fetch and not a keyserver), then add "_uri" to
1040 the end to distinguish the keyserver helper from an object
1041 fetcher that can speak that protocol (this is a problem for
1042 LDAP). */
1043
1044 strcat(command,GPGKEYS_PREFIX);
1045 strcat(command,scheme);
1046
1047 /* This "_uri" thing is in case we need to call a direct handler
1048 instead of the keyserver handler. This lets us use gpgkeys_curl
1049 or gpgkeys_ldap_uri (we don't provide it, but a user might)
1050 instead of gpgkeys_ldap to fetch things like
1051 ldap://keyserver.pgp.com/o=PGP%20keys?pgpkey?sub?pgpkeyid=99242560 */
1052
1053 if(direct_uri_map(scheme,keyserver->flags.direct_uri))
1054 strcat(command,"_uri");
1055
1056 strcat(command,EXEEXT);
1057
1058 /* Can we execute it? If not, try curl as our catchall. */
1059 if(path_access(command,X_OK)!=0)
1060 strcpy(end,GPGKEYS_CURL);
1061
1062 if(opt.keyserver_options.options&KEYSERVER_USE_TEMP_FILES)
1063 {
1064 if(opt.keyserver_options.options&KEYSERVER_KEEP_TEMP_FILES)
1065 {
1066 command=xrealloc(command,strlen(command)+
1067 strlen(KEYSERVER_ARGS_KEEP)+1);
1068 strcat(command,KEYSERVER_ARGS_KEEP);
1069 }
1070 else
1071 {
1072 command=xrealloc(command,strlen(command)+
1073 strlen(KEYSERVER_ARGS_NOKEEP)+1);
1074 strcat(command,KEYSERVER_ARGS_NOKEEP);
1075 }
1076
1077 ret=exec_write(&spawn,NULL,command,NULL,0,0);
1078 }
1079 else
1080 ret=exec_write(&spawn,command,NULL,NULL,0,0);
1081
1082 xfree(command);
1083
1084 if(ret)
1085 return ret;
1086
1087 fprintf(spawn->tochild,
1088 "# This is a GnuPG %s keyserver communications file\n",VERSION);
1089 fprintf(spawn->tochild,"VERSION %d\n",KEYSERVER_PROTO_VERSION);
1090 fprintf(spawn->tochild,"PROGRAM %s\n",VERSION);
1091 fprintf(spawn->tochild,"SCHEME %s\n",keyserver->scheme);
1092
1093 if(keyserver->opaque)
1094 fprintf(spawn->tochild,"OPAQUE %s\n",keyserver->opaque);
1095 else
1096 {
1097 if(keyserver->auth)
1098 fprintf(spawn->tochild,"AUTH %s\n",keyserver->auth);
1099
1100 if(keyserver->host)
1101 fprintf(spawn->tochild,"HOST %s\n",keyserver->host);
1102
1103 if(keyserver->port)
1104 fprintf(spawn->tochild,"PORT %s\n",keyserver->port);
1105
1106 if(keyserver->path)
1107 fprintf(spawn->tochild,"PATH %s\n",keyserver->path);
1108 }
1109
1110 /* Write global options */
1111
1112 for(temp=opt.keyserver_options.other;temp;temp=temp->next)
1113 fprintf(spawn->tochild,"OPTION %s\n",temp->d);
1114
1115 /* Write per-keyserver options */
1116
1117 for(temp=keyserver->options;temp;temp=temp->next)
1118 fprintf(spawn->tochild,"OPTION %s\n",temp->d);
1119
1120 switch(action)
1121 {
1122 case KS_GET:
1123 {
1124 fprintf(spawn->tochild,"COMMAND GET\n\n");
1125
1126 /* Which keys do we want? */
1127
1128 for(i=0;i<count;i++)
1129 {
1130 int quiet=0;
1131
1132 if(desc[i].mode==KEYDB_SEARCH_MODE_FPR20)
1133 {
1134 int f;
1135
1136 fprintf(spawn->tochild,"0x");
1137
1138 for(f=0;f<MAX_FINGERPRINT_LEN;f++)
1139 fprintf(spawn->tochild,"%02X",desc[i].u.fpr[f]);
1140
1141 fprintf(spawn->tochild,"\n");
1142 }
1143 else if(desc[i].mode==KEYDB_SEARCH_MODE_FPR16)
1144 {
1145 int f;
1146
1147 fprintf(spawn->tochild,"0x");
1148
1149 for(f=0;f<16;f++)
1150 fprintf(spawn->tochild,"%02X",desc[i].u.fpr[f]);
1151
1152 fprintf(spawn->tochild,"\n");
1153 }
1154 else if(desc[i].mode==KEYDB_SEARCH_MODE_LONG_KID)
1155 fprintf(spawn->tochild,"0x%08lX%08lX\n",
1156 (ulong)desc[i].u.kid[0],
1157 (ulong)desc[i].u.kid[1]);
1158 else if(desc[i].mode==KEYDB_SEARCH_MODE_SHORT_KID)
1159 fprintf(spawn->tochild,"0x%08lX\n",
1160 (ulong)desc[i].u.kid[1]);
1161 else if(desc[i].mode==KEYDB_SEARCH_MODE_EXACT)
1162 {
1163 fprintf(spawn->tochild,"0x0000000000000000\n");
1164 quiet=1;
1165 }
1166 else if(desc[i].mode==KEYDB_SEARCH_MODE_NONE)
1167 continue;
1168 else
1169 BUG();
1170
1171 if(!quiet)
1172 {
1173 if(keyserver->host)
1174 log_info(_("requesting key %s from %s server %s\n"),
