search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
typo fixes.
[gnupg.git] / g10 / keyserver.c
bloba54f2d11cee47b7b56cf7e43bf0af7e99518e4b5
1 /* keyserver.c - generic keyserver code
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006,
3 * 2007, 2008 Free Software Foundation, Inc.
4 *
5 * This file is part of GnuPG.
6 *
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include <config.h>
22 #include <ctype.h>
23 #include <stdio.h>
24 #include <string.h>
25 #include <stdlib.h>
26 #include <assert.h>
27 #include <errno.h>
28
29 #include "gpg.h"
30 #include "iobuf.h"
31 #include "filter.h"
32 #include "keydb.h"
33 #include "status.h"
34 #include "exec.h"
35 #include "main.h"
36 #include "i18n.h"
37 #include "ttyio.h"
38 #include "options.h"
39 #include "packet.h"
40 #include "trustdb.h"
41 #include "keyserver-internal.h"
42 #include "util.h"
43 #include "dns-cert.h"
44 #include "pka.h"
45
46 #ifdef HAVE_W32_SYSTEM
47 /* It seems Vista doesn't grok X_OK and so fails access() tests.
48 Previous versions interpreted X_OK as F_OK anyway, so we'll just
49 use F_OK directly. */
50 #undef X_OK
51 #define X_OK F_OK
52 #endif /* HAVE_W32_SYSTEM */
53
54 struct keyrec
55 {
56 KEYDB_SEARCH_DESC desc;
57 u32 createtime,expiretime;
58 int size,flags;
59 byte type;
60 IOBUF uidbuf;
61 unsigned int lines;
62 };
63
64 enum ks_action {KS_UNKNOWN=0,KS_GET,KS_GETNAME,KS_SEND,KS_SEARCH};
65
66 static struct parse_options keyserver_opts[]=
67 {
68 /* some of these options are not real - just for the help
69 message */
70 {"max-cert-size",0,NULL,NULL},
71 {"include-revoked",0,NULL,N_("include revoked keys in search results")},
72 {"include-subkeys",0,NULL,N_("include subkeys when searching by key ID")},
73 {"use-temp-files",0,NULL,
74 N_("use temporary files to pass data to keyserver helpers")},
75 {"keep-temp-files",KEYSERVER_KEEP_TEMP_FILES,NULL,
76 N_("do not delete temporary files after using them")},
77 {"refresh-add-fake-v3-keyids",KEYSERVER_ADD_FAKE_V3,NULL,
78 NULL},
79 {"auto-key-retrieve",KEYSERVER_AUTO_KEY_RETRIEVE,NULL,
80 N_("automatically retrieve keys when verifying signatures")},
81 {"honor-keyserver-url",KEYSERVER_HONOR_KEYSERVER_URL,NULL,
82 N_("honor the preferred keyserver URL set on the key")},
83 {"honor-pka-record",KEYSERVER_HONOR_PKA_RECORD,NULL,
84 N_("honor the PKA record set on a key when retrieving keys")},
85 {NULL,0,NULL,NULL}
86 };
87
88 static int keyserver_work(enum ks_action action,strlist_t list,
89 KEYDB_SEARCH_DESC *desc,int count,
90 unsigned char **fpr,size_t *fpr_len,
91 struct keyserver_spec *keyserver);
92
93 /* Reasonable guess */
94 #define DEFAULT_MAX_CERT_SIZE 16384
95
96 static size_t max_cert_size=DEFAULT_MAX_CERT_SIZE;
97
98 static void
99 add_canonical_option(char *option,strlist_t *list)
100 {
101 char *arg=argsplit(option);
102
103 if(arg)
104 {
105 char *joined;
106
107 joined=xmalloc(strlen(option)+1+strlen(arg)+1);
108 /* Make a canonical name=value form with no spaces */
109 strcpy(joined,option);
110 strcat(joined,"=");
111 strcat(joined,arg);
112 append_to_strlist(list,joined);
113 xfree(joined);
114 }
115 else
116 append_to_strlist(list,option);
117 }
118
119 int
120 parse_keyserver_options(char *options)
121 {
122 int ret=1;
123 char *tok;
124 char *max_cert=NULL;
125
126 keyserver_opts[0].value=&max_cert;
127
128 while((tok=optsep(&options)))
129 {
130 if(tok[0]=='\0')
131 continue;
132
133 /* For backwards compatibility. 1.2.x used honor-http-proxy and
134 there are a good number of documents published that recommend
135 it. */
136 if(ascii_strcasecmp(tok,"honor-http-proxy")==0)
137 tok="http-proxy";
138 else if(ascii_strcasecmp(tok,"no-honor-http-proxy")==0)
139 tok="no-http-proxy";
140
141 /* We accept quite a few possible options here - some options to
142 handle specially, the keyserver_options list, and import and
143 export options that pertain to keyserver operations. Note
144 that you must use strncasecmp here as there might be an
145 =argument attached which will foil the use of strcasecmp. */
146
147 #ifdef EXEC_TEMPFILE_ONLY
148 if(ascii_strncasecmp(tok,"use-temp-files",14)==0 ||
149 ascii_strncasecmp(tok,"no-use-temp-files",17)==0)
150 log_info(_("WARNING: keyserver option `%s' is not used"
151 " on this platform\n"),tok);
152 #else
153 if(ascii_strncasecmp(tok,"use-temp-files",14)==0)
154 opt.keyserver_options.options|=KEYSERVER_USE_TEMP_FILES;
155 else if(ascii_strncasecmp(tok,"no-use-temp-files",17)==0)
156 opt.keyserver_options.options&=~KEYSERVER_USE_TEMP_FILES;
157 #endif
158 else if(!parse_options(tok,&opt.keyserver_options.options,
159 keyserver_opts,0)
160 && !parse_import_options(tok,
161 &opt.keyserver_options.import_options,0)
162 && !parse_export_options(tok,
163 &opt.keyserver_options.export_options,0))
164 {
165 /* All of the standard options have failed, so the option is
166 destined for a keyserver plugin. */
167 add_canonical_option(tok,&opt.keyserver_options.other);
168 }
169 }
170
171 if(max_cert)
172 {
173 max_cert_size=strtoul(max_cert,(char **)NULL,10);
174
175 if(max_cert_size==0)
176 max_cert_size=DEFAULT_MAX_CERT_SIZE;
177 }
178
179 return ret;
180 }
181
182 void
183 free_keyserver_spec(struct keyserver_spec *keyserver)
184 {
185 xfree(keyserver->uri);
186 xfree(keyserver->scheme);
187 xfree(keyserver->auth);
188 xfree(keyserver->host);
189 xfree(keyserver->port);
190 xfree(keyserver->path);
191 xfree(keyserver->opaque);
192 free_strlist(keyserver->options);
193 xfree(keyserver);
194 }
195
196 /* Return 0 for match */
197 static int
198 cmp_keyserver_spec(struct keyserver_spec *one,struct keyserver_spec *two)
199 {
200 if(ascii_strcasecmp(one->scheme,two->scheme)==0)
201 {
202 if(one->host && two->host && ascii_strcasecmp(one->host,two->host)==0)
203 {
204 if((one->port && two->port
205 && ascii_strcasecmp(one->port,two->port)==0)
206 || (!one->port && !two->port))
207 return 0;
208 }
209 else if(one->opaque && two->opaque
210 && ascii_strcasecmp(one->opaque,two->opaque)==0)
211 return 0;
212 }
213
214 return 1;
215 }
216
217 /* Try and match one of our keyservers. If we can, return that. If
218 we can't, return our input. */
219 struct keyserver_spec *
220 keyserver_match(struct keyserver_spec *spec)
221 {
222 struct keyserver_spec *ks;
223
224 for(ks=opt.keyserver;ks;ks=ks->next)
225 if(cmp_keyserver_spec(spec,ks)==0)
226 return ks;
227
228 return spec;
229 }
230
231 /* TODO: once we cut over to an all-curl world, we don't need this
232 parser any longer so it can be removed, or at least moved to
233 keyserver/ksutil.c for limited use in gpgkeys_ldap or the like. */
234
235 struct keyserver_spec *
236 parse_keyserver_uri(const char *string,int require_scheme,
237 const char *configname,unsigned int configlineno)
238 {
239 int assume_hkp=0;
240 struct keyserver_spec *keyserver;
241 const char *idx;
242 int count;
243 char *uri,*options;
244
245 assert(string!=NULL);
246
247 keyserver=xmalloc_clear(sizeof(struct keyserver_spec));
248
249 uri=xstrdup(string);
250
251 options=strchr(uri,' ');
252 if(options)
253 {
254 char *tok;
255
256 *options='\0';
257 options++;
258
259 while((tok=optsep(&options)))
260 add_canonical_option(tok,&keyserver->options);
261 }
262
263 /* Get the scheme */
264
265 for(idx=uri,count=0;*idx && *idx!=':';idx++)
266 {
267 count++;
268
269 /* Do we see the start of an RFC-2732 ipv6 address here? If so,
270 there clearly isn't a scheme so get out early. */
271 if(*idx=='[')
272 {
273 /* Was the '[' the first thing in the string? If not, we
274 have a mangled scheme with a [ in it so fail. */
275 if(count==1)
276 break;
277 else
278 goto fail;
279 }
280 }
281
282 if(count==0)
283 goto fail;
284
285 if(*idx=='\0' || *idx=='[')
286 {
287 if(require_scheme)
288 return NULL;
289
290 /* Assume HKP if there is no scheme */
291 assume_hkp=1;
292 keyserver->scheme=xstrdup("hkp");
293
294 keyserver->uri=xmalloc(strlen(keyserver->scheme)+3+strlen(uri)+1);
295 strcpy(keyserver->uri,keyserver->scheme);
296 strcat(keyserver->uri,"://");
297 strcat(keyserver->uri,uri);
298 }
299 else
300 {
301 int i;
302
303 keyserver->uri=xstrdup(uri);
304
305 keyserver->scheme=xmalloc(count+1);
306
307 /* Force to lowercase */
308 for(i=0;i<count;i++)
309 keyserver->scheme[i]=ascii_tolower(uri[i]);
310
311 keyserver->scheme[i]='\0';
312
313 /* Skip past the scheme and colon */
314 uri+=count+1;
315 }
316
317 if(ascii_strcasecmp(keyserver->scheme,"x-broken-hkp")==0)
318 {
319 deprecated_warning(configname,configlineno,"x-broken-hkp",
320 "--keyserver-options ","broken-http-proxy");
321 xfree(keyserver->scheme);
322 keyserver->scheme=xstrdup("hkp");
323 append_to_strlist(&opt.keyserver_options.other,"broken-http-proxy");
324 }
325 else if(ascii_strcasecmp(keyserver->scheme,"x-hkp")==0)
326 {
327 /* Canonicalize this to "hkp" so it works with both the internal
328 and external keyserver interface. */
329 xfree(keyserver->scheme);
330 keyserver->scheme=xstrdup("hkp");
331 }
332
333 if (uri[0]=='/' && uri[1]=='/' && uri[2] == '/')
334 {
335 /* Three slashes means network path with a default host name.
