/src/gnupg/g10/keyserver.c
Line | Count | Source |
1 | | /* keyserver.c - generic keyserver code |
2 | | * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, |
3 | | * 2009, 2011, 2012 Free Software Foundation, Inc. |
4 | | * Copyright (C) 2014 Werner Koch |
5 | | * |
6 | | * This file is part of GnuPG. |
7 | | * |
8 | | * GnuPG is free software; you can redistribute it and/or modify |
9 | | * it under the terms of the GNU General Public License as published by |
10 | | * the Free Software Foundation; either version 3 of the License, or |
11 | | * (at your option) any later version. |
12 | | * |
13 | | * GnuPG is distributed in the hope that it will be useful, |
14 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16 | | * GNU General Public License for more details. |
17 | | * |
18 | | * You should have received a copy of the GNU General Public License |
19 | | * along with this program; if not, see <https://www.gnu.org/licenses/>. |
20 | | */ |
21 | | |
22 | | #include <config.h> |
23 | | #include <ctype.h> |
24 | | #include <stdio.h> |
25 | | #include <string.h> |
26 | | #include <stdlib.h> |
27 | | #include <errno.h> |
28 | | |
29 | | #include "gpg.h" |
30 | | #include "../common/iobuf.h" |
31 | | #include "filter.h" |
32 | | #include "keydb.h" |
33 | | #include "../common/status.h" |
34 | | #include "main.h" |
35 | | #include "../common/i18n.h" |
36 | | #include "../common/ttyio.h" |
37 | | #include "options.h" |
38 | | #include "packet.h" |
39 | | #include "trustdb.h" |
40 | | #include "keyserver-internal.h" |
41 | | #include "../common/util.h" |
42 | | #include "../common/membuf.h" |
43 | | #include "../common/mbox-util.h" |
44 | | #include "call-dirmngr.h" |
45 | | |
46 | | #ifdef HAVE_W32_SYSTEM |
47 | | /* It seems Vista doesn't grok X_OK and so fails access() tests. |
48 | | Previous versions interpreted X_OK as F_OK anyway, so we'll just |
49 | | use F_OK directly. */ |
50 | | #undef X_OK |
51 | | #define X_OK F_OK |
52 | | #endif /* HAVE_W32_SYSTEM */ |
53 | | |
54 | | struct keyrec |
55 | | { |
56 | | KEYDB_SEARCH_DESC desc; |
57 | | u32 createtime,expiretime; |
58 | | int size,flags; |
59 | | byte type; |
60 | | IOBUF uidbuf; |
61 | | unsigned int lines; |
62 | | }; |
63 | | |
64 | | /* Parameters for the search line handler. */ |
65 | | struct search_line_handler_parm_s |
66 | | { |
67 | | ctrl_t ctrl; /* The session control structure. */ |
68 | | char *searchstr_disp; /* Native encoded search string or NULL. */ |
69 | | KEYDB_SEARCH_DESC *desc; /* Array with search descriptions. */ |
70 | | int count; /* Number of keys we are currently prepared to |
71 | | handle. This is the size of the DESC array. If |
72 | | it is too small, it will grow safely. */ |
73 | | int validcount; /* Enable the "Key x-y of z" messages. */ |
74 | | int nkeys; /* Number of processed records. */ |
75 | | int any_lines; /* At least one line has been processed. */ |
76 | | unsigned int numlines; /* Counter for displayed lines. */ |
77 | | int eof_seen; /* EOF encountered. */ |
78 | | int not_found; /* Set if no keys have been found. */ |
79 | | }; |
80 | | |
81 | | |
82 | | enum ks_action {KS_UNKNOWN=0,KS_GET,KS_GETNAME,KS_SEND,KS_SEARCH}; |
83 | | |
84 | | static struct parse_options keyserver_opts[]= |
85 | | { |
86 | | /* some of these options are not real - just for the help |
87 | | message */ |
88 | | {"max-cert-size",0,NULL,NULL}, /* MUST be the first in this array! */ |
89 | | {"http-proxy", KEYSERVER_HTTP_PROXY, NULL, /* MUST be the second! */ |
90 | | N_("override proxy options set for dirmngr")}, |
91 | | |
92 | | {"include-revoked",0,NULL,N_("include revoked keys in search results")}, |
93 | | {"include-subkeys",0,NULL,N_("include subkeys when searching by key ID")}, |
94 | | {"timeout", KEYSERVER_TIMEOUT, NULL, |
95 | | N_("override timeout options set for dirmngr")}, |
96 | | {"refresh-add-fake-v3-keyids",KEYSERVER_ADD_FAKE_V3,NULL, |
97 | | NULL}, |
98 | | {"auto-key-retrieve",KEYSERVER_AUTO_KEY_RETRIEVE,NULL, |
99 | | N_("automatically retrieve keys when verifying signatures")}, |
100 | | {"honor-keyserver-url",KEYSERVER_HONOR_KEYSERVER_URL,NULL, |
101 | | N_("honor the preferred keyserver URL set on the key")}, |
102 | | {"update-before-send", KEYSERVER_UPDATE_BEFORE_SEND,NULL, |
103 | | N_("update a key before sending it")}, |
104 | | {NULL,0,NULL,NULL} |
105 | | }; |
106 | | |
107 | | static gpg_error_t keyserver_get (ctrl_t ctrl, |
108 | | KEYDB_SEARCH_DESC *desc, int ndesc, |
109 | | struct keyserver_spec *override_keyserver, |
110 | | unsigned int flags, |
111 | | unsigned char **r_fpr, size_t *r_fprlen); |
112 | | static gpg_error_t keyserver_put (ctrl_t ctrl, strlist_t keyspecs, |
113 | | int assume_new_key); |
114 | | |
115 | | |
116 | | /* Reasonable guess. The commonly used test key simon.josefsson.org |
117 | | is larger than 32k, thus we need at least this value. */ |
118 | 0 | #define DEFAULT_MAX_CERT_SIZE 65536 |
119 | | |
120 | | static size_t max_cert_size=DEFAULT_MAX_CERT_SIZE; |
121 | | |
122 | | |
123 | | static void |
124 | | warn_kshelper_option(char *option, int noisy) |
125 | 0 | { |
126 | 0 | char *p; |
127 | |
|
128 | 0 | if ((p=strchr (option, '='))) |
129 | 0 | *p = 0; |
130 | |
|
131 | 0 | if (!strcmp (option, "ca-cert-file")) |
132 | 0 | log_info ("keyserver option '%s' is obsolete; please use " |
133 | 0 | "'%s' in dirmngr.conf\n", |
134 | 0 | "ca-cert-file", "hkp-cacert"); |
135 | 0 | else if (!strcmp (option, "check-cert") |
136 | 0 | || !strcmp (option, "broken-http-proxy")) |
137 | 0 | log_info ("keyserver option '%s' is obsolete\n", option); |
138 | 0 | else if (noisy || opt.verbose) |
139 | 0 | log_info ("keyserver option '%s' is unknown\n", option); |
140 | 0 | } |
141 | | |
142 | | |
143 | | /* Called from main to parse the args for --keyserver-options. */ |
144 | | int |
145 | | parse_keyserver_options(char *options) |
146 | 0 | { |
147 | 0 | int ret=1; |
148 | 0 | char *tok; |
149 | 0 | char *max_cert=NULL; |
150 | |
|
151 | 0 | keyserver_opts[0].value=&max_cert; |
152 | 0 | keyserver_opts[1].value=&opt.keyserver_options.http_proxy; |
153 | |
|
154 | 0 | while((tok=optsep(&options))) |
155 | 0 | { |
156 | 0 | if(tok[0]=='\0') |
157 | 0 | continue; |
158 | | |
159 | | /* We accept quite a few possible options here - some options to |
160 | | handle specially, the keyserver_options list, and import and |
161 | | export options that pertain to keyserver operations. */ |
162 | | |
163 | 0 | if (!parse_options (tok,&opt.keyserver_options.options, keyserver_opts,0) |
164 | 0 | && !parse_import_options(tok,&opt.keyserver_options.import_options,0) |
165 | 0 | && !parse_export_options(tok,&opt.keyserver_options.export_options,0)) |
166 | 0 | { |
167 | | /* All of the standard options have failed, so the option was |
168 | | destined for a keyserver plugin as used by GnuPG < 2.1 */ |
169 | 0 | warn_kshelper_option (tok, 1); |
170 | 0 | } |
171 | 0 | } |
172 | |
|
173 | 0 | if(max_cert) |
174 | 0 | { |
175 | 0 | max_cert_size=strtoul(max_cert,(char **)NULL,10); |
176 | |
|
177 | 0 | if(max_cert_size==0) |