1175 keystr_from_desc(&desc[i]),
1176 keyserver->scheme,keyserver->host);
1177 else
1178 log_info(_("requesting key %s from %s\n"),
1179 keystr_from_desc(&desc[i]),keyserver->uri);
1180 }
1181 }
1182
1183 fprintf(spawn->tochild,"\n");
1184
1185 break;
1186 }
1187
1188 case KS_GETNAME:
1189 {
1190 strlist_t key;
1191
1192 fprintf(spawn->tochild,"COMMAND GETNAME\n\n");
1193
1194 /* Which names do we want? */
1195
1196 for(key=list;key!=NULL;key=key->next)
1197 fprintf(spawn->tochild,"%s\n",key->d);
1198
1199 fprintf(spawn->tochild,"\n");
1200
1201 if(keyserver->host)
1202 log_info(_("searching for names from %s server %s\n"),
1203 keyserver->scheme,keyserver->host);
1204 else
1205 log_info(_("searching for names from %s\n"),keyserver->uri);
1206
1207 break;
1208 }
1209
1210 case KS_SEND:
1211 {
1212 strlist_t key;
1213
1214 /* Note the extra \n here to send an empty keylist block */
1215 fprintf(spawn->tochild,"COMMAND SEND\n\n\n");
1216
1217 for(key=list;key!=NULL;key=key->next)
1218 {
1219 armor_filter_context_t *afx;
1220 IOBUF buffer = iobuf_temp ();
1221 KBNODE block;
1222
1223 temp=NULL;
1224 add_to_strlist(&temp,key->d);
1225
1226 afx = new_armor_context ();
1227 afx->what = 1;
1228 /* Tell the armor filter to use Unix-style \n line
1229 endings, since we're going to fprintf this to a file
1230 that (on Win32) is open in text mode. The win32 stdio
1231 will transform the \n to \r\n and we'll end up with the
1232 proper line endings on win32. This is a no-op on
1233 Unix. */
1234 afx->eol[0] = '\n';
1235 push_armor_filter (afx, buffer);
1236 release_armor_context (afx);
1237
1238 /* TODO: Remove Comment: lines from keys exported this
1239 way? */
1240
1241 if(export_pubkeys_stream(buffer,temp,&block,
1242 opt.keyserver_options.export_options)==-1)
1243 iobuf_close(buffer);
1244 else
1245 {
1246 KBNODE node;
1247
1248 iobuf_flush_temp(buffer);
1249
1250 merge_keys_and_selfsig(block);
1251
1252 fprintf(spawn->tochild,"INFO %08lX%08lX BEGIN\n",
1253 (ulong)block->pkt->pkt.public_key->keyid[0],
1254 (ulong)block->pkt->pkt.public_key->keyid[1]);
1255
1256 for(node=block;node;node=node->next)
1257 {
1258 switch(node->pkt->pkttype)
1259 {
1260 default:
1261 continue;
1262
1263 case PKT_PUBLIC_KEY:
1264 case PKT_PUBLIC_SUBKEY:
1265 {
1266 PKT_public_key *pk=node->pkt->pkt.public_key;
1267
1268 keyid_from_pk(pk,NULL);
1269
1270 fprintf(spawn->tochild,"%sb:%08lX%08lX:%u:%u:%u:%u:",
1271 node->pkt->pkttype==PKT_PUBLIC_KEY?"pu":"su",
1272 (ulong)pk->keyid[0],(ulong)pk->keyid[1],
1273 pk->pubkey_algo,
1274 nbits_from_pk(pk),
1275 pk->timestamp,
1276 pk->expiredate);
1277
1278 if(pk->is_revoked)
1279 fprintf(spawn->tochild,"r");
1280 if(pk->has_expired)
1281 fprintf(spawn->tochild,"e");
1282
1283 fprintf(spawn->tochild,"\n");
1284 }
1285 break;
1286
1287 case PKT_USER_ID:
1288 {
1289 PKT_user_id *uid=node->pkt->pkt.user_id;
1290 int r;
1291
1292 if(uid->attrib_data)
1293 continue;
1294
1295 fprintf(spawn->tochild,"uid:");
1296
1297 /* Quote ':', '%', and any 8-bit
1298 characters */
1299 for(r=0;r<uid->len;r++)
1300 {
1301 if(uid->name[r]==':' || uid->name[r]=='%'
1302 || uid->name[r]&0x80)
1303 fprintf(spawn->tochild,"%%%02X",
1304 (byte)uid->name[r]);
1305 else
1306 fprintf(spawn->tochild,"%c",uid->name[r]);
1307 }
1308
1309 fprintf(spawn->tochild,":%u:%u:",
1310 uid->created,uid->expiredate);
1311
1312 if(uid->is_revoked)
1313 fprintf(spawn->tochild,"r");
1314 if(uid->is_expired)
1315 fprintf(spawn->tochild,"e");
1316
1317 fprintf(spawn->tochild,"\n");
1318 }
1319 break;
1320
1321 /* This bit is really for the benefit of
1322 people who store their keys in LDAP
1323 servers. It makes it easy to do queries
1324 for things like "all keys signed by
1325 Isabella". */
1326 case PKT_SIGNATURE:
1327 {
1328 PKT_signature *sig=node->pkt->pkt.signature;
1329
1330 if(!IS_UID_SIG(sig))