336 This is a hack because it does not crok all possible
337 combiantions. We should better repalce all code bythe parser
338 from http.c. */
339 keyserver->path = xstrdup (uri+2);
340 }
341 else if(assume_hkp || (uri[0]=='/' && uri[1]=='/'))
342 {
343 /* Two slashes means network path. */
344
345 /* Skip over the "//", if any */
346 if(!assume_hkp)
347 uri+=2;
348
349 /* Do we have userinfo auth data present? */
350 for(idx=uri,count=0;*idx && *idx!='@' && *idx!='/';idx++)
351 count++;
352
353 /* We found a @ before the slash, so that means everything
354 before the @ is auth data. */
355 if(*idx=='@')
356 {
357 if(count==0)
358 goto fail;
359
360 keyserver->auth=xmalloc(count+1);
361 strncpy(keyserver->auth,uri,count);
362 keyserver->auth[count]='\0';
363 uri+=count+1;
364 }
365
366 /* Is it an RFC-2732 ipv6 [literal address] ? */
367 if(*uri=='[')
368 {
369 for(idx=uri+1,count=1;*idx
370 && ((isascii (*idx) && isxdigit(*idx))
371 || *idx==':' || *idx=='.');idx++)
372 count++;
373
374 /* Is the ipv6 literal address terminated? */
375 if(*idx==']')
376 count++;
377 else
378 goto fail;
379 }
380 else
381 for(idx=uri,count=0;*idx && *idx!=':' && *idx!='/';idx++)
382 count++;
383
384 if(count==0)
385 goto fail;
386
387 keyserver->host=xmalloc(count+1);
388 strncpy(keyserver->host,uri,count);
389 keyserver->host[count]='\0';
390
391 /* Skip past the host */
392 uri+=count;
393
394 if(*uri==':')
395 {
396 /* It would seem to be reasonable to limit the range of the
397 ports to values between 1-65535, but RFC 1738 and 1808
398 imply there is no limit. Of course, the real world has
399 limits. */
400
401 for(idx=uri+1,count=0;*idx && *idx!='/';idx++)
402 {
403 count++;
404
405 /* Ports are digits only */
406 if(!digitp(idx))
407 goto fail;
408 }
409
410 keyserver->port=xmalloc(count+1);
411 strncpy(keyserver->port,uri+1,count);
412 keyserver->port[count]='\0';
413
414 /* Skip past the colon and port number */
415 uri+=1+count;
416 }
417
418 /* Everything else is the path */
419 if(*uri)
420 keyserver->path=xstrdup(uri);
421 else
422 keyserver->path=xstrdup("/");
423
424 if(keyserver->path[1])
425 keyserver->flags.direct_uri=1;
426 }
427 else if(uri[0]!='/')
428 {
429 /* No slash means opaque. Just record the opaque blob and get
430 out. */
431 keyserver->opaque=xstrdup(uri);
432 }
433 else
434 {
435 /* One slash means absolute path. We don't need to support that
436 yet. */
437 goto fail;
438 }
439
440 return keyserver;
441
442 fail:
443 free_keyserver_spec(keyserver);
444
445 return NULL;
446 }
447
448 struct keyserver_spec *
449 parse_preferred_keyserver(PKT_signature *sig)
450 {
451 struct keyserver_spec *spec=NULL;
452 const byte *p;
453 size_t plen;
454
455 p=parse_sig_subpkt(sig->hashed,SIGSUBPKT_PREF_KS,&plen);
456 if(p && plen)
457 {
458 byte *dupe=xmalloc(plen+1);
459
460 memcpy(dupe,p,plen);
461 dupe[plen]='\0';
462 spec=parse_keyserver_uri(dupe,1,NULL,0);
463 xfree(dupe);
464 }
465
466 return spec;
467 }
468
469 static void
470 print_keyrec(int number,struct keyrec *keyrec)
471 {
472 int i;
473
474 iobuf_writebyte(keyrec->uidbuf,0);
475 iobuf_flush_temp(keyrec->uidbuf);
476 printf("(%d)\t%s ",number,iobuf_get_temp_buffer(keyrec->uidbuf));
477
478 if(keyrec->size>0)
479 printf("%d bit ",keyrec->size);
480
481 if(keyrec->type)
482 {
483 const char *str = gcry_pk_algo_name (keyrec->type);
484
485 if(str)
486 printf("%s ",str);
487 else
488 printf("unknown ");
489 }
490
491 switch(keyrec->desc.mode)
492 {
493 /* If the keyserver helper gave us a short keyid, we have no
494 choice but to use it. Do check --keyid-format to add a 0x if
495 needed. */
496 case KEYDB_SEARCH_MODE_SHORT_KID:
497 printf("key %s%08lX",
498 (opt.keyid_format==KF_0xSHORT
499 || opt.keyid_format==KF_0xLONG)?"0x":"",
500 (ulong)keyrec->desc.u.kid[1]);
501 break;
502
503 /* However, if it gave us a long keyid, we can honor
504 --keyid-format */
505 case KEYDB_SEARCH_MODE_LONG_KID:
506 printf("key %s",keystr(keyrec->desc.u.kid));
507 break;
508
509 case KEYDB_SEARCH_MODE_FPR16:
510 printf("key ");
511 for(i=0;i<16;i++)
512 printf("%02X",keyrec->desc.u.fpr[i]);
513 break;
514
515 case KEYDB_SEARCH_MODE_FPR20:
516 printf("key ");
517 for(i=0;i<20;i++)
518 printf("%02X",keyrec->desc.u.fpr[i]);
519 break;
520
521 default:
522 BUG();
523 break;
524 }
525
526 if(keyrec->createtime>0)
527 {
528 printf(", ");
529 printf(_("created: %s"),strtimestamp(keyrec->createtime));
530 }
531
532 if(keyrec->expiretime>0)
533 {
534 printf(", ");
535 printf(_("expires: %s"),strtimestamp(keyrec->expiretime));
536 }
537
538 if(keyrec->flags&1)
539 printf(" (%s)",_("revoked"));
540 if(keyrec->flags&2)
541 printf(" (%s)",_("disabled"));
542 if(keyrec->flags&4)
543 printf(" (%s)",_("expired"));
544
545 printf("\n");
546 }
547
548 /* Returns a keyrec (which must be freed) once a key is complete, and
549 NULL otherwise. Call with a NULL keystring once key parsing is
550 complete to return any unfinished keys. */
551 static struct keyrec *
552 parse_keyrec(char *keystring)
553 {
554 static struct keyrec *work=NULL;
555 struct keyrec *ret=NULL;
556 char *record;
557 int i;
558
559 if(keystring==NULL)
560 {
561 if(work==NULL)
562 return NULL;
563 else if(work->desc.mode==KEYDB_SEARCH_MODE_NONE)
564 {
565 xfree(work);
566 return NULL;
567 }
568 else
569 {
570 ret=work;
571 work=NULL;
572 return ret;
573 }
574 }
575
576 if(work==NULL)
577 {
578 work=xmalloc_clear(sizeof(struct keyrec));
579 work->uidbuf=iobuf_temp();
580 }
581
582 /* Remove trailing whitespace */
583 for(i=strlen(keystring);i>0;i--)
584 if(ascii_isspace(keystring[i-1]))
585 keystring[i-1]='\0';
586 else
587 break;
588
589 if((record=strsep(&keystring,":"))==NULL)
590 return ret;
591
592 if(ascii_strcasecmp("pub",record)==0)
593 {
594 char *tok;
595
596 if(work->desc.mode)
597 {
598 ret=work;
599 work=xmalloc_clear(sizeof(struct keyrec));
600 work->uidbuf=iobuf_temp();
601 }
602
603 if((tok=strsep(&keystring,":"))==NULL)
604 return ret;
605
606 classify_user_id(tok,&work->desc);
607 if(work->desc.mode!=KEYDB_SEARCH_MODE_SHORT_KID
608 && work->desc.mode!=KEYDB_SEARCH_MODE_LONG_KID
609 && work->desc.mode!=KEYDB_SEARCH_MODE_FPR16
610 && work->desc.mode!=KEYDB_SEARCH_MODE_FPR20)
611 {
612 work->desc.mode=KEYDB_SEARCH_MODE_NONE;
613 return ret;
614 }
615
616 /* Note all items after this are optional. This allows us to
617 have a pub line as simple as pub:keyid and nothing else. */
618
619 work->lines++;
620
621 if((tok=strsep(&keystring,":"))==NULL)
622 return ret;