178 | 0 | max_cert_size=DEFAULT_MAX_CERT_SIZE; |
179 | 0 | } |
180 | |
|
181 | 0 | return ret; |
182 | 0 | } |
183 | | |
184 | | |
185 | | void |
186 | | free_keyserver_spec(struct keyserver_spec *keyserver) |
187 | 0 | { |
188 | 0 | xfree(keyserver->uri); |
189 | 0 | xfree(keyserver); |
190 | 0 | } |
191 | | |
192 | | /* Return 0 for match */ |
193 | | static int |
194 | | cmp_keyserver_spec(struct keyserver_spec *one, struct keyserver_spec *two) |
195 | 0 | { |
196 | 0 | return !!ascii_strcasecmp(one->uri, two->uri); |
197 | 0 | } |
198 | | |
199 | | |
200 | | /* Try and match one of our keyservers. If we can, return that. If |
201 | | we can't, return our input. */ |
202 | | struct keyserver_spec * |
203 | | keyserver_match(struct keyserver_spec *spec) |
204 | 0 | { |
205 | 0 | struct keyserver_spec *ks; |
206 | |
|
207 | 0 | for(ks=opt.keyserver;ks;ks=ks->next) |
208 | 0 | if(cmp_keyserver_spec(spec,ks)==0) |
209 | 0 | return ks; |
210 | | |
211 | 0 | return spec; |
212 | 0 | } |
213 | | |
214 | | |
215 | | /* Create a new keyserver object from STRING. Unless REQUIRE_SCHEME |
216 | | * is set a missing scheme is replaced by "hkp://". The data structure |
217 | | * could be much easier but in the past we parsed the URI here for the |
218 | | * old 2.0 keyserver helpers - which is not anymore needed. */ |
219 | | keyserver_spec_t |
220 | | parse_keyserver_uri (const char *string, int require_scheme) |
221 | 0 | { |
222 | 0 | struct keyserver_spec *keyserver; |
223 | 0 | const char *idx; |
224 | 0 | int count; |
225 | |
|
226 | 0 | log_assert (string); |
227 | | |
228 | 0 | keyserver = xcalloc (1, sizeof *keyserver); |
229 | | |
230 | | /* Get the scheme */ |
231 | 0 | for(idx=string, count=0; *idx && *idx!=':';idx++) |
232 | 0 | { |
233 | 0 | count++; |
234 | | |
235 | | /* Do we see the start of an RFC-2732 ipv6 address here? If so, |
236 | | there clearly isn't a scheme so get out early. */ |
237 | 0 | if(*idx=='[') |
238 | 0 | { |
239 | | /* Was the '[' the first thing in the string? If not, we |
240 | | have a mangled scheme with a [ in it so fail. */ |
241 | 0 | if(count==1) |
242 | 0 | break; |
243 | 0 | else |
244 | 0 | goto fail; |
245 | 0 | } |
246 | 0 | } |
247 | | |
248 | 0 | if(count==0) |
249 | 0 | goto fail; |
250 | | |
251 | 0 | if(*idx=='\0' || *idx=='[') |
252 | 0 | { |
253 | 0 | if(require_scheme) |
254 | 0 | goto fail; |
255 | | |
256 | | /* Assume HKP if there is no scheme */ |
257 | 0 | keyserver->uri = xstrconcat ("hkp://", string, NULL); |
258 | 0 | } |
259 | 0 | else |
260 | 0 | { |
261 | 0 | keyserver->uri = xstrdup (string); |
262 | 0 | } |
263 | | |
264 | 0 | return keyserver; |
265 | | |
266 | 0 | fail: |
267 | 0 | free_keyserver_spec(keyserver); |
268 | 0 | return NULL; |
269 | 0 | } |
270 | | |
271 | | |
272 | | struct keyserver_spec * |
273 | | parse_preferred_keyserver(PKT_signature *sig) |
274 | 0 | { |
275 | 0 | struct keyserver_spec *spec=NULL; |
276 | 0 | const byte *p; |
277 | 0 | size_t plen; |
278 | |
|
279 | 0 | p = parse_sig_subpkt (sig, 1, SIGSUBPKT_PREF_KS, &plen); |
280 | 0 | if(p && plen) |
281 | 0 | { |
282 | 0 | byte *dupe=xmalloc(plen+1); |
283 | |
|
284 | 0 | memcpy(dupe,p,plen); |
285 | 0 | dupe[plen]='\0'; |
286 | 0 | spec = parse_keyserver_uri (dupe, 1); |
287 | 0 | xfree(dupe); |
288 | 0 | } |
289 | |
|
290 | 0 | return spec; |
291 | 0 | } |
292 | | |
293 | | static void |
294 | | print_keyrec (ctrl_t ctrl, int number,struct keyrec *keyrec) |
295 | 0 | { |
296 | |
|
297 | 0 | iobuf_writebyte(keyrec->uidbuf,0); |
298 | 0 | iobuf_flush_temp(keyrec->uidbuf); |
299 | 0 | es_printf ("(%d)\t%s ", number, iobuf_get_temp_buffer (keyrec->uidbuf)); |
300 | |
|
301 | 0 | if (keyrec->size>0) |
302 | 0 | es_printf ("%d bit ", keyrec->size); |
303 | |
|
304 | 0 | if(keyrec->type) |
305 | 0 | { |
306 | 0 | const char *str; |
307 | |
|
308 | 0 | str = openpgp_pk_algo_name (keyrec->type); |
309 | |
|
310 | 0 | if (str && strcmp (str, "?")) |
311 | 0 | es_printf ("%s ",str); |
312 | 0 | else |
313 | 0 | es_printf ("unknown "); |
314 | 0 | } |
315 | |
|
316 | 0 | switch(keyrec->desc.mode) |
317 | 0 | { |
318 | | /* If the keyserver helper gave us a short keyid, we have no |
319 | | choice but to use it. Do check --keyid-format to add a 0x if |
320 | | needed. */ |
321 | 0 | case KEYDB_SEARCH_MODE_SHORT_KID: |
322 | 0 | es_printf ("key %s%08lX", |
323 | 0 | (opt.keyid_format==KF_0xSHORT |
324 | 0 | || opt.keyid_format==KF_0xLONG)?"0x":"", |
325 | 0 | (ulong)keyrec->desc.u.kid[1]); |
326 | 0 | break; |
327 | | |
328 | | /* However, if it gave us a long keyid, we can honor |
329 | | --keyid-format via keystr(). */ |
330 | 0 | case KEYDB_SEARCH_MODE_LONG_KID: |
331 | 0 | es_printf ("key %s",keystr(keyrec->desc.u.kid)); |
332 | 0 | break; |
333 | | |
334 | 0 | case KEYDB_SEARCH_MODE_FPR: |
335 | 0 | { |
336 | 0 | u32 kid[2]; |
337 | 0 | keyid_from_fingerprint (ctrl, keyrec->desc.u.fpr, keyrec->desc.fprlen, |
338 | 0 | kid); |
339 | 0 | es_printf("key %s",keystr(kid)); |
340 | 0 | } |
341 | 0 | break; |
342 | | |
343 | 0 | default: |
344 | 0 | BUG(); |
345 | 0 | break; |
346 | 0 | } |
347 | | |
348 | 0 | if(keyrec->createtime>0) |
349 | 0 | { |
350 | 0 | es_printf (", "); |
351 | 0 | es_printf (_("created: %s"), strtimestamp(keyrec->createtime)); |
352 | 0 | } |
353 | |
|
354 | 0 | if(keyrec->expiretime>0) |
355 | 0 | { |
356 | 0 | es_printf (", "); |
357 | 0 | es_printf (_("expires: %s"), strtimestamp(keyrec->expiretime)); |
358 | 0 | } |
359 | |
|
360 | 0 | if (keyrec->flags&1) |
361 | 0 | es_printf (" (%s)", _("revoked")); |
362 | 0 | if(keyrec->flags&2) |
363 | 0 | es_printf (" (%s)", _("disabled")); |
364 | 0 | if(keyrec->flags&4) |
365 | 0 | es_printf (" (%s)", _("expired")); |
366 | |
|
367 | 0 | es_printf ("\n"); |
368 | 0 | } |
369 | | |
370 | | /* Returns a keyrec (which must be freed) once a key is complete, and |
371 | | NULL otherwise. Call with a NULL keystring once key parsing is |
372 | | complete to return any unfinished keys. */ |
373 | | static struct keyrec * |
374 | | parse_keyrec(char *keystring) |
375 | 0 | { |
376 | | /* FIXME: Remove the static and put the data into the parms we use |
377 | | for the caller anyway. */ |
378 | 0 | static struct keyrec *work=NULL; |
379 | 0 | struct keyrec *ret=NULL; |
380 | 0 | char *record; |
381 | 0 | int i; |
382 | |
|
383 | 0 | if(keystring==NULL) |
384 | 0 | { |
385 | 0 | if(work==NULL) |
386 | 0 | return NULL; |
387 | 0 | else if(work->desc.mode==KEYDB_SEARCH_MODE_NONE) |
388 | 0 | { |
389 | 0 | xfree(work); |
390 | 0 | return NULL; |
391 | 0 | } |
392 | 0 | else |
393 | 0 | { |
394 | 0 | ret=work; |
395 | 0 | work=NULL; |
396 | 0 | return ret; |
397 | 0 | } |
398 | 0 | } |
399 | | |
400 | 0 | if(work==NULL) |
401 | 0 | { |
402 | 0 | work=xmalloc_clear(sizeof(struct keyrec)); |
403 | 0 | work->uidbuf=iobuf_temp(); |
404 | 0 | } |
405 | |
|
406 | 0 | trim_trailing_ws (keystring, strlen (keystring)); |
407 | |
|
408 | 0 | if((record=strsep(&keystring,":"))==NULL) |
409 | 0 | return ret; |
410 | | |
411 | 0 | if(ascii_strcasecmp("pub",record)==0) |
412 | 0 | { |