1331 continue;
1332
1333 fprintf(spawn->tochild,"sig:%08lX%08lX:%X:%u:%u\n",
1334 (ulong)sig->keyid[0],(ulong)sig->keyid[1],
1335 sig->sig_class,sig->timestamp,
1336 sig->expiredate);
1337 }
1338 break;
1339 }
1340 }
1341
1342 fprintf(spawn->tochild,"INFO %08lX%08lX END\n",
1343 (ulong)block->pkt->pkt.public_key->keyid[0],
1344 (ulong)block->pkt->pkt.public_key->keyid[1]);
1345
1346 fprintf(spawn->tochild,"KEY %08lX%08lX BEGIN\n",
1347 (ulong)block->pkt->pkt.public_key->keyid[0],
1348 (ulong)block->pkt->pkt.public_key->keyid[1]);
1349 fwrite(iobuf_get_temp_buffer(buffer),
1350 iobuf_get_temp_length(buffer),1,spawn->tochild);
1351 fprintf(spawn->tochild,"KEY %08lX%08lX END\n",
1352 (ulong)block->pkt->pkt.public_key->keyid[0],
1353 (ulong)block->pkt->pkt.public_key->keyid[1]);
1354
1355 iobuf_close(buffer);
1356
1357 if(keyserver->host)
1358 log_info(_("sending key %s to %s server %s\n"),
1359 keystr(block->pkt->pkt.public_key->keyid),
1360 keyserver->scheme,keyserver->host);
1361 else
1362 log_info(_("sending key %s to %s\n"),
1363 keystr(block->pkt->pkt.public_key->keyid),
1364 keyserver->uri);
1365
1366 release_kbnode(block);
1367 }
1368
1369 free_strlist(temp);
1370 }
1371
1372 break;
1373 }
1374
1375 case KS_SEARCH:
1376 {
1377 strlist_t key;
1378
1379 fprintf(spawn->tochild,"COMMAND SEARCH\n\n");
1380
1381 /* Which keys do we want? Remember that the gpgkeys_ program
1382 is going to lump these together into a search string. */
1383
1384 for(key=list;key!=NULL;key=key->next)
1385 {
1386 fprintf(spawn->tochild,"%s\n",key->d);
1387 if(key!=list)
1388 {
1389 searchstr=xrealloc(searchstr,
1390 strlen(searchstr)+strlen(key->d)+2);
1391 strcat(searchstr," ");
1392 }
1393 else
1394 {
1395 searchstr=xmalloc(strlen(key->d)+1);
1396 searchstr[0]='\0';
1397 }
1398
1399 strcat(searchstr,key->d);
1400 }
1401
1402 fprintf(spawn->tochild,"\n");
1403
1404 if(keyserver->host)
1405 log_info(_("searching for \"%s\" from %s server %s\n"),
1406 searchstr,keyserver->scheme,keyserver->host);
1407 else
1408 log_info(_("searching for \"%s\" from %s\n"),
1409 searchstr,keyserver->uri);
1410
1411 break;
1412 }
1413
1414 default:
1415 log_fatal(_("no keyserver action!\n"));
1416 break;
1417 }
1418
1419 /* Done sending, so start reading. */
1420 ret=exec_read(spawn);
1421 if(ret)
1422 goto fail;
1423
1424 /* Now handle the response */
1425
1426 for(;;)
1427 {
1428 int plen;
1429 char *ptr;
1430
1431 maxlen=1024;
1432 if(iobuf_read_line(spawn->fromchild,&line,&buflen,&maxlen)==0)
1433 {
1434 ret = gpg_error_from_syserror ();
1435 goto fail; /* i.e. EOF */
1436 }
1437
1438 ptr=line;
1439
1440 /* remove trailing whitespace */
1441 plen=strlen(ptr);
1442 while(plen>0 && ascii_isspace(ptr[plen-1]))
1443 plen--;
1444 plen[ptr]='\0';
1445
1446 if(*ptr=='\0')
1447 break;
1448
1449 if(ascii_strncasecmp(ptr,"VERSION ",8)==0)
1450 {
1451 gotversion=1;
1452
1453 if(atoi(&ptr[8])!=KEYSERVER_PROTO_VERSION)
1454 {
1455 log_error(_("invalid keyserver protocol (us %d!=handler %d)\n"),
1456 KEYSERVER_PROTO_VERSION,atoi(&ptr[8]));
1457 goto fail;
1458 }
1459 }
1460 else if(ascii_strncasecmp(ptr,"PROGRAM ",8)==0)
1461 {
1462 if(ascii_strncasecmp(&ptr[8],VERSION,strlen(VERSION))!=0)
1463 log_info(_("WARNING: keyserver handler from a different"
1464 " version of GnuPG (%s)\n"),&ptr[8]);
1465 }
1466 else if(ascii_strncasecmp(ptr,"OPTION OUTOFBAND",16)==0)
1467 outofband=1; /* Currently the only OPTION */
1468 }
1469
1470 if(!gotversion)
1471 {
1472 log_error(_("keyserver did not send VERSION\n"));
1473 goto fail;
1474 }
1475
1476 if(!outofband)
1477 switch(action)
1478 {
1479 case KS_GET:
1480 case KS_GETNAME:
1481 {
1482 void *stats_handle;
1483
1484 stats_handle=import_new_stats_handle();
1485
1486 /* Slurp up all the key data. In the future, it might be
1487 nice to look for KEY foo OUTOFBAND and FAILED indicators.