623
624 work->type=atoi(tok);
625
626 if((tok=strsep(&keystring,":"))==NULL)
627 return ret;
628
629 work->size=atoi(tok);
630
631 if((tok=strsep(&keystring,":"))==NULL)
632 return ret;
633
634 if(atoi(tok)<=0)
635 work->createtime=0;
636 else
637 work->createtime=atoi(tok);
638
639 if((tok=strsep(&keystring,":"))==NULL)
640 return ret;
641
642 if(atoi(tok)<=0)
643 work->expiretime=0;
644 else
645 {
646 work->expiretime=atoi(tok);
647 /* Force the 'e' flag on if this key is expired. */
648 if(work->expiretime<=make_timestamp())
649 work->flags|=4;
650 }
651
652 if((tok=strsep(&keystring,":"))==NULL)
653 return ret;
654
655 while(*tok)
656 switch(*tok++)
657 {
658 case 'r':
659 case 'R':
660 work->flags|=1;
661 break;
662
663 case 'd':
664 case 'D':
665 work->flags|=2;
666 break;
667
668 case 'e':
669 case 'E':
670 work->flags|=4;
671 break;
672 }
673 }
674 else if(ascii_strcasecmp("uid",record)==0 && work->desc.mode)
675 {
676 char *userid,*tok,*decoded;
677
678 if((tok=strsep(&keystring,":"))==NULL)
679 return ret;
680
681 if(strlen(tok)==0)
682 return ret;
683
684 userid=tok;
685
686 /* By definition, de-%-encoding is always smaller than the
687 original string so we can decode in place. */
688
689 i=0;
690
691 while(*tok)
692 if(tok[0]=='%' && tok[1] && tok[2])
693 {
694 int c;
695
696 userid[i] = (c=hextobyte(&tok[1])) == -1 ? '?' : c;
697 i++;
698 tok+=3;
699 }
700 else
701 userid[i++]=*tok++;
702
703 /* We don't care about the other info provided in the uid: line
704 since no keyserver supports marking userids with timestamps
705 or revoked/expired/disabled yet. */
706
707 /* No need to check for control characters, as utf8_to_native
708 does this for us. */
709
710 decoded=utf8_to_native(userid,i,0);
711 if(strlen(decoded)>opt.screen_columns-10)
712 decoded[opt.screen_columns-10]='\0';
713 iobuf_writestr(work->uidbuf,decoded);
714 xfree(decoded);
715 iobuf_writestr(work->uidbuf,"\n\t");
716 work->lines++;
717 }
718
719 /* Ignore any records other than "pri" and "uid" for easy future
720 growth. */
721
722 return ret;
723 }
724
725 /* TODO: do this as a list sent to keyserver_work rather than calling
726 it once for each key to get the correct counts after the import
727 (cosmetics, really) and to better take advantage of the keyservers
728 that can do multiple fetches in one go (LDAP). */
729 static int
730 show_prompt(KEYDB_SEARCH_DESC *desc,int numdesc,int count,const char *search)
731 {
732 char *answer;
733
734 if(count && opt.command_fd==-1)
735 {
736 static int from=1;
737 tty_printf("Keys %d-%d of %d for \"%s\". ",from,numdesc,count,search);
738 from=numdesc+1;
739 }
740
741 answer=cpr_get_no_help("keysearch.prompt",
742 _("Enter number(s), N)ext, or Q)uit > "));
743 /* control-d */
744 if(answer[0]=='\x04')
745 {
746 printf("Q\n");
747 answer[0]='q';
748 }
749
750 if(answer[0]=='q' || answer[0]=='Q')
751 {
752 xfree(answer);
753 return 1;
754 }
755 else if(atoi(answer)>=1 && atoi(answer)<=numdesc)
756 {
757 char *split=answer,*num;
758
759 while((num=strsep(&split," ,"))!=NULL)
760 if(atoi(num)>=1 && atoi(num)<=numdesc)
761 keyserver_work(KS_GET,NULL,&desc[atoi(num)-1],1,
762 NULL,NULL,opt.keyserver);
763
764 xfree(answer);
765 return 1;
766 }
767
768 return 0;
769 }
770
771 /* Count and searchstr are just for cosmetics. If the count is too
772 small, it will grow safely. If negative it disables the "Key x-y
773 of z" messages. searchstr should be UTF-8 (rather than native). */
774 static void
775 keyserver_search_prompt(IOBUF buffer,const char *searchstr)
776 {
777 int i=0,validcount=0,started=0,header=0,count=1;
778 unsigned int maxlen,buflen,numlines=0;
779 KEYDB_SEARCH_DESC *desc;
780 byte *line=NULL;
781 char *localstr=NULL;
782
783 if(searchstr)
784 localstr=utf8_to_native(searchstr,strlen(searchstr),0);
785
786 desc=xmalloc(count*sizeof(KEYDB_SEARCH_DESC));
787
788 for(;;)
789 {
790 struct keyrec *keyrec;
791 int rl;
792
793 maxlen=1024;
794 rl=iobuf_read_line(buffer,&line,&buflen,&maxlen);
795
796 if(opt.with_colons)
797 {
798 if(!header && ascii_strncasecmp("SEARCH ",line,7)==0
799 && ascii_strncasecmp(" BEGIN",&line[strlen(line)-7],6)==0)
800 {
801 header=1;
802 continue;
803 }
804 else if(ascii_strncasecmp("SEARCH ",line,7)==0
805 && ascii_strncasecmp(" END",&line[strlen(line)-5],4)==0)
806 continue;
807
808 printf("%s",line);
809 }
810
811 /* Look for an info: line. The only current info: values
812 defined are the version and key count. */
813 if(!started && rl>0 && ascii_strncasecmp("info:",line,5)==0)
814 {
815 char *tok,*str=&line[5];
816
817 if((tok=strsep(&str,":"))!=NULL)
818 {
819 int version;
820
821 if(sscanf(tok,"%d",&version)!=1)
822 version=1;
823
824 if(version!=1)
825 {
826 log_error(_("invalid keyserver protocol "
827 "(us %d!=handler %d)\n"),1,version);
828 break;
829 }
830 }
831
832 if((tok=strsep(&str,":"))!=NULL && sscanf(tok,"%d",&count)==1)
833 {
834 if(count==0)
835 goto notfound;
836 else if(count<0)
837 count=10;
838 else
839 validcount=1;
840
841 desc=xrealloc(desc,count*sizeof(KEYDB_SEARCH_DESC));
842 }
843
844 started=1;
845 continue;
846 }
847
848 if(rl==0)
849 {
850 keyrec=parse_keyrec(NULL);
851
852 if(keyrec==NULL)
853 {
854 if(i==0)
855 {
856 count=0;
857 break;
858 }
859
860 if(i!=count)
861 validcount=0;
862
863 for(;;)
864 {
865 if(show_prompt(desc,i,validcount?count:0,localstr))
866 break;
867 validcount=0;
868 }
869
870 break;
871 }
872 }
873 else
874 keyrec=parse_keyrec(line);
875
876 if(i==count)
877 {
878 /* keyserver helper sent more keys than they claimed in the
879 info: line. */
880 count+=10;
881 desc=xrealloc(desc,count*sizeof(KEYDB_SEARCH_DESC));
882 validcount=0;
883 }
884
885 if(keyrec)
886 {
887 desc[i]=keyrec->desc;
888
889 if(!opt.with_colons)
890 {
891 /* screen_lines - 1 for the prompt. */
892 if(numlines+keyrec->lines>opt.screen_lines-1)
893 {
894 if(show_prompt(desc,i,validcount?count:0,localstr))
895 break;
896 else
897 numlines=0;
898 }
899
900 print_keyrec(i+1,keyrec);
901 }
902
903 numlines+=keyrec->lines;
904 iobuf_close(keyrec->uidbuf);
905 xfree(keyrec);
906
907 started=1;
908 i++;
909 }
910 }
911
912 notfound:
913 /* Leave this commented out or now, and perhaps for a very long
914 time. All HKPish servers return HTML error messages for
915 no-key-found. */
916 /*
917 if(!started)
918 log_info(_("keyserver does not support searching\n"));
919 else
920 */
921 if(count==0)
922 {
923 if(localstr)
924 log_info(_("key \"%s\" not found on keyserver\n"),localstr);
925 else