413 | 0 | char *tok; |
414 | 0 | gpg_error_t err; |
415 | |
|
416 | 0 | if(work->desc.mode) |
417 | 0 | { |
418 | 0 | ret=work; |
419 | 0 | work=xmalloc_clear(sizeof(struct keyrec)); |
420 | 0 | work->uidbuf=iobuf_temp(); |
421 | 0 | } |
422 | |
|
423 | 0 | if((tok=strsep(&keystring,":"))==NULL) |
424 | 0 | return ret; |
425 | | |
426 | 0 | err = classify_user_id (tok, &work->desc, 1); |
427 | 0 | if (err || (work->desc.mode != KEYDB_SEARCH_MODE_SHORT_KID |
428 | 0 | && work->desc.mode != KEYDB_SEARCH_MODE_LONG_KID |
429 | 0 | && work->desc.mode != KEYDB_SEARCH_MODE_FPR)) |
430 | 0 | { |
431 | 0 | work->desc.mode=KEYDB_SEARCH_MODE_NONE; |
432 | 0 | return ret; |
433 | 0 | } |
434 | | |
435 | | /* Note all items after this are optional. This allows us to |
436 | | have a pub line as simple as pub:keyid and nothing else. */ |
437 | | |
438 | 0 | work->lines++; |
439 | |
|
440 | 0 | if((tok=strsep(&keystring,":"))==NULL) |
441 | 0 | return ret; |
442 | | |
443 | 0 | work->type=atoi(tok); |
444 | |
|
445 | 0 | if((tok=strsep(&keystring,":"))==NULL) |
446 | 0 | return ret; |
447 | | |
448 | 0 | work->size=atoi(tok); |
449 | |
|
450 | 0 | if((tok=strsep(&keystring,":"))==NULL) |
451 | 0 | return ret; |
452 | | |
453 | 0 | if(atoi(tok)<=0) |
454 | 0 | work->createtime=0; |
455 | 0 | else |
456 | 0 | work->createtime=atoi(tok); |
457 | |
|
458 | 0 | if((tok=strsep(&keystring,":"))==NULL) |
459 | 0 | return ret; |
460 | | |
461 | 0 | if(atoi(tok)<=0) |
462 | 0 | work->expiretime=0; |
463 | 0 | else |
464 | 0 | { |
465 | 0 | work->expiretime=atoi(tok); |
466 | | /* Force the 'e' flag on if this key is expired. */ |
467 | 0 | if(work->expiretime<=make_timestamp()) |
468 | 0 | work->flags|=4; |
469 | 0 | } |
470 | |
|
471 | 0 | if((tok=strsep(&keystring,":"))==NULL) |
472 | 0 | return ret; |
473 | | |
474 | 0 | while(*tok) |
475 | 0 | switch(*tok++) |
476 | 0 | { |
477 | 0 | case 'r': |
478 | 0 | case 'R': |
479 | 0 | work->flags|=1; |
480 | 0 | break; |
481 | | |
482 | 0 | case 'd': |
483 | 0 | case 'D': |
484 | 0 | work->flags|=2; |
485 | 0 | break; |
486 | | |
487 | 0 | case 'e': |
488 | 0 | case 'E': |
489 | 0 | work->flags|=4; |
490 | 0 | break; |
491 | 0 | } |
492 | 0 | } |
493 | 0 | else if(ascii_strcasecmp("uid",record)==0 && work->desc.mode) |
494 | 0 | { |
495 | 0 | char *userid,*tok,*decoded; |
496 | |
|
497 | 0 | if((tok=strsep(&keystring,":"))==NULL) |
498 | 0 | return ret; |
499 | | |
500 | 0 | if(strlen(tok)==0) |
501 | 0 | return ret; |
502 | | |
503 | 0 | userid=tok; |
504 | | |
505 | | /* By definition, de-%-encoding is always smaller than the |
506 | | original string so we can decode in place. */ |
507 | |
|
508 | 0 | i=0; |
509 | |
|
510 | 0 | while(*tok) |
511 | 0 | if(tok[0]=='%' && tok[1] && tok[2]) |
512 | 0 | { |
513 | 0 | int c; |
514 | |
|
515 | 0 | userid[i] = (c=hextobyte(&tok[1])) == -1 ? '?' : c; |
516 | 0 | i++; |
517 | 0 | tok+=3; |
518 | 0 | } |
519 | 0 | else |
520 | 0 | userid[i++]=*tok++; |
521 | | |
522 | | /* We don't care about the other info provided in the uid: line |
523 | | since no keyserver supports marking userids with timestamps |
524 | | or revoked/expired/disabled yet. */ |
525 | | |
526 | | /* No need to check for control characters, as utf8_to_native |
527 | | does this for us. */ |
528 | |
|
529 | 0 | decoded=utf8_to_native(userid,i,0); |
530 | 0 | if(strlen(decoded)>opt.screen_columns-10) |
531 | 0 | decoded[opt.screen_columns-10]='\0'; |
532 | 0 | iobuf_writestr(work->uidbuf,decoded); |
533 | 0 | xfree(decoded); |
534 | 0 | iobuf_writestr(work->uidbuf,"\n\t"); |
535 | 0 | work->lines++; |
536 | 0 | } |
537 | | |
538 | | /* Ignore any records other than "pri" and "uid" for easy future |
539 | | growth. */ |
540 | | |
541 | 0 | return ret; |
542 | 0 | } |
543 | | |
544 | | /* Show a prompt and allow the user to select keys for retrieval. */ |
545 | | static gpg_error_t |
546 | | show_prompt (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int numdesc, |
547 | | int count, const char *search) |
548 | 0 | { |
549 | 0 | gpg_error_t err; |
550 | 0 | char *answer = NULL; |
551 | |
|
552 | 0 | es_fflush (es_stdout); |
553 | |
|
554 | 0 | if (count && opt.command_fd == -1) |
555 | 0 | { |
556 | 0 | static int from = 1; |
557 | 0 | tty_printf ("Keys %d-%d of %d for \"%s\". ", |
558 | 0 | from, numdesc, count, search); |
559 | 0 | from = numdesc + 1; |
560 | 0 | } |
561 | |
|
562 | 0 | again: |
563 | 0 | err = 0; |
564 | 0 | xfree (answer); |
565 | 0 | answer = cpr_get_no_help ("keysearch.prompt", |
566 | 0 | _("Enter number(s), N)ext, or Q)uit > ")); |
567 | | /* control-d */ |
568 | 0 | if (answer[0]=='\x04') |
569 | 0 | { |
570 | 0 | tty_printf ("Q\n"); |
571 | 0 | answer[0] = 'q'; |
572 | 0 | } |
573 | |
|
574 | 0 | if (answer[0]=='q' || answer[0]=='Q') |
575 | 0 | err = gpg_error (GPG_ERR_CANCELED); |
576 | 0 | else if (atoi (answer) >= 1 && atoi (answer) <= numdesc) |
577 | 0 | { |
578 | 0 | char *split = answer; |
579 | 0 | char *num; |
580 | 0 | int numarray[50]; |
581 | 0 | int numidx = 0; |
582 | 0 | int idx; |
583 | |
|
584 | 0 | while ((num = strsep (&split, " ,"))) |
585 | 0 | if (atoi (num) >= 1 && atoi (num) <= numdesc) |
586 | 0 | { |
587 | 0 | if (numidx >= DIM (numarray)) |
588 | 0 | { |
589 | 0 | tty_printf ("Too many keys selected\n"); |
590 | 0 | goto again; |
591 | 0 | } |
592 | 0 | numarray[numidx++] = atoi (num); |
593 | 0 | } |
594 | | |
595 | 0 | if (!numidx) |
596 | 0 | goto again; |
597 | | |
598 | 0 | { |
599 | 0 | KEYDB_SEARCH_DESC *selarray; |
600 | |
|
601 | 0 | selarray = xtrymalloc (numidx * sizeof *selarray); |
602 | 0 | if (!selarray) |
603 | 0 | { |
604 | 0 | err = gpg_error_from_syserror (); |
605 | 0 | goto leave; |
606 | 0 | } |
607 | 0 | for (idx = 0; idx < numidx; idx++) |
608 | 0 | selarray[idx] = desc[numarray[idx]-1]; |
609 | 0 | err = keyserver_get (ctrl, selarray, numidx, NULL, 0, NULL, NULL); |
610 | 0 | xfree (selarray); |
611 | 0 | } |
612 | 0 | } |
613 | | |
614 | 0 | leave: |
615 | 0 | xfree (answer); |
616 | 0 | return err; |
617 | 0 | } |
618 | | |
619 | | |
620 | | /* This is a callback used by call-dirmngr.c to process the result of |
621 | | KS_SEARCH command. If SPECIAL is 0, LINE is the actual data line |
622 | | received with all escaping removed and guaranteed to be exactly one |
623 | | line with stripped LF; an EOF is indicated by LINE passed as NULL. |
624 | | If special is 1, the line contains the source of the information |
625 | | (usually an URL). LINE may be modified after return. */ |
626 | | static gpg_error_t |
627 | | search_line_handler (void *opaque, int special, char *line) |
628 | 0 | { |
629 | 0 | struct search_line_handler_parm_s *parm = opaque; |
630 | 0 | gpg_error_t err = 0; |
631 | 0 | struct keyrec *keyrec; |
632 | |
|
633 | 0 | if (special == 1) |
634 | 0 | { |
635 | 0 | log_info ("data source: %s\n", line); |
636 | 0 | return 0; |
637 | 0 | } |
638 | 0 | else if (special) |
639 | 0 | { |
640 | 0 | log_debug ("unknown value %d for special search callback", special); |
641 | 0 | return 0; |
642 | 0 | } |
643 | | |