1488 It's harmless to ignore them, but ignoring them does make
1489 gpg complain about "no valid OpenPGP data found". One
1490 way to do this could be to continue parsing this
1491 line-by-line and make a temp iobuf for each key. */
1492
1493 import_keys_stream(spawn->fromchild,stats_handle,fpr,fpr_len,
1494 opt.keyserver_options.import_options);
1495
1496 import_print_stats(stats_handle);
1497 import_release_stats_handle(stats_handle);
1498
1499 break;
1500 }
1501
1502 /* Nothing to do here */
1503 case KS_SEND:
1504 break;
1505
1506 case KS_SEARCH:
1507 keyserver_search_prompt(spawn->fromchild,searchstr);
1508 break;
1509
1510 default:
1511 log_fatal(_("no keyserver action!\n"));
1512 break;
1513 }
1514
1515 fail:
1516 xfree(line);
1517 xfree(searchstr);
1518
1519
1520 *prog=exec_finish(spawn);
1521
1522 return ret;
1523 }
1524
1525 static int
1526 keyserver_work(enum ks_action action,strlist_t list,KEYDB_SEARCH_DESC *desc,
1527 int count,unsigned char **fpr,size_t *fpr_len,
1528 struct keyserver_spec *keyserver)
1529 {
1530 int rc=0,ret=0;
1531
1532 if(!keyserver)
1533 {
1534 log_error(_("no keyserver known (use option --keyserver)\n"));
1535 return G10ERR_BAD_URI;
1536 }
1537
1538 #ifdef DISABLE_KEYSERVER_HELPERS
1539
1540 log_error(_("external keyserver calls are not supported in this build\n"));
1541 return G10ERR_KEYSERVER;
1542
1543 #else
1544 /* Spawn a handler */
1545
1546 rc=keyserver_spawn(action,list,desc,count,&ret,fpr,fpr_len,keyserver);
1547 if(ret)
1548 {
1549 switch(ret)
1550 {
1551 case KEYSERVER_SCHEME_NOT_FOUND:
1552 log_error(_("no handler for keyserver scheme `%s'\n"),
1553 keyserver->scheme);
1554 break;
1555
1556 case KEYSERVER_NOT_SUPPORTED:
1557 log_error(_("action `%s' not supported with keyserver "
1558 "scheme `%s'\n"),
1559 action==KS_GET?"get":action==KS_SEND?"send":
1560 action==KS_SEARCH?"search":"unknown",
1561 keyserver->scheme);
1562 break;
1563
1564 case KEYSERVER_VERSION_ERROR:
1565 log_error(_(GPGKEYS_PREFIX "%s does not support"
1566 " handler version %d\n"),
1567 keyserver_typemap(keyserver->scheme),
1568 KEYSERVER_PROTO_VERSION);
1569 break;
1570
1571 case KEYSERVER_TIMEOUT:
1572 log_error(_("keyserver timed out\n"));
1573 break;
1574
1575 case KEYSERVER_INTERNAL_ERROR:
1576 default:
1577 log_error(_("keyserver internal error\n"));
1578 break;
1579 }
1580
1581 return G10ERR_KEYSERVER;
1582 }
1583
1584 if(rc)
1585 {
1586 log_error(_("keyserver communications error: %s\n"),g10_errstr(rc));
1587
1588 return rc;
1589 }
1590
1591 return 0;
1592 #endif /* ! DISABLE_KEYSERVER_HELPERS*/
1593 }
1594
1595 int
1596 keyserver_export(strlist_t users)
1597 {
1598 strlist_t sl=NULL;
1599 KEYDB_SEARCH_DESC desc;
1600 int rc=0;
1601
1602 /* Weed out descriptors that we don't support sending */
1603 for(;users;users=users->next)
1604 {
1605 classify_user_id (users->d, &desc);
1606 if(desc.mode!=KEYDB_SEARCH_MODE_SHORT_KID &&
1607 desc.mode!=KEYDB_SEARCH_MODE_LONG_KID &&
1608 desc.mode!=KEYDB_SEARCH_MODE_FPR16 &&
1609 desc.mode!=KEYDB_SEARCH_MODE_FPR20)
1610 {
1611 log_error(_("\"%s\" not a key ID: skipping\n"),users->d);
1612 continue;
1613 }
1614 else
1615 append_to_strlist(&sl,users->d);
1616 }
1617
1618 if(sl)
1619 {
1620 rc=keyserver_work(KS_SEND,sl,NULL,0,NULL,NULL,opt.keyserver);
1621 free_strlist(sl);
1622 }
1623
1624 return rc;
1625 }
1626
1627 int