926 log_info(_("key not found on keyserver\n"));
927 }
928
929 xfree(localstr);
930 xfree(desc);
931 xfree(line);
932 }
933
934 /* We sometimes want to use a different gpgkeys_xxx for a given
935 protocol (for example, ldaps is handled by gpgkeys_ldap). Map
936 these here. */
937 static const char *
938 keyserver_typemap(const char *type)
939 {
940 if(strcmp(type,"ldaps")==0)
941 return "ldap";
942 else
943 return type;
944 }
945
946 /* The PGP LDAP and the curl fetch-a-LDAP-object methodologies are
947 sufficiently different that we can't use curl to do LDAP. */
948 static int
949 direct_uri_map(const char *scheme,unsigned int is_direct)
950 {
951 if(is_direct && strcmp(scheme,"ldap")==0)
952 return 1;
953
954 return 0;
955 }
956
957 #if GNUPG_MAJOR_VERSION == 2
958 #define GPGKEYS_PREFIX "gpg2keys_"
959 #else
960 #define GPGKEYS_PREFIX "gpgkeys_"
961 #endif
962 #define GPGKEYS_CURL GPGKEYS_PREFIX "curl" EXEEXT
963 #define GPGKEYS_PREFIX_LEN (strlen(GPGKEYS_CURL))
964 #define KEYSERVER_ARGS_KEEP " -o \"%O\" \"%I\""
965 #define KEYSERVER_ARGS_NOKEEP " -o \"%o\" \"%i\""
966
967 static int
968 keyserver_spawn(enum ks_action action,strlist_t list,KEYDB_SEARCH_DESC *desc,
969 int count,int *prog,unsigned char **fpr,size_t *fpr_len,
970 struct keyserver_spec *keyserver)
971 {
972 int ret=0,i,gotversion=0,outofband=0;
973 strlist_t temp;
974 unsigned int maxlen,buflen;
975 char *command,*end,*searchstr=NULL;
976 byte *line=NULL;
977 struct exec_info *spawn;
978 const char *scheme;
979 const char *libexecdir = gnupg_libexecdir ();
980
981 assert(keyserver);
982
983 #ifdef EXEC_TEMPFILE_ONLY
984 opt.keyserver_options.options|=KEYSERVER_USE_TEMP_FILES;
985 #endif
986
987 /* Build the filename for the helper to execute */
988 scheme=keyserver_typemap(keyserver->scheme);
989
990 #ifdef DISABLE_KEYSERVER_PATH
991 /* Destroy any path we might have. This is a little tricky,
992 portability-wise. It's not correct to delete the PATH
993 environment variable, as that may fall back to a system built-in
994 PATH. Similarly, it is not correct to set PATH to the null
995 string (PATH="") since this actually deletes the PATH environment
996 variable under MinGW. The safest thing to do here is to force
997 PATH to be GNUPG_LIBEXECDIR. All this is not that meaningful on
998 Unix-like systems (since we're going to give a full path to
999 gpgkeys_foo), but on W32 it prevents loading any DLLs from
1000 directories in %PATH%.
1001
1002 After some more thinking about this we came to the conclusion
1003 that it is better to load the helpers from the directory where
1004 the program of this process lives. Fortunately Windows provides
1005 a way to retrieve this and our gnupg_libexecdir function has been
1006 modified to return just this. Setting the exec-path is not
1007 anymore required.
1008 set_exec_path(libexecdir);
1009 */
1010 #else
1011 if(opt.exec_path_set)
1012 {
1013 /* If exec-path was set, and DISABLE_KEYSERVER_PATH is
1014 undefined, then don't specify a full path to gpgkeys_foo, so
1015 that the PATH can work. */
1016 command=xmalloc(GPGKEYS_PREFIX_LEN+strlen(scheme)+3+strlen(EXEEXT)+1);
1017 command[0]='\0';
1018 }
1019 else
1020 #endif
1021 {
1022 /* Specify a full path to gpgkeys_foo. */
1023 command=xmalloc(strlen(libexecdir)+strlen(DIRSEP_S)+
1024 GPGKEYS_PREFIX_LEN+strlen(scheme)+3+strlen(EXEEXT)+1);
1025 strcpy(command,libexecdir);
1026 strcat(command,DIRSEP_S);
1027 }
1028
1029 end=command+strlen(command);
1030
1031 /* Build a path for the keyserver helper. If it is direct_uri
1032 (i.e. an object fetch and not a keyserver), then add "_uri" to
1033 the end to distinguish the keyserver helper from an object
1034 fetcher that can speak that protocol (this is a problem for
1035 LDAP). */
1036
1037 strcat(command,GPGKEYS_PREFIX);
1038 strcat(command,scheme);
1039
1040 /* This "_uri" thing is in case we need to call a direct handler
1041 instead of the keyserver handler. This lets us use gpgkeys_curl
1042 or gpgkeys_ldap_uri (we don't provide it, but a user might)
1043 instead of gpgkeys_ldap to fetch things like
1044 ldap://keyserver.pgp.com/o=PGP%20keys?pgpkey?sub?pgpkeyid=99242560 */
1045
1046 if(direct_uri_map(scheme,keyserver->flags.direct_uri))
1047 strcat(command,"_uri");
1048
1049 strcat(command,EXEEXT);
1050
1051 /* Can we execute it? If not, try curl as our catchall. */
1052 if(path_access(command,X_OK)!=0)
1053 strcpy(end,GPGKEYS_CURL);
1054
1055 if(opt.keyserver_options.options&KEYSERVER_USE_TEMP_FILES)
1056 {
1057 if(opt.keyserver_options.options&KEYSERVER_KEEP_TEMP_FILES)
1058 {
1059 command=xrealloc(command,strlen(command)+
1060 strlen(KEYSERVER_ARGS_KEEP)+1);
1061 strcat(command,KEYSERVER_ARGS_KEEP);
1062 }
1063 else
1064 {
1065 command=xrealloc(command,strlen(command)+
1066 strlen(KEYSERVER_ARGS_NOKEEP)+1);
1067 strcat(command,KEYSERVER_ARGS_NOKEEP);
1068 }
1069
1070 ret=exec_write(&spawn,NULL,command,NULL,0,0);
1071 }
1072 else
1073 ret=exec_write(&spawn,command,NULL,NULL,0,0);
1074
1075 xfree(command);
1076
1077 if(ret)
1078 return ret;
1079
1080 fprintf(spawn->tochild,
1081 "# This is a GnuPG %s keyserver communications file\n",VERSION);
1082 fprintf(spawn->tochild,"VERSION %d\n",KEYSERVER_PROTO_VERSION);
1083 fprintf(spawn->tochild,"PROGRAM %s\n",VERSION);
1084 fprintf(spawn->tochild,"SCHEME %s\n",keyserver->scheme);
1085
1086 if(keyserver->opaque)
1087 fprintf(spawn->tochild,"OPAQUE %s\n",keyserver->opaque);
1088 else
1089 {
1090 if(keyserver->auth)
1091 fprintf(spawn->tochild,"AUTH %s\n",keyserver->auth);
1092
1093 if(keyserver->host)
1094 fprintf(spawn->tochild,"HOST %s\n",keyserver->host);
1095
1096 if(keyserver->port)
1097 fprintf(spawn->tochild,"PORT %s\n",keyserver->port);
1098
1099 if(keyserver->path)
1100 fprintf(spawn->tochild,"PATH %s\n",keyserver->path);
1101 }
1102
1103 /* Write global options */
1104
1105 for(temp=opt.keyserver_options.other;temp;temp=temp->next)
1106 fprintf(spawn->tochild,"OPTION %s\n",temp->d);
1107
1108 /* Write per-keyserver options */
1109
1110 for(temp=keyserver->options;temp;temp=temp->next)
1111 fprintf(spawn->tochild,"OPTION %s\n",temp->d);
1112
1113 switch(action)
1114 {
1115 case KS_GET:
1116 {
1117 fprintf(spawn->tochild,"COMMAND GET\n\n");
1118
1119 /* Which keys do we want? */
1120
1121 for(i=0;i<count;i++)
1122 {
1123 int quiet=0;
1124
1125 if(desc[i].mode==KEYDB_SEARCH_MODE_FPR20)
1126 {
1127 int f;
1128
1129 fprintf(spawn->tochild,"0x");
1130
1131 for(f=0;f<MAX_FINGERPRINT_LEN;f++)