644 | 0 | if (parm->eof_seen && line) |
645 | 0 | { |
646 | 0 | log_debug ("ooops: unexpected data after EOF\n"); |
647 | 0 | line = NULL; |
648 | 0 | } |
649 | | |
650 | | /* Print the received line. */ |
651 | 0 | if (opt.with_colons && line) |
652 | 0 | { |
653 | 0 | es_printf ("%s\n", line); |
654 | 0 | } |
655 | | |
656 | | /* Look for an info: line. The only current info: values defined |
657 | | are the version and key count. */ |
658 | 0 | if (line && !parm->any_lines && !ascii_strncasecmp ("info:", line, 5)) |
659 | 0 | { |
660 | 0 | char *str = line + 5; |
661 | 0 | char *tok; |
662 | |
|
663 | 0 | if ((tok = strsep (&str, ":"))) |
664 | 0 | { |
665 | 0 | int version; |
666 | |
|
667 | 0 | if (sscanf (tok, "%d", &version) !=1 ) |
668 | 0 | version = 1; |
669 | |
|
670 | 0 | if (version !=1 ) |
671 | 0 | { |
672 | 0 | log_error (_("invalid keyserver protocol " |
673 | 0 | "(us %d!=handler %d)\n"), 1, version); |
674 | 0 | return gpg_error (GPG_ERR_UNSUPPORTED_PROTOCOL); |
675 | 0 | } |
676 | 0 | } |
677 | | |
678 | 0 | if ((tok = strsep (&str, ":")) |
679 | 0 | && sscanf (tok, "%d", &parm->count) == 1) |
680 | 0 | { |
681 | 0 | if (!parm->count) |
682 | 0 | parm->not_found = 1;/* Server indicated that no items follow. */ |
683 | 0 | else if (parm->count < 0) |
684 | 0 | parm->count = 10; /* Bad value - assume something reasonable. */ |
685 | 0 | else |
686 | 0 | parm->validcount = 1; /* COUNT seems to be okay. */ |
687 | 0 | } |
688 | |
|
689 | 0 | parm->any_lines = 1; |
690 | 0 | return 0; /* Line processing finished. */ |
691 | 0 | } |
692 | | |
693 | 0 | again: |
694 | 0 | if (line) |
695 | 0 | keyrec = parse_keyrec (line); |
696 | 0 | else |
697 | 0 | { |
698 | | /* Received EOF - flush data */ |
699 | 0 | parm->eof_seen = 1; |
700 | 0 | keyrec = parse_keyrec (NULL); |
701 | 0 | if (!keyrec) |
702 | 0 | { |
703 | 0 | if (!parm->nkeys) |
704 | 0 | parm->not_found = 1; /* No keys at all. */ |
705 | 0 | else |
706 | 0 | { |
707 | 0 | if (parm->nkeys != parm->count) |
708 | 0 | parm->validcount = 0; |
709 | |
|
710 | 0 | if (!(opt.with_colons && opt.batch)) |
711 | 0 | { |
712 | 0 | err = show_prompt (parm->ctrl, parm->desc, parm->nkeys, |
713 | 0 | parm->validcount? parm->count : 0, |
714 | 0 | parm->searchstr_disp); |
715 | 0 | return err; |
716 | 0 | } |
717 | 0 | } |
718 | 0 | } |
719 | 0 | } |
720 | | |
721 | | /* Save the key in the key array. */ |
722 | 0 | if (keyrec) |
723 | 0 | { |
724 | | /* Allocate or enlarge the key array if needed. */ |
725 | 0 | if (!parm->desc) |
726 | 0 | { |
727 | 0 | if (parm->count < 1) |
728 | 0 | { |
729 | 0 | parm->count = 10; |
730 | 0 | parm->validcount = 0; |
731 | 0 | } |
732 | 0 | parm->desc = xtrymalloc (parm->count * sizeof *parm->desc); |
733 | 0 | if (!parm->desc) |
734 | 0 | { |
735 | 0 | err = gpg_error_from_syserror (); |
736 | 0 | iobuf_close (keyrec->uidbuf); |
737 | 0 | xfree (keyrec); |
738 | 0 | return err; |
739 | 0 | } |
740 | 0 | } |
741 | 0 | else if (parm->nkeys == parm->count) |
742 | 0 | { |
743 | | /* Keyserver sent more keys than claimed in the info: line. */ |
744 | 0 | KEYDB_SEARCH_DESC *tmp; |
745 | 0 | int newcount = parm->count + 10; |
746 | |
|
747 | 0 | tmp = xtryrealloc (parm->desc, newcount * sizeof *parm->desc); |
748 | 0 | if (!tmp) |
749 | 0 | { |
750 | 0 | err = gpg_error_from_syserror (); |
751 | 0 | iobuf_close (keyrec->uidbuf); |
752 | 0 | xfree (keyrec); |
753 | 0 | return err; |
754 | 0 | } |
755 | 0 | parm->count = newcount; |
756 | 0 | parm->desc = tmp; |
757 | 0 | parm->validcount = 0; |
758 | 0 | } |
759 | | |
760 | 0 | parm->desc[parm->nkeys] = keyrec->desc; |
761 | |
|
762 | 0 | if (!opt.with_colons) |
763 | 0 | { |
764 | | /* SCREEN_LINES - 1 for the prompt. */ |
765 | 0 | if (parm->numlines + keyrec->lines > opt.screen_lines - 1) |
766 | 0 | { |
767 | 0 | err = show_prompt (parm->ctrl, parm->desc, parm->nkeys, |
768 | 0 | parm->validcount ? parm->count:0, |
769 | 0 | parm->searchstr_disp); |
770 | 0 | if (err) |
771 | 0 | return err; |
772 | 0 | parm->numlines = 0; |
773 | 0 | } |
774 | | |
775 | 0 | print_keyrec (parm->ctrl, parm->nkeys+1, keyrec); |
776 | 0 | } |
777 | | |
778 | 0 | parm->numlines += keyrec->lines; |
779 | 0 | iobuf_close (keyrec->uidbuf); |
780 | 0 | xfree (keyrec); |
781 | |
|
782 | 0 | parm->any_lines = 1; |
783 | 0 | parm->nkeys++; |
784 | | |
785 | | /* If we are here due to a flush after the EOF, run again for |
786 | | the last prompt. Fixme: Make this code better readable. */ |
787 | 0 | if (parm->eof_seen) |
788 | 0 | goto again; |
789 | 0 | } |
790 | | |
791 | 0 | return 0; |
792 | 0 | } |
793 | | |
794 | | |
795 | | |
796 | | /* Send all keys specified by USERS to the configured keyserver. If |
797 | | * ASSUME_NEW_KEY is true the KEYSERVER_UPDATE_BEFORE_SEND option will |
798 | | * be ignored. */ |
799 | | gpg_error_t |
800 | | keyserver_export (ctrl_t ctrl, strlist_t users, int assume_new_key) |
801 | 0 | { |
802 | 0 | gpg_error_t err; |
803 | 0 | strlist_t sl=NULL; |
804 | 0 | KEYDB_SEARCH_DESC desc; |
805 | 0 | int rc=0; |
806 | | |
807 | | /* Weed out descriptors that we don't support sending */ |
808 | 0 | for(;users;users=users->next) |
809 | 0 | { |
810 | 0 | err = classify_user_id (users->d, &desc, 1); |
811 | 0 | if (err || (desc.mode != KEYDB_SEARCH_MODE_SHORT_KID |
812 | 0 | && desc.mode != KEYDB_SEARCH_MODE_LONG_KID |
813 | 0 | && desc.mode != KEYDB_SEARCH_MODE_FPR)) |
814 | 0 | { |
815 | 0 | log_error(_("\"%s\" not a key ID: skipping\n"),users->d); |
816 | 0 | continue; |
817 | 0 | } |
818 | 0 | else |
819 | 0 | append_to_strlist(&sl,users->d); |
820 | 0 | } |
821 | |
|
822 | 0 | if(sl) |
823 | 0 | { |
824 | 0 | rc = keyserver_put (ctrl, sl, assume_new_key); |
825 | 0 | free_strlist(sl); |
826 | 0 | } |
827 | |
|
828 | 0 | return rc; |
829 | 0 | } |
830 | | |
831 | | |
832 | | /* Send the public key specified by PK to the configured keyserver. |
833 | | * If ASSUME_NEW_KEY is true the KEYSERVER_UPDATE_BEFORE_SEND option |
834 | | * will be ignored. */ |
835 | | gpg_error_t |
836 | | keyserver_export_pubkey (ctrl_t ctrl, PKT_public_key *pk, int assume_new_key) |
837 | 0 | { |
838 | 0 | gpg_error_t err; |
839 | 0 | strlist_t keyspec = NULL; |
840 | 0 | char fpr[2*MAX_FINGERPRINT_LEN+1]; |
841 | |
|
842 | 0 | hexfingerprint (pk, fpr, sizeof fpr); |
843 | 0 | add_to_strlist (&keyspec, fpr); |
844 | 0 | err = keyserver_put (ctrl, keyspec, assume_new_key); |
845 | 0 | free_strlist (keyspec); |
846 | |
|
847 | 0 | return err; |
848 | 0 | } |
849 | | |
850 | | |
851 | | |
852 | | |
853 | | /* Structure to convey the arg to keyserver_retrieval_screener. */ |
854 | | struct ks_retrieval_screener_arg_s |
855 | | { |
856 | | KEYDB_SEARCH_DESC *desc; |
857 | | int ndesc; |
858 | | }; |
859 | | |
860 | | |
861 | | /* Check whether a key matches the search description. The function |
862 | | returns 0 if the key shall be imported. */ |
863 | | static gpg_error_t |
864 | | keyserver_retrieval_screener (kbnode_t keyblock, void *opaque) |
865 | 0 | { |
866 | 0 | struct ks_retrieval_screener_arg_s *arg = opaque; |
867 | 0 | KEYDB_SEARCH_DESC *desc = arg->desc; |