1628 keyserver_import(strlist_t users)
1629 {
1630 KEYDB_SEARCH_DESC *desc;
1631 int num=100,count=0;
1632 int rc=0;
1633
1634 /* Build a list of key ids */
1635 desc=xmalloc(sizeof(KEYDB_SEARCH_DESC)*num);
1636
1637 for(;users;users=users->next)
1638 {
1639 classify_user_id (users->d, &desc[count]);
1640 if(desc[count].mode!=KEYDB_SEARCH_MODE_SHORT_KID &&
1641 desc[count].mode!=KEYDB_SEARCH_MODE_LONG_KID &&
1642 desc[count].mode!=KEYDB_SEARCH_MODE_FPR16 &&
1643 desc[count].mode!=KEYDB_SEARCH_MODE_FPR20)
1644 {
1645 log_error(_("\"%s\" not a key ID: skipping\n"),users->d);
1646 continue;
1647 }
1648
1649 count++;
1650 if(count==num)
1651 {
1652 num+=100;
1653 desc=xrealloc(desc,sizeof(KEYDB_SEARCH_DESC)*num);
1654 }
1655 }
1656
1657 if(count>0)
1658 rc=keyserver_work(KS_GET,NULL,desc,count,NULL,NULL,opt.keyserver);
1659
1660 xfree(desc);
1661
1662 return rc;
1663 }
1664
1665 int
1666 keyserver_import_fprint(const byte *fprint,size_t fprint_len,
1667 struct keyserver_spec *keyserver)
1668 {
1669 KEYDB_SEARCH_DESC desc;
1670
1671 memset(&desc,0,sizeof(desc));
1672
1673 if(fprint_len==16)
1674 desc.mode=KEYDB_SEARCH_MODE_FPR16;
1675 else if(fprint_len==20)
1676 desc.mode=KEYDB_SEARCH_MODE_FPR20;
1677 else
1678 return -1;
1679
1680 memcpy(desc.u.fpr,fprint,fprint_len);
1681
1682 /* TODO: Warn here if the fingerprint we got doesn't match the one
1683 we asked for? */
1684 return keyserver_work(KS_GET,NULL,&desc,1,NULL,NULL,keyserver);
1685 }
1686
1687 int
1688 keyserver_import_keyid(u32 *keyid,struct keyserver_spec *keyserver)
1689 {
1690 KEYDB_SEARCH_DESC desc;
1691
1692 memset(&desc,0,sizeof(desc));
1693
1694 desc.mode=KEYDB_SEARCH_MODE_LONG_KID;
1695 desc.u.kid[0]=keyid[0];
1696 desc.u.kid[1]=keyid[1];
1697
1698 return keyserver_work(KS_GET,NULL,&desc,1,NULL,NULL,keyserver);
1699 }
1700
1701 /* code mostly stolen from do_export_stream */
1702 static int
1703 keyidlist(strlist_t users,KEYDB_SEARCH_DESC **klist,int *count,int fakev3)
1704 {
1705 int rc=0,ndesc,num=100;
1706 KBNODE keyblock=NULL,node;
1707 KEYDB_HANDLE kdbhd;
1708 KEYDB_SEARCH_DESC *desc;
1709 strlist_t sl;
1710
1711 *count=0;
1712
1713 *klist=xmalloc(sizeof(KEYDB_SEARCH_DESC)*num);
1714
1715 kdbhd=keydb_new(0);
1716
1717 if(!users)
1718 {
1719 ndesc = 1;
1720 desc = xmalloc_clear ( ndesc * sizeof *desc);
1721 desc[0].mode = KEYDB_SEARCH_MODE_FIRST;
1722 }
1723 else
1724 {
1725 for (ndesc=0, sl=users; sl; sl = sl->next, ndesc++)
1726 ;
1727 desc = xmalloc ( ndesc * sizeof *desc);
1728
1729 for (ndesc=0, sl=users; sl; sl = sl->next)
1730 {
1731 if(classify_user_id (sl->d, desc+ndesc))
1732 ndesc++;
1733 else
1734 log_error (_("key \"%s\" not found: %s\n"),
1735 sl->d, g10_errstr (G10ERR_INV_USER_ID));
1736 }
1737 }
1738
1739 while (!(rc = keydb_search (kdbhd, desc, ndesc)))
1740 {
1741 if (!users)
1742 desc[0].mode = KEYDB_SEARCH_MODE_NEXT;
1743
1744 /* read the keyblock */
1745 rc = keydb_get_keyblock (kdbhd, &keyblock );
1746 if( rc )
1747 {
1748 log_error (_("error reading keyblock: %s\n"), g10_errstr(rc) );
1749 goto leave;
1750 }
1751
1752 if((node=find_kbnode(keyblock,PKT_PUBLIC_KEY)))
1753 {
1754 /* This is to work around a bug in some keyservers (pksd and
1755 OKS) that calculate v4 RSA keyids as if they were v3 RSA.
1756 The answer is to refresh both the correct v4 keyid
1757 (e.g. 99242560) and the fake v3 keyid (e.g. 68FDDBC7).