1132 fprintf(spawn->tochild,"%02X",desc[i].u.fpr[f]);
1133
1134 fprintf(spawn->tochild,"\n");
1135 }
1136 else if(desc[i].mode==KEYDB_SEARCH_MODE_FPR16)
1137 {
1138 int f;
1139
1140 fprintf(spawn->tochild,"0x");
1141
1142 for(f=0;f<16;f++)
1143 fprintf(spawn->tochild,"%02X",desc[i].u.fpr[f]);
1144
1145 fprintf(spawn->tochild,"\n");
1146 }
1147 else if(desc[i].mode==KEYDB_SEARCH_MODE_LONG_KID)
1148 fprintf(spawn->tochild,"0x%08lX%08lX\n",
1149 (ulong)desc[i].u.kid[0],
1150 (ulong)desc[i].u.kid[1]);
1151 else if(desc[i].mode==KEYDB_SEARCH_MODE_SHORT_KID)
1152 fprintf(spawn->tochild,"0x%08lX\n",
1153 (ulong)desc[i].u.kid[1]);
1154 else if(desc[i].mode==KEYDB_SEARCH_MODE_EXACT)
1155 {
1156 fprintf(spawn->tochild,"0x0000000000000000\n");
1157 quiet=1;
1158 }
1159 else if(desc[i].mode==KEYDB_SEARCH_MODE_NONE)
1160 continue;
1161 else
1162 BUG();
1163
1164 if(!quiet)
1165 {
1166 if(keyserver->host)
1167 log_info(_("requesting key %s from %s server %s\n"),
1168 keystr_from_desc(&desc[i]),
1169 keyserver->scheme,keyserver->host);
1170 else
1171 log_info(_("requesting key %s from %s\n"),
1172 keystr_from_desc(&desc[i]),keyserver->uri);
1173 }
1174 }
1175
1176 fprintf(spawn->tochild,"\n");
1177
1178 break;
1179 }
1180
1181 case KS_GETNAME:
1182 {
1183 strlist_t key;
1184
1185 fprintf(spawn->tochild,"COMMAND GETNAME\n\n");
1186
1187 /* Which names do we want? */
1188
1189 for(key=list;key!=NULL;key=key->next)
1190 fprintf(spawn->tochild,"%s\n",key->d);
1191
1192 fprintf(spawn->tochild,"\n");
1193
1194 if(keyserver->host)
1195 log_info(_("searching for names from %s server %s\n"),
1196 keyserver->scheme,keyserver->host);
1197 else
1198 log_info(_("searching for names from %s\n"),keyserver->uri);
1199
1200 break;
1201 }
1202
1203 case KS_SEND:
1204 {
1205 strlist_t key;
1206
1207 /* Note the extra \n here to send an empty keylist block */
1208 fprintf(spawn->tochild,"COMMAND SEND\n\n\n");
1209
1210 for(key=list;key!=NULL;key=key->next)
1211 {
1212 armor_filter_context_t *afx;
1213 IOBUF buffer = iobuf_temp ();
1214 KBNODE block;
1215
1216 temp=NULL;
1217 add_to_strlist(&temp,key->d);
1218
1219 afx = new_armor_context ();
1220 afx->what = 1;
1221 /* Tell the armor filter to use Unix-style \n line
1222 endings, since we're going to fprintf this to a file
1223 that (on Win32) is open in text mode. The win32 stdio
1224 will transform the \n to \r\n and we'll end up with the
1225 proper line endings on win32. This is a no-op on
1226 Unix. */
1227 afx->eol[0] = '\n';
1228 push_armor_filter (afx, buffer);
1229 release_armor_context (afx);
1230
1231 /* TODO: Remove Comment: lines from keys exported this
1232 way? */
1233
1234 if(export_pubkeys_stream(buffer,temp,&block,
1235 opt.keyserver_options.export_options)==-1)
1236 iobuf_close(buffer);
1237 else
1238 {
1239 KBNODE node;
1240
1241 iobuf_flush_temp(buffer);
1242
1243 merge_keys_and_selfsig(block);
1244
1245 fprintf(spawn->tochild,"INFO %08lX%08lX BEGIN\n",
1246 (ulong)block->pkt->pkt.public_key->keyid[0],
1247 (ulong)block->pkt->pkt.public_key->keyid[1]);
1248
1249 for(node=block;node;node=node->next)
1250 {
1251 switch(node->pkt->pkttype)
1252 {
1253 default:
1254 continue;
1255
1256 case PKT_PUBLIC_KEY:
1257 case PKT_PUBLIC_SUBKEY:
1258 {
1259 PKT_public_key *pk=node->pkt->pkt.public_key;
1260
1261 keyid_from_pk(pk,NULL);
1262
1263 fprintf(spawn->tochild,"%sb:%08lX%08lX:%u:%u:%u:%u:",
1264 node->pkt->pkttype==PKT_PUBLIC_KEY?"pu":"su",
1265 (ulong)pk->keyid[0],(ulong)pk->keyid[1],
1266 pk->pubkey_algo,
1267 nbits_from_pk(pk),
1268 pk->timestamp,
1269 pk->expiredate);
1270
1271 if(pk->is_revoked)
1272 fprintf(spawn->tochild,"r");
1273 if(pk->has_expired)
1274 fprintf(spawn->tochild,"e");
1275
1276 fprintf(spawn->tochild,"\n");
1277 }
1278 break;
1279
1280 case PKT_USER_ID:
1281 {
1282 PKT_user_id *uid=node->pkt->pkt.user_id;
1283 int r;
1284
1285 if(uid->attrib_data)
1286 continue;
1287
1288 fprintf(spawn->tochild,"uid:");
1289
1290 /* Quote ':', '%', and any 8-bit
1291 characters */
1292 for(r=0;r<uid->len;r++)
1293 {
1294 if(uid->name[r]==':' || uid->name[r]=='%'
1295 || uid->name[r]&0x80)
1296 fprintf(spawn->tochild,"%%%02X",
1297 (byte)uid->name[r]);
1298 else
1299 fprintf(spawn->tochild,"%c",uid->name[r]);
1300 }
1301
1302 fprintf(spawn->tochild,":%u:%u:",
1303 uid->created,uid->expiredate);
1304
1305 if(uid->is_revoked)
1306 fprintf(spawn->tochild,"r");
1307 if(uid->is_expired)
1308 fprintf(spawn->tochild,"e");
1309
1310 fprintf(spawn->tochild,"\n");
1311 }
1312 break;
1313
1314 /* This bit is really for the benefit of
1315 people who store their keys in LDAP
1316 servers. It makes it easy to do queries
1317 for things like "all keys signed by
1318 Isabella". */
1319 case PKT_SIGNATURE:
1320 {
1321 PKT_signature *sig=node->pkt->pkt.signature;
1322
1323 if(!IS_UID_SIG(sig))
1324 continue;
1325
1326 fprintf(spawn->tochild,"sig:%08lX%08lX:%X:%u:%u\n",
1327 (ulong)sig->keyid[0],(ulong)sig->keyid[1],
1328 sig->sig_class,sig->timestamp,
1329 sig->expiredate);
1330 }
1331 break;
1332 }
1333 }
1334
1335 fprintf(spawn->tochild,"INFO %08lX%08lX END\n",
1336 (ulong)block->pkt->pkt.public_key->keyid[0],
1337 (ulong)block->pkt->pkt.public_key->keyid[1]);
1338
1339 fprintf(spawn->tochild,"KEY %08lX%08lX BEGIN\n",
1340 (ulong)block->pkt->pkt.public_key->keyid[0],
1341 (ulong)block->pkt->pkt.public_key->keyid[1]);
1342 fwrite(iobuf_get_temp_buffer(buffer),
1343 iobuf_get_temp_length(buffer),1,spawn->tochild);
1344 fprintf(spawn->tochild,"KEY %08lX%08lX END\n",
1345 (ulong)block->pkt->pkt.public_key->keyid[0],
1346 (ulong)block->pkt->pkt.public_key->keyid[1]);
1347
1348 iobuf_close(buffer);
1349
1350 if(keyserver->host)
1351 log_info(_("sending key %s to %s server %s\n"),
1352 keystr(block->pkt->pkt.public_key->keyid),
1353 keyserver->scheme,keyserver->host);
1354 else
1355 log_info(_("sending key %s to %s\n"),
1356 keystr(block->pkt->pkt.public_key->keyid),
1357 keyserver->uri);
1358
1359 release_kbnode(block);
1360 }
1361
1362 free_strlist(temp);
1363 }
1364
1365 break;
1366 }
1367
1368 case KS_SEARCH:
1369 {
1370 strlist_t key;
1371
1372 fprintf(spawn->tochild,"COMMAND SEARCH\n\n");
1373
1374 /* Which keys do we want? Remember that the gpgkeys_ program
1375 is going to lump these together into a search string. */
1376
1377 for(key=list;key!=NULL;key=key->next)
1378 {
1379 fprintf(spawn->tochild,"%s\n",key->d);
1380 if(key!=list)
1381 {
1382 searchstr=xrealloc(searchstr,
1383 strlen(searchstr)+strlen(key->d)+2);
1384 strcat(searchstr," ");
1385 }
1386 else
1387 {