868 | 0 | int ndesc = arg->ndesc; |
869 | 0 | kbnode_t node; |
870 | 0 | PKT_public_key *pk; |
871 | 0 | int n; |
872 | 0 | u32 keyid[2]; |
873 | 0 | byte fpr[MAX_FINGERPRINT_LEN]; |
874 | 0 | size_t fpr_len = 0; |
875 | | |
876 | | /* Secret keys are not expected from a keyserver. We do not |
877 | | care about secret subkeys because the import code takes care |
878 | | of skipping them. Not allowing an import of a public key |
879 | | with a secret subkey would make it too easy to inhibit the |
880 | | downloading of a public key. Recall that keyservers do only |
881 | | limited checks. */ |
882 | 0 | node = find_kbnode (keyblock, PKT_SECRET_KEY); |
883 | 0 | if (node) |
884 | 0 | return gpg_error (GPG_ERR_GENERAL); /* Do not import. */ |
885 | | |
886 | 0 | if (!ndesc) |
887 | 0 | return 0; /* Okay if no description given. */ |
888 | | |
889 | | /* Loop over all key packets. */ |
890 | 0 | for (node = keyblock; node; node = node->next) |
891 | 0 | { |
892 | 0 | if (node->pkt->pkttype != PKT_PUBLIC_KEY |
893 | 0 | && node->pkt->pkttype != PKT_PUBLIC_SUBKEY) |
894 | 0 | continue; |
895 | | |
896 | 0 | pk = node->pkt->pkt.public_key; |
897 | 0 | fingerprint_from_pk (pk, fpr, &fpr_len); |
898 | 0 | keyid_from_pk (pk, keyid); |
899 | | |
900 | | /* Compare requested and returned fingerprints if available. */ |
901 | 0 | for (n = 0; n < ndesc; n++) |
902 | 0 | { |
903 | 0 | if (desc[n].mode == KEYDB_SEARCH_MODE_FPR) |
904 | 0 | { |
905 | 0 | if (fpr_len == desc[n].fprlen |
906 | 0 | && !memcmp (fpr, desc[n].u.fpr, desc[n].fprlen)) |
907 | 0 | return 0; |
908 | 0 | } |
909 | 0 | else if (desc[n].mode == KEYDB_SEARCH_MODE_LONG_KID) |
910 | 0 | { |
911 | 0 | if (keyid[0] == desc[n].u.kid[0] && keyid[1] == desc[n].u.kid[1]) |
912 | 0 | return 0; |
913 | 0 | } |
914 | 0 | else if (desc[n].mode == KEYDB_SEARCH_MODE_SHORT_KID) |
915 | 0 | { |
916 | 0 | if (keyid[1] == desc[n].u.kid[1]) |
917 | 0 | return 0; |
918 | 0 | } |
919 | 0 | else /* No keyid or fingerprint - can't check. */ |
920 | 0 | return 0; /* allow import. */ |
921 | 0 | } |
922 | 0 | } |
923 | | |
924 | 0 | return gpg_error (GPG_ERR_GENERAL); |
925 | 0 | } |
926 | | |
927 | | |
928 | | /* Given a list of patterns in USERS, try to import those keys from |
929 | | * the configured keyserver. */ |
930 | | gpg_error_t |
931 | | keyserver_import (ctrl_t ctrl, strlist_t users, unsigned int flags) |
932 | 0 | { |
933 | 0 | gpg_error_t tmperr; |
934 | 0 | gpg_error_t err = 0; |
935 | 0 | KEYDB_SEARCH_DESC *desc; |
936 | 0 | int num=100,count=0; |
937 | | |
938 | | /* Build a list of key ids */ |
939 | 0 | desc = xmalloc (sizeof(KEYDB_SEARCH_DESC)*num); |
940 | |
|
941 | 0 | for(;users;users=users->next) |
942 | 0 | { |
943 | 0 | tmperr = classify_user_id (users->d, &desc[count], 1); |
944 | 0 | if (!tmperr && (flags & KEYSERVER_IMPORT_FLAG_ONLYFPR) |
945 | 0 | && desc[count].mode != KEYDB_SEARCH_MODE_FPR) |
946 | 0 | { |
947 | 0 | log_info (_("\"%s\" not a fingerprint: skipping\n"), users->d); |
948 | 0 | continue; |
949 | 0 | } |
950 | 0 | if (tmperr || (desc[count].mode != KEYDB_SEARCH_MODE_SHORT_KID |
951 | 0 | && desc[count].mode != KEYDB_SEARCH_MODE_LONG_KID |
952 | 0 | && desc[count].mode != KEYDB_SEARCH_MODE_FPR)) |
953 | 0 | { |
954 | 0 | log_error (_("\"%s\" not a key ID: skipping\n"), users->d); |
955 | 0 | continue; |
956 | 0 | } |
957 | | |
958 | 0 | count++; |
959 | 0 | if(count==num) |
960 | 0 | { |
961 | 0 | num+=100; |
962 | 0 | desc=xrealloc(desc,sizeof(KEYDB_SEARCH_DESC)*num); |
963 | 0 | } |
964 | 0 | } |
965 | |
|
966 | 0 | if (count > 0) |
967 | 0 | err = keyserver_get (ctrl, desc, count, NULL, flags, NULL, NULL); |
968 | |
|
969 | 0 | xfree (desc); |
970 | |
|
971 | 0 | return err; |
972 | 0 | } |
973 | | |
974 | | |
975 | | /* Return true if any keyserver has been configured. */ |
976 | | int |
977 | | keyserver_any_configured (ctrl_t ctrl) |
978 | 0 | { |
979 | 0 | return !gpg_dirmngr_ks_list (ctrl, NULL); |
980 | 0 | } |
981 | | |
982 | | |
983 | | /* Import all keys that exactly match MBOX */ |
984 | | gpg_error_t |
985 | | keyserver_import_mbox (ctrl_t ctrl, const char *mbox, |
986 | | unsigned char **fpr, size_t *fprlen, |
987 | | struct keyserver_spec *keyserver, unsigned int flags) |
988 | 0 | { |
989 | 0 | KEYDB_SEARCH_DESC desc = { 0 }; |
990 | |
|
991 | 0 | desc.mode = KEYDB_SEARCH_MODE_MAIL; |
992 | 0 | desc.u.name = mbox; |
993 | |
|
994 | 0 | return keyserver_get (ctrl, &desc, 1, keyserver, flags, fpr, fprlen); |
995 | 0 | } |
996 | | |
997 | | |
998 | | /* Import the keys that match exactly MBOX */ |
999 | | int |
1000 | | keyserver_import_ntds (ctrl_t ctrl, const char *mbox, |
1001 | | unsigned char **fpr, size_t *fprlen) |
1002 | 0 | { |
1003 | 0 | KEYDB_SEARCH_DESC desc = { 0 }; |
1004 | 0 | struct keyserver_spec keyserver = { NULL, "ldap:///" }; |
1005 | |
|
1006 | 0 | desc.mode = KEYDB_SEARCH_MODE_MAIL; |
1007 | 0 | desc.u.name = mbox; |
1008 | |
|
1009 | 0 | return keyserver_get (ctrl, &desc, 1, &keyserver, 0, fpr, fprlen); |
1010 | 0 | } |
1011 | | |
1012 | | |
1013 | | int |
1014 | | keyserver_import_fpr (ctrl_t ctrl, const byte *fpr, size_t fprlen, |
1015 | | struct keyserver_spec *keyserver, unsigned int flags) |
1016 | 0 | { |
1017 | 0 | KEYDB_SEARCH_DESC desc; |
1018 | |
|
1019 | 0 | memset (&desc, 0, sizeof(desc)); |
1020 | |
|
1021 | 0 | if (fprlen == 16 || fprlen == 20 || fprlen == 32) |
1022 | 0 | desc.mode = KEYDB_SEARCH_MODE_FPR; |
1023 | 0 | else |
1024 | 0 | return gpg_error (GPG_ERR_INV_ARG); |
1025 | | |
1026 | 0 | memcpy (desc.u.fpr, fpr, fprlen); |
1027 | 0 | desc.fprlen = fprlen; |
1028 | |
|
1029 | 0 | return keyserver_get (ctrl, &desc, 1, keyserver, flags, NULL, NULL); |
1030 | 0 | } |
1031 | | |
1032 | | |
1033 | | int |
1034 | | keyserver_import_fpr_ntds (ctrl_t ctrl, const byte *fpr, size_t fprlen) |
1035 | 0 | { |
1036 | 0 | struct keyserver_spec keyserver = { NULL, "ldap:///" }; |
1037 | |
|
1038 | 0 | return keyserver_import_fpr (ctrl, fpr, fprlen, |
1039 | 0 | &keyserver, KEYSERVER_IMPORT_FLAG_LDAP); |
1040 | 0 | } |
1041 | | |
1042 | | |
1043 | | int |
1044 | | keyserver_import_keyid (ctrl_t ctrl, |
1045 | | u32 *keyid,struct keyserver_spec *keyserver, |
1046 | | unsigned int flags) |
1047 | 0 | { |
1048 | 0 | KEYDB_SEARCH_DESC desc; |
1049 | |
|
1050 | 0 | memset(&desc,0,sizeof(desc)); |
1051 | |
|
1052 | 0 | desc.mode=KEYDB_SEARCH_MODE_LONG_KID; |
1053 | 0 | desc.u.kid[0]=keyid[0]; |
1054 | 0 | desc.u.kid[1]=keyid[1]; |
1055 | |
|
1056 | 0 | return keyserver_get (ctrl, &desc, 1, keyserver, flags, NULL, NULL); |
1057 | 0 | } |
1058 | | |
1059 | | |
1060 | | /* code mostly stolen from do_export_stream */ |
1061 | | static int |
1062 | | keyidlist (ctrl_t ctrl, strlist_t users, KEYDB_SEARCH_DESC **klist, |
1063 | | int *count) |
1064 | 0 | { |
1065 | 0 | int rc = 0; |
1066 | 0 | int num = 100; |
1067 | 0 | kbnode_t keyblock = NULL; |
1068 | 0 | kbnode_t node; |
1069 | 0 | KEYDB_HANDLE kdbhd; |
1070 | 0 | int ndesc; |
1071 | 0 | KEYDB_SEARCH_DESC *desc = NULL; |
1072 | 0 | strlist_t sl; |
1073 | |
|
1074 | 0 | *count=0; |