1758 This only happens for key refresh using the HKP scheme
1759 and if the refresh-add-fake-v3-keyids keyserver option is
1760 set. */
1761 if(fakev3 && is_RSA(node->pkt->pkt.public_key->pubkey_algo) &&
1762 node->pkt->pkt.public_key->version>=4)
1763 {
1764 (*klist)[*count].mode=KEYDB_SEARCH_MODE_LONG_KID;
1765 v3_keyid (node->pkt->pkt.public_key->pkey[0],
1766 (*klist)[*count].u.kid);
1767 (*count)++;
1768
1769 if(*count==num)
1770 {
1771 num+=100;
1772 *klist=xrealloc(*klist,sizeof(KEYDB_SEARCH_DESC)*num);
1773 }
1774 }
1775
1776 /* v4 keys get full fingerprints. v3 keys get long keyids.
1777 This is because it's easy to calculate any sort of keyid
1778 from a v4 fingerprint, but not a v3 fingerprint. */
1779
1780 if(node->pkt->pkt.public_key->version<4)
1781 {
1782 (*klist)[*count].mode=KEYDB_SEARCH_MODE_LONG_KID;
1783 keyid_from_pk(node->pkt->pkt.public_key,
1784 (*klist)[*count].u.kid);
1785 }
1786 else
1787 {
1788 size_t dummy;
1789
1790 (*klist)[*count].mode=KEYDB_SEARCH_MODE_FPR20;
1791 fingerprint_from_pk(node->pkt->pkt.public_key,
1792 (*klist)[*count].u.fpr,&dummy);
1793 }
1794
1795 /* This is a little hackish, using the skipfncvalue as a
1796 void* pointer to the keyserver spec, but we don't need
1797 the skipfnc here, and it saves having an additional field
1798 for this (which would be wasted space most of the
1799 time). */
1800
1801 (*klist)[*count].skipfncvalue=NULL;
1802
1803 /* Are we honoring preferred keyservers? */
1804 if(opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)
1805 {
1806 PKT_user_id *uid=NULL;
1807 PKT_signature *sig=NULL;
1808
1809 merge_keys_and_selfsig(keyblock);
1810
1811 for(node=node->next;node;node=node->next)
1812 {
1813 if(node->pkt->pkttype==PKT_USER_ID
1814 && node->pkt->pkt.user_id->is_primary)
1815 uid=node->pkt->pkt.user_id;
1816 else if(node->pkt->pkttype==PKT_SIGNATURE
1817 && node->pkt->pkt.signature->
1818 flags.chosen_selfsig && uid)
1819 {
1820 sig=node->pkt->pkt.signature;
1821 break;
1822 }
1823 }
1824
1825 /* Try and parse the keyserver URL. If it doesn't work,
1826 then we end up writing NULL which indicates we are
1827 the same as any other key. */
1828 if(sig)
1829 (*klist)[*count].skipfncvalue=parse_preferred_keyserver(sig);
1830 }
1831
1832 (*count)++;
1833
1834 if(*count==num)
1835 {
1836 num+=100;
1837 *klist=xrealloc(*klist,sizeof(KEYDB_SEARCH_DESC)*num);
1838 }
1839 }
1840 }
1841
1842 if(rc==-1)
1843 rc=0;
1844
1845 leave:
1846 if(rc)
1847 xfree(*klist);
1848 xfree(desc);
1849 keydb_release(kdbhd);
1850 release_kbnode(keyblock);
1851
1852 return rc;
1853 }
1854
1855 /* Note this is different than the original HKP refresh. It allows
1856 usernames to refresh only part of the keyring. */
1857
1858 int
1859 keyserver_refresh(strlist_t users)
1860 {
1861 int rc,count,numdesc,fakev3=0;
1862 KEYDB_SEARCH_DESC *desc;
1863 unsigned int options=opt.keyserver_options.import_options;
1864
1865 /* We switch merge-only on during a refresh, as 'refresh' should
1866 never import new keys, even if their keyids match. */
1867 opt.keyserver_options.import_options|=IMPORT_MERGE_ONLY;
1868
1869 /* Similarly, we switch on fast-import, since refresh may make
1870 multiple import sets (due to preferred keyserver URLs). We don't
1871 want each set to rebuild the trustdb. Instead we do it once at
1872 the end here. */
1873 opt.keyserver_options.import_options|=IMPORT_FAST;
1874
1875 /* If refresh_add_fake_v3_keyids is on and it's a HKP or MAILTO
1876 scheme, then enable fake v3 keyid generation. */
1877 if((opt.keyserver_options.options&KEYSERVER_ADD_FAKE_V3) && opt.keyserver
1878 && (ascii_strcasecmp(opt.keyserver->scheme,"hkp")==0 ||
1879 ascii_strcasecmp(opt.keyserver->scheme,"mailto")==0))
1880 fakev3=1;
1881
1882 rc=keyidlist(users,&desc,&numdesc,fakev3);
1883 if(rc)
1884 return rc;
1885
1886 count=numdesc;
1887 if(count>0)
1888 {
1889 int i;
1890
1891 /* Try to handle preferred keyserver keys first */
1892 for(i=0;i<numdesc;i++)
1893 {
1894 if(desc[i].skipfncvalue)
1895 {
1896 struct keyserver_spec *keyserver=desc[i].skipfncvalue;
1897
1898 /* We use the keyserver structure we parsed out before.