1388 searchstr=xmalloc(strlen(key->d)+1);
1389 searchstr[0]='\0';
1390 }
1391
1392 strcat(searchstr,key->d);
1393 }
1394
1395 fprintf(spawn->tochild,"\n");
1396
1397 if(keyserver->host)
1398 log_info(_("searching for \"%s\" from %s server %s\n"),
1399 searchstr,keyserver->scheme,keyserver->host);
1400 else
1401 log_info(_("searching for \"%s\" from %s\n"),
1402 searchstr,keyserver->uri);
1403
1404 break;
1405 }
1406
1407 default:
1408 log_fatal(_("no keyserver action!\n"));
1409 break;
1410 }
1411
1412 /* Done sending, so start reading. */
1413 ret=exec_read(spawn);
1414 if(ret)
1415 goto fail;
1416
1417 /* Now handle the response */
1418
1419 for(;;)
1420 {
1421 int plen;
1422 char *ptr;
1423
1424 maxlen=1024;
1425 if(iobuf_read_line(spawn->fromchild,&line,&buflen,&maxlen)==0)
1426 {
1427 ret = gpg_error_from_syserror ();
1428 goto fail; /* i.e. EOF */
1429 }
1430
1431 ptr=line;
1432
1433 /* remove trailing whitespace */
1434 plen=strlen(ptr);
1435 while(plen>0 && ascii_isspace(ptr[plen-1]))
1436 plen--;
1437 plen[ptr]='\0';
1438
1439 if(*ptr=='\0')
1440 break;
1441
1442 if(ascii_strncasecmp(ptr,"VERSION ",8)==0)
1443 {
1444 gotversion=1;
1445
1446 if(atoi(&ptr[8])!=KEYSERVER_PROTO_VERSION)
1447 {
1448 log_error(_("invalid keyserver protocol (us %d!=handler %d)\n"),
1449 KEYSERVER_PROTO_VERSION,atoi(&ptr[8]));
1450 goto fail;
1451 }
1452 }
1453 else if(ascii_strncasecmp(ptr,"PROGRAM ",8)==0)
1454 {
1455 if(ascii_strncasecmp(&ptr[8],VERSION,strlen(VERSION))!=0)
1456 log_info(_("WARNING: keyserver handler from a different"
1457 " version of GnuPG (%s)\n"),&ptr[8]);
1458 }
1459 else if(ascii_strncasecmp(ptr,"OPTION OUTOFBAND",16)==0)
1460 outofband=1; /* Currently the only OPTION */
1461 }
1462
1463 if(!gotversion)
1464 {
1465 log_error(_("keyserver did not send VERSION\n"));
1466 goto fail;
1467 }
1468
1469 if(!outofband)
1470 switch(action)
1471 {
1472 case KS_GET:
1473 case KS_GETNAME:
1474 {
1475 void *stats_handle;
1476
1477 stats_handle=import_new_stats_handle();
1478
1479 /* Slurp up all the key data. In the future, it might be
1480 nice to look for KEY foo OUTOFBAND and FAILED indicators.
1481 It's harmless to ignore them, but ignoring them does make
1482 gpg complain about "no valid OpenPGP data found". One
1483 way to do this could be to continue parsing this
1484 line-by-line and make a temp iobuf for each key. */
1485
1486 import_keys_stream(spawn->fromchild,stats_handle,fpr,fpr_len,
1487 opt.keyserver_options.import_options);
1488
1489 import_print_stats(stats_handle);
1490 import_release_stats_handle(stats_handle);
1491
1492 break;
1493 }
1494
1495 /* Nothing to do here */
1496 case KS_SEND:
1497 break;
1498
1499 case KS_SEARCH:
1500 keyserver_search_prompt(spawn->fromchild,searchstr);
1501 break;
1502
1503 default:
1504 log_fatal(_("no keyserver action!\n"));
1505 break;
1506 }
1507
1508 fail:
1509 xfree(line);
1510 xfree(searchstr);
1511
1512
1513 *prog=exec_finish(spawn);
1514
1515 return ret;
1516 }
1517
1518 static int
1519 keyserver_work(enum ks_action action,strlist_t list,KEYDB_SEARCH_DESC *desc,
1520 int count,unsigned char **fpr,size_t *fpr_len,
1521 struct keyserver_spec *keyserver)
1522 {
1523 int rc=0,ret=0;
1524
1525 if(!keyserver)
1526 {
1527 log_error(_("no keyserver known (use option --keyserver)\n"));
1528 return G10ERR_BAD_URI;
1529 }
1530
1531 #ifdef DISABLE_KEYSERVER_HELPERS
1532
1533 log_error(_("external keyserver calls are not supported in this build\n"));
1534 return G10ERR_KEYSERVER;
1535
1536 #else
1537 /* Spawn a handler */
1538
1539 rc=keyserver_spawn(action,list,desc,count,&ret,fpr,fpr_len,keyserver);
1540 if(ret)
1541 {
1542 switch(ret)
1543 {
1544 case KEYSERVER_SCHEME_NOT_FOUND:
1545 log_error(_("no handler for keyserver scheme `%s'\n"),
1546 keyserver->scheme);
1547 break;
1548
1549 case KEYSERVER_NOT_SUPPORTED:
1550 log_error(_("action `%s' not supported with keyserver "
1551 "scheme `%s'\n"),
1552 action==KS_GET?"get":action==KS_SEND?"send":
1553 action==KS_SEARCH?"search":"unknown",
1554 keyserver->scheme);
1555 break;
1556
1557 case KEYSERVER_VERSION_ERROR:
1558 log_error(_(GPGKEYS_PREFIX "%s does not support"
1559 " handler version %d\n"),
1560 keyserver_typemap(keyserver->scheme),
1561 KEYSERVER_PROTO_VERSION);
1562 break;
1563
1564 case KEYSERVER_TIMEOUT:
1565 log_error(_("keyserver timed out\n"));
1566 break;
1567
1568 case KEYSERVER_INTERNAL_ERROR:
1569 default:
1570 log_error(_("keyserver internal error\n"));
1571 break;
1572 }
1573
1574 return G10ERR_KEYSERVER;
1575 }
1576
1577 if(rc)
1578 {
1579 log_error(_("keyserver communications error: %s\n"),g10_errstr(rc));
1580
1581 return rc;
1582 }
1583
1584 return 0;
1585 #endif /* ! DISABLE_KEYSERVER_HELPERS*/
1586 }
1587
1588 int
1589 keyserver_export(strlist_t users)
1590 {
1591 strlist_t sl=NULL;
1592 KEYDB_SEARCH_DESC desc;
1593 int rc=0;
1594
1595 /* Weed out descriptors that we don't support sending */
1596 for(;users;users=users->next)
1597 {
1598 classify_user_id (users->d, &desc);
1599 if(desc.mode!=KEYDB_SEARCH_MODE_SHORT_KID &&
1600 desc.mode!=KEYDB_SEARCH_MODE_LONG_KID &&
1601 desc.mode!=KEYDB_SEARCH_MODE_FPR16 &&
1602 desc.mode!=KEYDB_SEARCH_MODE_FPR20)
1603 {
1604 log_error(_("\"%s\" not a key ID: skipping\n"),users->d);
1605 continue;
1606 }
1607 else
1608 append_to_strlist(&sl,users->d);
1609 }
1610
1611 if(sl)
1612 {
1613 rc=keyserver_work(KS_SEND,sl,NULL,0,NULL,NULL,opt.keyserver);
1614 free_strlist(sl);
1615 }
1616
1617 return rc;
1618 }
1619
1620 int
1621 keyserver_import(strlist_t users)
1622 {
1623 KEYDB_SEARCH_DESC *desc;
1624 int num=100,count=0;
1625 int rc=0;
1626
1627 /* Build a list of key ids */
1628 desc=xmalloc(sizeof(KEYDB_SEARCH_DESC)*num);
1629
1630 for(;users;users=users->next)
1631 {
1632 classify_user_id (users->d, &desc[count]);
1633 if(desc[count].mode!=KEYDB_SEARCH_MODE_SHORT_KID &&
1634 desc[count].mode!=KEYDB_SEARCH_MODE_LONG_KID &&
1635 desc[count].mode!=KEYDB_SEARCH_MODE_FPR16 &&
1636 desc[count].mode!=KEYDB_SEARCH_MODE_FPR20)
1637 {
1638 log_error(_("\"%s\" not a key ID: skipping\n"),users->d);
1639 continue;
1640 }
1641
1642 count++;
1643 if(count==num)
1644 {
1645 num+=100;
1646 desc=xrealloc(desc,sizeof(KEYDB_SEARCH_DESC)*num);
1647 }
1648 }
1649
1650 if(count>0)
1651 rc=keyserver_work(KS_GET,NULL,desc,count,NULL,NULL,opt.keyserver);
1652
1653 xfree(desc);
1654
1655 return rc;
1656 }
1657
1658 int
1659 keyserver_import_fprint(const byte *fprint,size_t fprint_len,
1660 struct keyserver_spec *keyserver)
1661 {