1075 | |
|
1076 | 0 | *klist=xmalloc(sizeof(KEYDB_SEARCH_DESC)*num); |
1077 | |
|
1078 | 0 | kdbhd = keydb_new (ctrl); |
1079 | 0 | if (!kdbhd) |
1080 | 0 | { |
1081 | 0 | rc = gpg_error_from_syserror (); |
1082 | 0 | goto leave; |
1083 | 0 | } |
1084 | 0 | keydb_disable_caching (kdbhd); /* We are looping the search. */ |
1085 | |
|
1086 | 0 | if(!users) |
1087 | 0 | { |
1088 | 0 | ndesc = 1; |
1089 | 0 | desc = xmalloc_clear ( ndesc * sizeof *desc); |
1090 | 0 | desc[0].mode = KEYDB_SEARCH_MODE_FIRST; |
1091 | 0 | } |
1092 | 0 | else |
1093 | 0 | { |
1094 | 0 | for (ndesc=0, sl=users; sl; sl = sl->next, ndesc++) |
1095 | 0 | ; |
1096 | 0 | desc = xmalloc ( ndesc * sizeof *desc); |
1097 | |
|
1098 | 0 | for (ndesc=0, sl=users; sl; sl = sl->next) |
1099 | 0 | { |
1100 | 0 | gpg_error_t err; |
1101 | 0 | if (!(err = classify_user_id (sl->d, desc+ndesc, 1))) |
1102 | 0 | ndesc++; |
1103 | 0 | else |
1104 | 0 | log_error (_("key \"%s\" not found: %s\n"), |
1105 | 0 | sl->d, gpg_strerror (err)); |
1106 | 0 | } |
1107 | 0 | } |
1108 | |
|
1109 | 0 | for (;;) |
1110 | 0 | { |
1111 | 0 | rc = keydb_search (kdbhd, desc, ndesc, NULL); |
1112 | 0 | if (rc) |
1113 | 0 | break; /* ready. */ |
1114 | | |
1115 | 0 | if (!users) |
1116 | 0 | desc[0].mode = KEYDB_SEARCH_MODE_NEXT; |
1117 | | |
1118 | | /* read the keyblock */ |
1119 | 0 | rc = keydb_get_keyblock (kdbhd, &keyblock ); |
1120 | 0 | if( rc ) |
1121 | 0 | { |
1122 | 0 | log_error (_("error reading keyblock: %s\n"), gpg_strerror (rc) ); |
1123 | 0 | goto leave; |
1124 | 0 | } |
1125 | | |
1126 | 0 | if((node=find_kbnode(keyblock,PKT_PUBLIC_KEY))) |
1127 | 0 | { |
1128 | | /* v4 keys get full fingerprints. v3 keys get long keyids. |
1129 | | This is because it's easy to calculate any sort of keyid |
1130 | | from a v4 fingerprint, but not a v3 fingerprint. */ |
1131 | |
|
1132 | 0 | if (node->pkt->pkt.public_key->version < 4) |
1133 | 0 | { |
1134 | 0 | (*klist)[*count].mode=KEYDB_SEARCH_MODE_LONG_KID; |
1135 | 0 | keyid_from_pk(node->pkt->pkt.public_key, |
1136 | 0 | (*klist)[*count].u.kid); |
1137 | 0 | } |
1138 | 0 | else |
1139 | 0 | { |
1140 | 0 | size_t fprlen; |
1141 | |
|
1142 | 0 | fingerprint_from_pk (node->pkt->pkt.public_key, |
1143 | 0 | (*klist)[*count].u.fpr, &fprlen); |
1144 | 0 | (*klist)[*count].mode = KEYDB_SEARCH_MODE_FPR; |
1145 | 0 | (*klist)[*count].fprlen = fprlen; |
1146 | 0 | } |
1147 | | |
1148 | | /* This is a little hackish, using the skipfncvalue as a |
1149 | | void* pointer to the keyserver spec, but we don't need |
1150 | | the skipfnc here, and it saves having an additional field |
1151 | | for this (which would be wasted space most of the |
1152 | | time). */ |
1153 | |
|
1154 | 0 | (*klist)[*count].skipfncvalue=NULL; |
1155 | | |
1156 | | /* Are we honoring preferred keyservers? */ |
1157 | 0 | if(opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL) |
1158 | 0 | { |
1159 | 0 | PKT_user_id *uid=NULL; |
1160 | 0 | PKT_signature *sig=NULL; |
1161 | |
|
1162 | 0 | merge_keys_and_selfsig (ctrl, keyblock); |
1163 | |
|
1164 | 0 | for(node=node->next;node;node=node->next) |
1165 | 0 | { |
1166 | 0 | if(node->pkt->pkttype==PKT_USER_ID |
1167 | 0 | && node->pkt->pkt.user_id->flags.primary) |
1168 | 0 | uid=node->pkt->pkt.user_id; |
1169 | 0 | else if(node->pkt->pkttype==PKT_SIGNATURE |
1170 | 0 | && node->pkt->pkt.signature-> |
1171 | 0 | flags.chosen_selfsig && uid) |
1172 | 0 | { |
1173 | 0 | sig=node->pkt->pkt.signature; |
1174 | 0 | break; |
1175 | 0 | } |
1176 | 0 | } |
1177 | | |
1178 | | /* Try and parse the keyserver URL. If it doesn't work, |
1179 | | then we end up writing NULL which indicates we are |
1180 | | the same as any other key. */ |
1181 | 0 | if(sig) |
1182 | 0 | (*klist)[*count].skipfncvalue=parse_preferred_keyserver(sig); |
1183 | 0 | } |
1184 | |
|
1185 | 0 | (*count)++; |
1186 | |
|
1187 | 0 | if(*count==num) |
1188 | 0 | { |
1189 | 0 | num+=100; |
1190 | 0 | *klist=xrealloc(*klist,sizeof(KEYDB_SEARCH_DESC)*num); |
1191 | 0 | } |
1192 | 0 | } |
1193 | 0 | } |
1194 | | |
1195 | 0 | if (gpg_err_code (rc) == GPG_ERR_NOT_FOUND) |
1196 | 0 | rc = 0; |
1197 | |
|
1198 | 0 | leave: |
1199 | 0 | if(rc) |
1200 | 0 | { |
1201 | 0 | xfree(*klist); |
1202 | 0 | *klist = NULL; |
1203 | 0 | } |
1204 | 0 | xfree(desc); |
1205 | 0 | keydb_release(kdbhd); |
1206 | 0 | release_kbnode(keyblock); |
1207 | |
|
1208 | 0 | return rc; |
1209 | 0 | } |
1210 | | |
1211 | | /* Note this is different than the original HKP refresh. It allows |
1212 | | usernames to refresh only part of the keyring. */ |
1213 | | |
1214 | | gpg_error_t |
1215 | | keyserver_refresh (ctrl_t ctrl, strlist_t users) |
1216 | 0 | { |
1217 | 0 | gpg_error_t err; |
1218 | 0 | int count, numdesc; |
1219 | 0 | KEYDB_SEARCH_DESC *desc; |
1220 | 0 | unsigned int options=opt.keyserver_options.import_options; |
1221 | | |
1222 | | /* We switch merge-only on during a refresh, as 'refresh' should |
1223 | | never import new keys, even if their keyids match. */ |
1224 | 0 | opt.keyserver_options.import_options|=IMPORT_MERGE_ONLY; |
1225 | | |
1226 | | /* Similarly, we switch on fast-import, since refresh may make |
1227 | | multiple import sets (due to preferred keyserver URLs). We don't |
1228 | | want each set to rebuild the trustdb. Instead we do it once at |
1229 | | the end here. */ |
1230 | 0 | opt.keyserver_options.import_options|=IMPORT_FAST; |
1231 | | |
1232 | |
|
1233 | 0 | err = keyidlist (ctrl, users, &desc, &numdesc); |
1234 | 0 | if (err) |
1235 | 0 | return err; |
1236 | | |
1237 | 0 | count=numdesc; |
1238 | 0 | if(count>0) |
1239 | 0 | { |
1240 | 0 | int i; |
1241 | | |
1242 | | /* Try to handle preferred keyserver keys first */ |
1243 | 0 | for(i=0;i<numdesc;i++) |
1244 | 0 | { |
1245 | 0 | if(desc[i].skipfncvalue) |
1246 | 0 | { |
1247 | 0 | struct keyserver_spec *keyserver=desc[i].skipfncvalue; |
1248 | |
|
1249 | 0 | if (!opt.quiet) |
1250 | 0 | log_info (ngettext("refreshing %d key from %s\n", |
1251 | 0 | "refreshing %d keys from %s\n", |
1252 | 0 | 1), 1, keyserver->uri); |
1253 | | |
1254 | | /* We use the keyserver structure we parsed out before. |
1255 | | Note that a preferred keyserver without a scheme:// |
1256 | | will be interpreted as hkp:// */ |
1257 | 0 | err = keyserver_get (ctrl, &desc[i], 1, keyserver, 0, NULL, NULL); |
1258 | 0 | if (err) |
1259 | 0 | log_info(_("WARNING: unable to refresh key %s" |
1260 | 0 | " via %s: %s\n"),keystr_from_desc(&desc[i]), |
1261 | 0 | keyserver->uri,gpg_strerror (err)); |
1262 | 0 | else |
1263 | 0 | { |
1264 | | /* We got it, so mark it as NONE so we don't try and |
1265 | | get it again from the regular keyserver. */ |
1266 | |
|
1267 | 0 | desc[i].mode=KEYDB_SEARCH_MODE_NONE; |
1268 | 0 | count--; |
1269 | 0 | } |
1270 | |
|
1271 | 0 | free_keyserver_spec(keyserver); |
1272 | 0 | } |
1273 | 0 | } |
1274 | 0 | } |
1275 | |
|
1276 | 0 | if(count>0) |
1277 | 0 | { |
1278 | 0 | char *tmpuri; |
1279 | |
|
1280 | 0 | err = gpg_dirmngr_ks_list (ctrl, &tmpuri); |
1281 | 0 | if (!err) |
1282 | 0 | { |
1283 | 0 | if (!opt.quiet) |