1899 Note that a preferred keyserver without a scheme://
1900 will be interpreted as hkp:// */
1901
1902 rc=keyserver_work(KS_GET,NULL,&desc[i],1,NULL,NULL,keyserver);
1903 if(rc)
1904 log_info(_("WARNING: unable to refresh key %s"
1905 " via %s: %s\n"),keystr_from_desc(&desc[i]),
1906 keyserver->uri,g10_errstr(rc));
1907 else
1908 {
1909 /* We got it, so mark it as NONE so we don't try and
1910 get it again from the regular keyserver. */
1911
1912 desc[i].mode=KEYDB_SEARCH_MODE_NONE;
1913 count--;
1914 }
1915
1916 free_keyserver_spec(keyserver);
1917 }
1918 }
1919 }
1920
1921 if(count>0)
1922 {
1923 if(opt.keyserver)
1924 {
1925 if(count==1)
1926 log_info(_("refreshing 1 key from %s\n"),opt.keyserver->uri);
1927 else
1928 log_info(_("refreshing %d keys from %s\n"),
1929 count,opt.keyserver->uri);
1930 }
1931
1932 rc=keyserver_work(KS_GET,NULL,desc,numdesc,NULL,NULL,opt.keyserver);
1933 }
1934
1935 xfree(desc);
1936
1937 opt.keyserver_options.import_options=options;
1938
1939 /* If the original options didn't have fast import, and the trustdb
1940 is dirty, rebuild. */
1941 if(!(opt.keyserver_options.import_options&IMPORT_FAST))
1942 trustdb_check_or_update();
1943
1944 return rc;
1945 }
1946
1947 int
1948 keyserver_search(strlist_t tokens)
1949 {
1950 if(tokens)
1951 return keyserver_work(KS_SEARCH,tokens,NULL,0,NULL,NULL,opt.keyserver);
1952 else
1953 return 0;
1954 }
1955
1956 int
1957 keyserver_fetch(strlist_t urilist)
1958 {
1959 KEYDB_SEARCH_DESC desc;
1960 strlist_t sl;
1961 unsigned int options=opt.keyserver_options.import_options;
1962
1963 /* Switch on fast-import, since fetch can handle more than one
1964 import and we don't want each set to rebuild the trustdb.
1965 Instead we do it once at the end. */
1966 opt.keyserver_options.import_options|=IMPORT_FAST;
1967
1968 /* A dummy desc since we're not actually fetching a particular key
1969 ID */
1970 memset(&desc,0,sizeof(desc));
1971 desc.mode=KEYDB_SEARCH_MODE_EXACT;
1972
1973 for(sl=urilist;sl;sl=sl->next)
1974 {
1975 struct keyserver_spec *spec;
1976
1977 spec=parse_keyserver_uri(sl->d,1,NULL,0);
1978 if(spec)
1979 {
1980 int rc;
1981
1982 rc=keyserver_work(KS_GET,NULL,&desc,1,NULL,NULL,spec);
1983 if(rc)
1984 log_info (_("WARNING: unable to fetch URI %s: %s\n"),
1985 sl->d,g10_errstr(rc));
1986
1987 free_keyserver_spec(spec);
1988 }
1989 else
1990 log_info (_("WARNING: unable to parse URI %s\n"),sl->d);
1991 }
1992
1993 opt.keyserver_options.import_options=options;
1994
1995 /* If the original options didn't have fast import, and the trustdb
1996 is dirty, rebuild. */
1997 if(!(opt.keyserver_options.import_options&IMPORT_FAST))
1998 trustdb_check_or_update();
1999
2000 return 0;
2001 }
2002
2003 /* Import key in a CERT or pointed to by a CERT */
2004 int
2005 keyserver_import_cert(const char *name,unsigned char **fpr,size_t *fpr_len)
2006 {
2007 char *domain,*look,*url;
2008 IOBUF key;
2009 int type,rc=G10ERR_GENERAL;
2010
2011 look=xstrdup(name);
2012
2013 domain=strrchr(look,'@');
2014 if(domain)
2015 *domain='.';
2016
2017 type=get_dns_cert(look,max_cert_size,&key,fpr,fpr_len,&url);
2018 if (!type || type == -1)
2019 {
2020 /* There might be an error in res_query which leads to an error
2021 return (-1) in the case that nothing was found. Thus we take
2022 all errors as key not found. */
2023 rc = G10ERR_NO_PUBKEY;
2024 }
2025 else if (type==1)
2026 {
2027 int armor_status=opt.no_armor;
2028
2029 /* CERTs are always in binary format */
2030 opt.no_armor=1;
2031
2032 rc=import_keys_stream(key,NULL,fpr,fpr_len,
2033 opt.keyserver_options.import_options);
2034
2035 opt.no_armor=armor_status;
2036
2037 iobuf_close(key);
2038 }
2039 else if(type==2 && *fpr)
2040 {
2041 /* We only consider the IPGP type if a fingerprint was provided.