1662 KEYDB_SEARCH_DESC desc;
1663
1664 memset(&desc,0,sizeof(desc));
1665
1666 if(fprint_len==16)
1667 desc.mode=KEYDB_SEARCH_MODE_FPR16;
1668 else if(fprint_len==20)
1669 desc.mode=KEYDB_SEARCH_MODE_FPR20;
1670 else
1671 return -1;
1672
1673 memcpy(desc.u.fpr,fprint,fprint_len);
1674
1675 /* TODO: Warn here if the fingerprint we got doesn't match the one
1676 we asked for? */
1677 return keyserver_work(KS_GET,NULL,&desc,1,NULL,NULL,keyserver);
1678 }
1679
1680 int
1681 keyserver_import_keyid(u32 *keyid,struct keyserver_spec *keyserver)
1682 {
1683 KEYDB_SEARCH_DESC desc;
1684
1685 memset(&desc,0,sizeof(desc));
1686
1687 desc.mode=KEYDB_SEARCH_MODE_LONG_KID;
1688 desc.u.kid[0]=keyid[0];
1689 desc.u.kid[1]=keyid[1];
1690
1691 return keyserver_work(KS_GET,NULL,&desc,1,NULL,NULL,keyserver);
1692 }
1693
1694 /* code mostly stolen from do_export_stream */
1695 static int
1696 keyidlist(strlist_t users,KEYDB_SEARCH_DESC **klist,int *count,int fakev3)
1697 {
1698 int rc=0,ndesc,num=100;
1699 KBNODE keyblock=NULL,node;
1700 KEYDB_HANDLE kdbhd;
1701 KEYDB_SEARCH_DESC *desc;
1702 strlist_t sl;
1703
1704 *count=0;
1705
1706 *klist=xmalloc(sizeof(KEYDB_SEARCH_DESC)*num);
1707
1708 kdbhd=keydb_new(0);
1709
1710 if(!users)
1711 {
1712 ndesc = 1;
1713 desc = xmalloc_clear ( ndesc * sizeof *desc);
1714 desc[0].mode = KEYDB_SEARCH_MODE_FIRST;
1715 }
1716 else
1717 {
1718 for (ndesc=0, sl=users; sl; sl = sl->next, ndesc++)
1719 ;
1720 desc = xmalloc ( ndesc * sizeof *desc);
1721
1722 for (ndesc=0, sl=users; sl; sl = sl->next)
1723 {
1724 if(classify_user_id (sl->d, desc+ndesc))
1725 ndesc++;
1726 else
1727 log_error (_("key \"%s\" not found: %s\n"),
1728 sl->d, g10_errstr (G10ERR_INV_USER_ID));
1729 }
1730 }
1731
1732 while (!(rc = keydb_search (kdbhd, desc, ndesc)))
1733 {
1734 if (!users)
1735 desc[0].mode = KEYDB_SEARCH_MODE_NEXT;
1736
1737 /* read the keyblock */
1738 rc = keydb_get_keyblock (kdbhd, &keyblock );
1739 if( rc )
1740 {
1741 log_error (_("error reading keyblock: %s\n"), g10_errstr(rc) );
1742 goto leave;
1743 }
1744
1745 if((node=find_kbnode(keyblock,PKT_PUBLIC_KEY)))
1746 {
1747 /* This is to work around a bug in some keyservers (pksd and
1748 OKS) that calculate v4 RSA keyids as if they were v3 RSA.
1749 The answer is to refresh both the correct v4 keyid
1750 (e.g. 99242560) and the fake v3 keyid (e.g. 68FDDBC7).
1751 This only happens for key refresh using the HKP scheme
1752 and if the refresh-add-fake-v3-keyids keyserver option is
1753 set. */
1754 if(fakev3 && is_RSA(node->pkt->pkt.public_key->pubkey_algo) &&
1755 node->pkt->pkt.public_key->version>=4)
1756 {
1757 (*klist)[*count].mode=KEYDB_SEARCH_MODE_LONG_KID;
1758 v3_keyid (node->pkt->pkt.public_key->pkey[0],
1759 (*klist)[*count].u.kid);
1760 (*count)++;
1761
1762 if(*count==num)
1763 {
1764 num+=100;
1765 *klist=xrealloc(*klist,sizeof(KEYDB_SEARCH_DESC)*num);
1766 }
1767 }
1768
1769 /* v4 keys get full fingerprints. v3 keys get long keyids.
1770 This is because it's easy to calculate any sort of keyid
1771 from a v4 fingerprint, but not a v3 fingerprint. */
1772
1773 if(node->pkt->pkt.public_key->version<4)
1774 {
1775 (*klist)[*count].mode=KEYDB_SEARCH_MODE_LONG_KID;
1776 keyid_from_pk(node->pkt->pkt.public_key,
1777 (*klist)[*count].u.kid);
1778 }
1779 else
1780 {
1781 size_t dummy;
1782
1783 (*klist)[*count].mode=KEYDB_SEARCH_MODE_FPR20;
1784 fingerprint_from_pk(node->pkt->pkt.public_key,
1785 (*klist)[*count].u.fpr,&dummy);
1786 }
1787
1788 /* This is a little hackish, using the skipfncvalue as a
1789 void* pointer to the keyserver spec, but we don't need
1790 the skipfnc here, and it saves having an additional field
1791 for this (which would be wasted space most of the
1792 time). */
1793
1794 (*klist)[*count].skipfncvalue=NULL;
1795
1796 /* Are we honoring preferred keyservers? */
1797 if(opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)
1798 {
1799 PKT_user_id *uid=NULL;
1800 PKT_signature *sig=NULL;
1801
1802 merge_keys_and_selfsig(keyblock);
1803
1804 for(node=node->next;node;node=node->next)
1805 {
1806 if(node->pkt->pkttype==PKT_USER_ID
1807 && node->pkt->pkt.user_id->is_primary)
1808 uid=node->pkt->pkt.user_id;
1809 else if(node->pkt->pkttype==PKT_SIGNATURE
1810 && node->pkt->pkt.signature->
1811 flags.chosen_selfsig && uid)
1812 {
1813 sig=node->pkt->pkt.signature;
1814 break;
1815 }
1816 }
1817
1818 /* Try and parse the keyserver URL. If it doesn't work,
1819 then we end up writing NULL which indicates we are
1820 the same as any other key. */
1821 if(sig)
1822 (*klist)[*count].skipfncvalue=parse_preferred_keyserver(sig);
1823 }
1824
1825 (*count)++;
1826
1827 if(*count==num)
1828 {
1829 num+=100;
1830 *klist=xrealloc(*klist,sizeof(KEYDB_SEARCH_DESC)*num);
1831 }
1832 }
1833 }
1834
1835 if(rc==-1)
1836 rc=0;
1837
1838 leave:
1839 if(rc)
1840 xfree(*klist);
1841 xfree(desc);
1842 keydb_release(kdbhd);
1843 release_kbnode(keyblock);
1844
1845 return rc;
1846 }
1847
1848 /* Note this is different than the original HKP refresh. It allows
1849 usernames to refresh only part of the keyring. */
1850
1851 int
1852 keyserver_refresh(strlist_t users)
1853 {
1854 int rc,count,numdesc,fakev3=0;
1855 KEYDB_SEARCH_DESC *desc;
1856 unsigned int options=opt.keyserver_options.import_options;
1857
1858 /* We switch merge-only on during a refresh, as 'refresh' should
1859 never import new keys, even if their keyids match. */
1860 opt.keyserver_options.import_options|=IMPORT_MERGE_ONLY;
1861
1862 /* Similarly, we switch on fast-import, since refresh may make
1863 multiple import sets (due to preferred keyserver URLs). We don't
1864 want each set to rebuild the trustdb. Instead we do it once at
1865 the end here. */
1866 opt.keyserver_options.import_options|=IMPORT_FAST;
1867
1868 /* If refresh_add_fake_v3_keyids is on and it's a HKP or MAILTO
1869 scheme, then enable fake v3 keyid generation. */
1870 if((opt.keyserver_options.options&KEYSERVER_ADD_FAKE_V3) && opt.keyserver
1871 && (ascii_strcasecmp(opt.keyserver->scheme,"hkp")==0 ||
1872 ascii_strcasecmp(opt.keyserver->scheme,"mailto")==0))
1873 fakev3=1;
1874
1875 rc=keyidlist(users,&desc,&numdesc,fakev3);
1876 if(rc)
1877 return rc;
1878
1879 count=numdesc;
1880 if(count>0)
1881 {
1882 int i;
1883
1884 /* Try to handle preferred keyserver keys first */
1885 for(i=0;i<numdesc;i++)
1886 {
1887 if(desc[i].skipfncvalue)
1888 {
1889 struct keyserver_spec *keyserver=desc[i].skipfncvalue;
1890
1891 /* We use the keyserver structure we parsed out before.