1284 | 0 | { |
1285 | 0 | log_info (ngettext("refreshing %d key from %s\n", |
1286 | 0 | "refreshing %d keys from %s\n", |
1287 | 0 | count), count, tmpuri); |
1288 | 0 | } |
1289 | 0 | xfree (tmpuri); |
1290 | |
|
1291 | 0 | err = keyserver_get (ctrl, desc, numdesc, NULL, 0, NULL, NULL); |
1292 | 0 | } |
1293 | 0 | } |
1294 | |
|
1295 | 0 | xfree(desc); |
1296 | |
|
1297 | 0 | opt.keyserver_options.import_options=options; |
1298 | | |
1299 | | /* If the original options didn't have fast import, and the trustdb |
1300 | | is dirty, rebuild. */ |
1301 | 0 | if(!(opt.keyserver_options.import_options&IMPORT_FAST)) |
1302 | 0 | check_or_update_trustdb (ctrl); |
1303 | |
|
1304 | 0 | return err; |
1305 | 0 | } |
1306 | | |
1307 | | |
1308 | | /* Search for keys on the keyservers. The patterns are given in the |
1309 | | string list TOKENS. */ |
1310 | | gpg_error_t |
1311 | | keyserver_search (ctrl_t ctrl, strlist_t tokens) |
1312 | 0 | { |
1313 | 0 | gpg_error_t err; |
1314 | 0 | char *searchstr; |
1315 | 0 | struct search_line_handler_parm_s parm; |
1316 | |
|
1317 | 0 | memset (&parm, 0, sizeof parm); |
1318 | |
|
1319 | 0 | if (!tokens) |
1320 | 0 | return 0; /* Return success if no patterns are given. */ |
1321 | | |
1322 | 0 | { |
1323 | 0 | membuf_t mb; |
1324 | 0 | strlist_t item; |
1325 | |
|
1326 | 0 | init_membuf (&mb, 1024); |
1327 | 0 | for (item = tokens; item; item = item->next) |
1328 | 0 | { |
1329 | 0 | if (item != tokens) |
1330 | 0 | put_membuf (&mb, " ", 1); |
1331 | 0 | put_membuf_str (&mb, item->d); |
1332 | 0 | } |
1333 | 0 | put_membuf (&mb, "", 1); /* Append Nul. */ |
1334 | 0 | searchstr = get_membuf (&mb, NULL); |
1335 | 0 | if (!searchstr) |
1336 | 0 | { |
1337 | 0 | err = gpg_error_from_syserror (); |
1338 | 0 | goto leave; |
1339 | 0 | } |
1340 | 0 | } |
1341 | | |
1342 | 0 | parm.ctrl = ctrl; |
1343 | 0 | if (searchstr) |
1344 | 0 | parm.searchstr_disp = utf8_to_native (searchstr, strlen (searchstr), 0); |
1345 | |
|
1346 | 0 | err = gpg_dirmngr_ks_search (ctrl, searchstr, search_line_handler, &parm); |
1347 | |
|
1348 | 0 | if (parm.not_found || gpg_err_code (err) == GPG_ERR_NO_DATA) |
1349 | 0 | { |
1350 | 0 | if (parm.searchstr_disp) |
1351 | 0 | log_info (_("key \"%s\" not found on keyserver\n"), |
1352 | 0 | parm.searchstr_disp); |
1353 | 0 | else |
1354 | 0 | log_info (_("key not found on keyserver\n")); |
1355 | 0 | } |
1356 | |
|
1357 | 0 | if (gpg_err_code (err) == GPG_ERR_NO_DATA) |
1358 | 0 | err = gpg_error (GPG_ERR_NOT_FOUND); |
1359 | 0 | else if (err) |
1360 | 0 | log_error ("error searching keyserver: %s\n", gpg_strerror (err)); |
1361 | |
|
1362 | 0 | leave: |
1363 | 0 | xfree (parm.desc); |
1364 | 0 | xfree (parm.searchstr_disp); |
1365 | 0 | xfree(searchstr); |
1366 | |
|
1367 | 0 | return err; |
1368 | 0 | } |
1369 | | |
1370 | | /* Helper for keyserver_get. Here we only receive a chunk of the |
1371 | | description to be processed in one batch. This is required due to |
1372 | | the limited number of patterns the dirmngr interface (KS_GET) can |
1373 | | grok and to limit the amount of temporary required memory. */ |
1374 | | static gpg_error_t |
1375 | | keyserver_get_chunk (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc, |
1376 | | int *r_ndesc_used, |
1377 | | import_stats_t stats_handle, |
1378 | | struct keyserver_spec *override_keyserver, |
1379 | | unsigned int flags, |
1380 | | unsigned char **r_fpr, size_t *r_fprlen) |
1381 | | |
1382 | 0 | { |
1383 | 0 | gpg_error_t err = 0; |
1384 | 0 | char **pattern; |
1385 | 0 | int idx, npat, npat_fpr; |
1386 | 0 | estream_t datastream; |
1387 | 0 | char *source = NULL; |
1388 | 0 | size_t linelen; /* Estimated linelen for KS_GET. */ |
1389 | 0 | size_t n; |
1390 | 0 | int only_fprs; |
1391 | |
|
1392 | 0 | #define MAX_KS_GET_LINELEN 950 /* Somewhat lower than the real limit. */ |
1393 | |
|
1394 | 0 | *r_ndesc_used = 0; |
1395 | | |
1396 | | /* Create an array filled with a search pattern for each key. The |
1397 | | array is delimited by a NULL entry. */ |
1398 | 0 | pattern = xtrycalloc (ndesc+1, sizeof *pattern); |
1399 | 0 | if (!pattern) |
1400 | 0 | return gpg_error_from_syserror (); |
1401 | | |
1402 | | /* Note that we break the loop as soon as our estimation of the to |
1403 | | be used line length reaches the limit. But we do this only if we |
1404 | | have processed at least one search requests so that an overlong |
1405 | | single request will be rejected only later by gpg_dirmngr_ks_get |
1406 | | but we are sure that R_NDESC_USED has been updated. This avoids |
1407 | | a possible indefinite loop. */ |
1408 | 0 | linelen = 24; /* "KS_GET --quick --ldap --" */ |
1409 | 0 | for (npat=npat_fpr=0, idx=0; idx < ndesc; idx++) |
1410 | 0 | { |
1411 | 0 | int quiet = 0; |
1412 | |
|
1413 | 0 | if (desc[idx].mode == KEYDB_SEARCH_MODE_FPR) |
1414 | 0 | { |
1415 | 0 | n = 1+2+2*desc[idx].fprlen; |
1416 | 0 | if (idx && linelen + n > MAX_KS_GET_LINELEN) |
1417 | 0 | break; /* Declare end of this chunk. */ |
1418 | 0 | linelen += n; |
1419 | |
|
1420 | 0 | pattern[npat] = xtrymalloc (n); |
1421 | 0 | if (!pattern[npat]) |
1422 | 0 | err = gpg_error_from_syserror (); |
1423 | 0 | else |
1424 | 0 | { |
1425 | 0 | strcpy (pattern[npat], "0x"); |
1426 | 0 | bin2hex (desc[idx].u.fpr, desc[idx].fprlen, pattern[npat]+2); |
1427 | 0 | npat++; |
1428 | 0 | if (desc[idx].fprlen == 20 || desc[idx].fprlen == 32) |
1429 | 0 | npat_fpr++; |
1430 | 0 | } |
1431 | 0 | } |
1432 | 0 | else if(desc[idx].mode == KEYDB_SEARCH_MODE_LONG_KID) |
1433 | 0 | { |
1434 | 0 | n = 1+2+16; |
1435 | 0 | if (idx && linelen + n > MAX_KS_GET_LINELEN) |
1436 | 0 | break; /* Declare end of this chunk. */ |
1437 | 0 | linelen += n; |
1438 | |
|
1439 | 0 | pattern[npat] = xtryasprintf ("0x%08lX%08lX", |
1440 | 0 | (ulong)desc[idx].u.kid[0], |
1441 | 0 | (ulong)desc[idx].u.kid[1]); |
1442 | 0 | if (!pattern[npat]) |
1443 | 0 | err = gpg_error_from_syserror (); |
1444 | 0 | else |
1445 | 0 | npat++; |
1446 | 0 | } |
1447 | 0 | else if(desc[idx].mode == KEYDB_SEARCH_MODE_SHORT_KID) |
1448 | 0 | { |
1449 | 0 | n = 1+2+8; |
1450 | 0 | if (idx && linelen + n > MAX_KS_GET_LINELEN) |
1451 | 0 | break; /* Declare end of this chunk. */ |
1452 | 0 | linelen += n; |
1453 | |
|
1454 | 0 | pattern[npat] = xtryasprintf ("0x%08lX", (ulong)desc[idx].u.kid[1]); |
1455 | 0 | if (!pattern[npat]) |
1456 | 0 | err = gpg_error_from_syserror (); |
1457 | 0 | else |
1458 | 0 | npat++; |
1459 | 0 | } |
1460 | 0 | else if(desc[idx].mode == KEYDB_SEARCH_MODE_EXACT) |
1461 | 0 | { |
1462 | | /* The Dirmngr also uses classify_user_id to detect the type |
1463 | | of the search string. By adding the '=' prefix we force |
1464 | | Dirmngr's KS_GET to consider this an exact search string. |
1465 | | (In gpg 1.4 and gpg 2.0 the keyserver helpers used the |
1466 | | KS_GETNAME command to indicate this.) */ |
1467 | |
|
1468 | 0 | n = 1+1+strlen (desc[idx].u.name); |
1469 | 0 | if (idx && linelen + n > MAX_KS_GET_LINELEN) |
1470 | 0 | break; /* Declare end of this chunk. */ |
1471 | 0 | linelen += n; |
1472 | |
|