2042 This lets us select the right key regardless of what a URL
2043 points to, or get the key from a keyserver. */
2044 if(url)
2045 {
2046 struct keyserver_spec *spec;
2047
2048 spec=parse_keyserver_uri(url,1,NULL,0);
2049 if(spec)
2050 {
2051 rc=keyserver_import_fprint(*fpr,*fpr_len,spec);
2052 free_keyserver_spec(spec);
2053 }
2054 }
2055 else if(opt.keyserver)
2056 {
2057 /* If only a fingerprint is provided, try and fetch it from
2058 our --keyserver */
2059
2060 rc=keyserver_import_fprint(*fpr,*fpr_len,opt.keyserver);
2061 }
2062 else
2063 log_info(_("no keyserver known (use option --keyserver)\n"));
2064
2065 /* Give a better string here? "CERT fingerprint for \"%s\"
2066 found, but no keyserver" " known (use option
2067 --keyserver)\n" ? */
2068
2069 xfree(url);
2070 }
2071
2072 xfree(look);
2073
2074 return rc;
2075 }
2076
2077 /* Import key pointed to by a PKA record. Return the requested
2078 fingerprint in fpr. */
2079 int
2080 keyserver_import_pka(const char *name,unsigned char **fpr,size_t *fpr_len)
2081 {
2082 char *uri;
2083 int rc = G10ERR_NO_PUBKEY;
2084
2085 *fpr = xmalloc (20);
2086 *fpr_len = 20;
2087
2088 uri = get_pka_info (name, *fpr);
2089 if (uri && *uri)
2090 {
2091 /* An URI is available. Lookup the key. */
2092 struct keyserver_spec *spec;
2093 spec = parse_keyserver_uri (uri, 1, NULL, 0);
2094 if (spec)
2095 {
2096 rc = keyserver_import_fprint (*fpr, 20, spec);
2097 free_keyserver_spec (spec);
2098 }
2099 xfree (uri);
2100 }
2101
2102 if (rc)
2103 {
2104 xfree(*fpr);
2105 *fpr = NULL;
2106 }
2107
2108 return rc;
2109 }
2110
2111 /* Import all keys that match name */
2112 int
2113 keyserver_import_name(const char *name,unsigned char **fpr,size_t *fpr_len,
2114 struct keyserver_spec *keyserver)
2115 {
2116 strlist_t list=NULL;
2117 int rc;
2118
2119 append_to_strlist(&list,name);
2120
2121 rc=keyserver_work(KS_GETNAME,list,NULL,0,fpr,fpr_len,keyserver);
2122
2123 free_strlist(list);
2124
2125 return rc;
2126 }
2127
2128 /* Use the PGP Universal trick of asking ldap://keys.(maildomain) for
2129 the key. */
2130 int
2131 keyserver_import_ldap(const char *name,unsigned char **fpr,size_t *fpr_len)
2132 {
2133 char *domain;
2134 struct keyserver_spec *keyserver;
2135 strlist_t list=NULL;
2136 int rc;
2137
2138 append_to_strlist(&list,name);
2139
2140 /* Parse out the domain */
2141 domain=strrchr(name,'@');
2142 if(!domain)
2143 return G10ERR_GENERAL;
2144
2145 domain++;
2146
2147 keyserver=xmalloc_clear(sizeof(struct keyserver_spec));
2148
2149 keyserver->scheme=xstrdup("ldap");
2150 keyserver->host=xmalloc(5+strlen(domain)+1);
2151 strcpy(keyserver->host,"keys.");
2152 strcat(keyserver->host,domain);
2153 keyserver->uri=xmalloc(strlen(keyserver->scheme)+
2154 3+strlen(keyserver->host)+1);
2155 strcpy(keyserver->uri,keyserver->scheme);
2156 strcat(keyserver->uri,"://");
2157 strcat(keyserver->uri,keyserver->host);
2158
2159 rc=keyserver_work(KS_GETNAME,list,NULL,0,fpr,fpr_len,keyserver);
2160
2161 free_strlist(list);
2162
2163 free_keyserver_spec(keyserver);
2164
2165 return rc;
2166 }
gnupg svn clone