1892 Note that a preferred keyserver without a scheme://
1893 will be interpreted as hkp:// */
1894
1895 rc=keyserver_work(KS_GET,NULL,&desc[i],1,NULL,NULL,keyserver);
1896 if(rc)
1897 log_info(_("WARNING: unable to refresh key %s"
1898 " via %s: %s\n"),keystr_from_desc(&desc[i]),
1899 keyserver->uri,g10_errstr(rc));
1900 else
1901 {
1902 /* We got it, so mark it as NONE so we don't try and
1903 get it again from the regular keyserver. */
1904
1905 desc[i].mode=KEYDB_SEARCH_MODE_NONE;
1906 count--;
1907 }
1908
1909 free_keyserver_spec(keyserver);
1910 }
1911 }
1912 }
1913
1914 if(count>0)
1915 {
1916 if(opt.keyserver)
1917 {
1918 if(count==1)
1919 log_info(_("refreshing 1 key from %s\n"),opt.keyserver->uri);
1920 else
1921 log_info(_("refreshing %d keys from %s\n"),
1922 count,opt.keyserver->uri);
1923 }
1924
1925 rc=keyserver_work(KS_GET,NULL,desc,numdesc,NULL,NULL,opt.keyserver);
1926 }
1927
1928 xfree(desc);
1929
1930 opt.keyserver_options.import_options=options;
1931
1932 /* If the original options didn't have fast import, and the trustdb
1933 is dirty, rebuild. */
1934 if(!(opt.keyserver_options.import_options&IMPORT_FAST))
1935 trustdb_check_or_update();
1936
1937 return rc;
1938 }
1939
1940 int
1941 keyserver_search(strlist_t tokens)
1942 {
1943 if(tokens)
1944 return keyserver_work(KS_SEARCH,tokens,NULL,0,NULL,NULL,opt.keyserver);
1945 else
1946 return 0;
1947 }
1948
1949 int
1950 keyserver_fetch(strlist_t urilist)
1951 {
1952 KEYDB_SEARCH_DESC desc;
1953 strlist_t sl;
1954 unsigned int options=opt.keyserver_options.import_options;
1955
1956 /* Switch on fast-import, since fetch can handle more than one
1957 import and we don't want each set to rebuild the trustdb.
1958 Instead we do it once at the end. */
1959 opt.keyserver_options.import_options|=IMPORT_FAST;
1960
1961 /* A dummy desc since we're not actually fetching a particular key
1962 ID */
1963 memset(&desc,0,sizeof(desc));
1964 desc.mode=KEYDB_SEARCH_MODE_EXACT;
1965
1966 for(sl=urilist;sl;sl=sl->next)
1967 {
1968 struct keyserver_spec *spec;
1969
1970 spec=parse_keyserver_uri(sl->d,1,NULL,0);
1971 if(spec)
1972 {
1973 int rc;
1974
1975 rc=keyserver_work(KS_GET,NULL,&desc,1,NULL,NULL,spec);
1976 if(rc)
1977 log_info (_("WARNING: unable to fetch URI %s: %s\n"),
1978 sl->d,g10_errstr(rc));
1979
1980 free_keyserver_spec(spec);
1981 }
1982 else
1983 log_info (_("WARNING: unable to parse URI %s\n"),sl->d);
1984 }
1985
1986 opt.keyserver_options.import_options=options;
1987
1988 /* If the original options didn't have fast import, and the trustdb
1989 is dirty, rebuild. */
1990 if(!(opt.keyserver_options.import_options&IMPORT_FAST))
1991 trustdb_check_or_update();
1992
1993 return 0;
1994 }
1995
1996 /* Import key in a CERT or pointed to by a CERT */
1997 int
1998 keyserver_import_cert(const char *name,unsigned char **fpr,size_t *fpr_len)
1999 {
2000 char *domain,*look,*url;
2001 IOBUF key;
2002 int type,rc=G10ERR_GENERAL;
2003
2004 look=xstrdup(name);
2005
2006 domain=strrchr(look,'@');
2007 if(domain)
2008 *domain='.';
2009
2010 type=get_dns_cert(look,max_cert_size,&key,fpr,fpr_len,&url);
2011 if (!type || type == -1)
2012 {
2013 /* There might be an error in res_query which leads to an error
2014 return (-1) in the case that nothing was found. Thus we take
2015 all errors as key not found. */
2016 rc = G10ERR_NO_PUBKEY;
2017 }
2018 else if (type==1)
2019 {
2020 int armor_status=opt.no_armor;
2021
2022 /* CERTs are always in binary format */
2023 opt.no_armor=1;
2024
2025 rc=import_keys_stream(key,NULL,fpr,fpr_len,
2026 opt.keyserver_options.import_options);
2027
2028 opt.no_armor=armor_status;
2029
2030 iobuf_close(key);
2031 }
2032 else if(type==2 && *fpr)
2033 {
2034 /* We only consider the IPGP type if a fingerprint was provided.
2035 This lets us select the right key regardless of what a URL
2036 points to, or get the key from a keyserver. */
2037 if(url)
2038 {
2039 struct keyserver_spec *spec;
2040
2041 spec=parse_keyserver_uri(url,1,NULL,0);
2042 if(spec)
2043 {
2044 rc=keyserver_import_fprint(*fpr,*fpr_len,spec);
2045 free_keyserver_spec(spec);
2046 }
2047 }
2048 else if(opt.keyserver)
2049 {
2050 /* If only a fingerprint is provided, try and fetch it from
2051 our --keyserver */
2052
2053 rc=keyserver_import_fprint(*fpr,*fpr_len,opt.keyserver);
2054 }
2055 else
2056 log_info(_("no keyserver known (use option --keyserver)\n"));
2057
2058 /* Give a better string here? "CERT fingerprint for \"%s\"
2059 found, but no keyserver" " known (use option
2060 --keyserver)\n" ? */
2061
2062 xfree(url);
2063 }
2064
2065 xfree(look);
2066
2067 return rc;
2068 }
2069
2070 /* Import key pointed to by a PKA record. Return the requested
2071 fingerprint in fpr. */
2072 int
2073 keyserver_import_pka(const char *name,unsigned char **fpr,size_t *fpr_len)
2074 {
2075 char *uri;
2076 int rc = G10ERR_NO_PUBKEY;
2077
2078 *fpr = xmalloc (20);
2079 *fpr_len = 20;
2080
2081 uri = get_pka_info (name, *fpr);
2082 if (uri && *uri)
2083 {
2084 /* An URI is available. Lookup the key. */
2085 struct keyserver_spec *spec;
2086 spec = parse_keyserver_uri (uri, 1, NULL, 0);
2087 if (spec)
2088 {
2089 rc = keyserver_import_fprint (*fpr, 20, spec);
2090 free_keyserver_spec (spec);
2091 }
2092 xfree (uri);
2093 }
2094
2095 if (rc)
2096 {
2097 xfree(*fpr);
2098 *fpr = NULL;
2099 }
2100
2101 return rc;
2102 }
2103
2104 /* Import all keys that match name */
2105 int
2106 keyserver_import_name(const char *name,unsigned char **fpr,size_t *fpr_len,
2107 struct keyserver_spec *keyserver)
2108 {
2109 strlist_t list=NULL;
2110 int rc;
2111
2112 append_to_strlist(&list,name);
2113
2114 rc=keyserver_work(KS_GETNAME,list,NULL,0,fpr,fpr_len,keyserver);
2115
2116 free_strlist(list);
2117
2118 return rc;
2119 }
2120
2121 /* Use the PGP Universal trick of asking ldap://keys.(maildomain) for
2122 the key. */
2123 int
2124 keyserver_import_ldap(const char *name,unsigned char **fpr,size_t *fpr_len)
2125 {
2126 char *domain;
2127 struct keyserver_spec *keyserver;
2128 strlist_t list=NULL;
2129 int rc;
2130
2131 append_to_strlist(&list,name);
2132
2133 /* Parse out the domain */
2134 domain=strrchr(name,'@');
2135 if(!domain)
2136 return G10ERR_GENERAL;
2137
2138 domain++;
2139
2140 keyserver=xmalloc_clear(sizeof(struct keyserver_spec));
2141
2142 keyserver->scheme=xstrdup("ldap");
2143 keyserver->host=xmalloc(5+strlen(domain)+1);
2144 strcpy(keyserver->host,"keys.");
2145 strcat(keyserver->host,domain);
2146 keyserver->uri=xmalloc(strlen(keyserver->scheme)+
2147 3+strlen(keyserver->host)+1);
2148 strcpy(keyserver->uri,keyserver->scheme);
2149 strcat(keyserver->uri,"://");
2150 strcat(keyserver->uri,keyserver->host);
2151
2152 rc=keyserver_work(KS_GETNAME,list,NULL,0,fpr,fpr_len,keyserver);
2153
2154 free_strlist(list);
2155
2156 free_keyserver_spec(keyserver);
2157
2158 return rc;
2159 }
gnupg svn clone