1473 | 0 | pattern[npat] = strconcat ("=", desc[idx].u.name, NULL); |
1474 | 0 | if (!pattern[npat]) |
1475 | 0 | err = gpg_error_from_syserror (); |
1476 | 0 | else |
1477 | 0 | { |
1478 | 0 | npat++; |
1479 | 0 | quiet = 1; |
1480 | 0 | } |
1481 | 0 | } |
1482 | 0 | else if(desc[idx].mode == KEYDB_SEARCH_MODE_MAIL) |
1483 | 0 | { |
1484 | 0 | n = 1 + strlen (desc[idx].u.name) + 1 + 1; |
1485 | 0 | if (idx && linelen + n > MAX_KS_GET_LINELEN) |
1486 | 0 | break; /* Declare end of this chunk. */ |
1487 | 0 | linelen += n; |
1488 | |
|
1489 | 0 | if (desc[idx].u.name[0] == '<') |
1490 | 0 | pattern[npat] = xtrystrdup (desc[idx].u.name); |
1491 | 0 | else |
1492 | 0 | pattern[npat] = strconcat ("<", desc[idx].u.name, ">", NULL); |
1493 | 0 | if (!pattern[npat]) |
1494 | 0 | err = gpg_error_from_syserror (); |
1495 | 0 | else |
1496 | 0 | { |
1497 | 0 | npat++; |
1498 | 0 | quiet = 1; |
1499 | 0 | } |
1500 | 0 | } |
1501 | 0 | else if (desc[idx].mode == KEYDB_SEARCH_MODE_NONE) |
1502 | 0 | continue; |
1503 | 0 | else |
1504 | 0 | BUG(); |
1505 | | |
1506 | 0 | if (err) |
1507 | 0 | { |
1508 | 0 | for (idx=0; idx < npat; idx++) |
1509 | 0 | xfree (pattern[idx]); |
1510 | 0 | xfree (pattern); |
1511 | 0 | return err; |
1512 | 0 | } |
1513 | | |
1514 | 0 | if (!quiet && override_keyserver) |
1515 | 0 | { |
1516 | 0 | log_info (_("requesting key %s from %s\n"), |
1517 | 0 | keystr_from_desc (&desc[idx]), override_keyserver->uri); |
1518 | 0 | } |
1519 | 0 | } |
1520 | | |
1521 | | /* Remember how many of the search items were considered. Note that |
1522 | | this is different from NPAT. */ |
1523 | 0 | *r_ndesc_used = idx; |
1524 | |
|
1525 | 0 | only_fprs = (npat && npat == npat_fpr); |
1526 | |
|
1527 | 0 | err = gpg_dirmngr_ks_get (ctrl, pattern, override_keyserver, flags, |
1528 | 0 | &datastream, &source); |
1529 | 0 | for (idx=0; idx < npat; idx++) |
1530 | 0 | xfree (pattern[idx]); |
1531 | 0 | xfree (pattern); |
1532 | 0 | if (opt.verbose && source) |
1533 | 0 | log_info ("data source: %s\n", source); |
1534 | | |
1535 | | |
1536 | |
|
1537 | 0 | if (!err) |
1538 | 0 | { |
1539 | 0 | struct ks_retrieval_screener_arg_s screenerarg; |
1540 | 0 | unsigned int options; |
1541 | | |
1542 | | /* FIXME: Check whether this comment should be moved to dirmngr. |
1543 | | |
1544 | | Slurp up all the key data. In the future, it might be nice |
1545 | | to look for KEY foo OUTOFBAND and FAILED indicators. It's |
1546 | | harmless to ignore them, but ignoring them does make gpg |
1547 | | complain about "no valid OpenPGP data found". One way to do |
1548 | | this could be to continue parsing this line-by-line and make |
1549 | | a temp iobuf for each key. Note that we don't allow the |
1550 | | import of secret keys from a keyserver. Keyservers should |
1551 | | never accept or send them but we better protect against rogue |
1552 | | keyservers. */ |
1553 | | |
1554 | | /* For LDAP servers we reset IMPORT_SELF_SIGS_ONLY and |
1555 | | * IMPORT_CLEAN unless they have been set explicitly. We |
1556 | | * forcible clear them if that has been requested and also set |
1557 | | * the MERGE_ONLY option so that a --send-key can't be tricked |
1558 | | * into importing a key by means of the update-before-send |
1559 | | * keyserver option. */ |
1560 | 0 | options = (opt.keyserver_options.import_options | IMPORT_ONLY_PUBKEYS); |
1561 | 0 | if (source && (!strncmp (source, "ldap:", 5) |
1562 | 0 | || !strncmp (source, "ldaps:", 6))) |
1563 | 0 | { |
1564 | 0 | if (!opt.flags.expl_import_self_sigs_only) |
1565 | 0 | options &= ~IMPORT_SELF_SIGS_ONLY; |
1566 | 0 | if (!opt.flags.expl_import_clean) |
1567 | 0 | options &= ~IMPORT_CLEAN; |
1568 | 0 | } |
1569 | 0 | if ((flags & KEYSERVER_IMPORT_FLAG_UPDSEND)) |
1570 | 0 | { |
1571 | 0 | options &= ~(IMPORT_SELF_SIGS_ONLY | IMPORT_CLEAN); |
1572 | 0 | options |= IMPORT_MERGE_ONLY; |
1573 | 0 | } |
1574 | |
|
1575 | 0 | screenerarg.desc = desc; |
1576 | 0 | screenerarg.ndesc = *r_ndesc_used; |
1577 | 0 | import_keys_es_stream (ctrl, datastream, stats_handle, |
1578 | 0 | r_fpr, r_fprlen, options, |
1579 | 0 | keyserver_retrieval_screener, &screenerarg, |
1580 | 0 | only_fprs? KEYORG_KS : 0, |
1581 | 0 | source); |
1582 | 0 | } |
1583 | 0 | es_fclose (datastream); |
1584 | 0 | xfree (source); |
1585 | |
|
1586 | 0 | return err; |
1587 | 0 | } |
1588 | | |
1589 | | |
1590 | | /* Retrieve a key from a keyserver. The search pattern are in |
1591 | | (DESC,NDESC). Allowed search modes are keyid, fingerprint, and |
1592 | | exact searches. OVERRIDE_KEYSERVER gives an optional override |
1593 | | keyserver. If (R_FPR,R_FPRLEN) are not NULL, they may return the |
1594 | | fingerprint of a single imported key. If the FLAG bit |
1595 | | KEYSERVER_IMPORT_FLAG_QUICK is set, dirmngr is advised to use a |
1596 | | shorter timeout. */ |
1597 | | static gpg_error_t |
1598 | | keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc, |
1599 | | struct keyserver_spec *override_keyserver, unsigned int flags, |
1600 | | unsigned char **r_fpr, size_t *r_fprlen) |
1601 | 0 | { |
1602 | 0 | gpg_error_t err; |
1603 | 0 | import_stats_t stats_handle; |
1604 | 0 | int ndesc_used; |
1605 | 0 | int any_good = 0; |
1606 | |
|
1607 | 0 | stats_handle = import_new_stats_handle(); |
1608 | |
|
1609 | 0 | for (;;) |
1610 | 0 | { |
1611 | 0 | err = keyserver_get_chunk (ctrl, desc, ndesc, &ndesc_used, stats_handle, |
1612 | 0 | override_keyserver, flags, r_fpr, r_fprlen); |
1613 | 0 | if (!err) |
1614 | 0 | any_good = 1; |
1615 | 0 | if (err || ndesc_used >= ndesc) |
1616 | 0 | break; /* Error or all processed. */ |
1617 | | /* Prepare for the next chunk. */ |
1618 | 0 | desc += ndesc_used; |
1619 | 0 | ndesc -= ndesc_used; |
1620 | 0 | } |
1621 | |
|
1622 | 0 | if (any_good && !(flags & KEYSERVER_IMPORT_FLAG_SILENT)) |
1623 | 0 | import_print_stats (stats_handle); |
1624 | |
|
1625 | 0 | import_release_stats_handle (stats_handle); |
1626 | 0 | return err; |
1627 | 0 | } |
1628 | | |
1629 | | |
1630 | | /* Send all keys specified by KEYSPECS to the configured keyserver. |
1631 | | * If ASSUME_NEW_KEY is true the KEYSERVER_UPDATE_BEFORE_SEND option |
1632 | | * will be ignored. */ |
1633 | | static gpg_error_t |
1634 | | keyserver_put (ctrl_t ctrl, strlist_t keyspecs, int assume_new_key) |
1635 | 0 | { |
1636 | 0 | gpg_error_t err; |
1637 | 0 | strlist_t kspec; |
1638 | 0 | char *ksurl; |
1639 | 0 | int warn_only = !!(opt.keyserver_options.options & KEYSERVER_WARN_ONLY); |
1640 | 0 | int loglvl = warn_only? GPGRT_LOGLVL_INFO : GPGRT_LOGLVL_ERROR; |
1641 | |
|
1642 | 0 | if (!keyspecs) |
1643 | 0 | return 0; /* Return success if the list is empty. */ |
1644 | | |
1645 | | /* Get the name of the used keyservers. */ |
1646 | 0 | if (gpg_dirmngr_ks_list (ctrl, &ksurl)) |
1647 | 0 | { |
1648 | 0 | gpgrt_log (loglvl, _("no keyserver known\n")); |
1649 | 0 | return gpg_error (GPG_ERR_NO_KEYSERVER); |
1650 | 0 | } |
1651 | | |
1652 | | /* Check the LDAP only flag */ |
1653 | 0 | if ((opt.keyserver_options.options & KEYSERVER_LDAP_ONLY) |
1654 | 0 | && !(ksurl && (!strncmp (ksurl, "ldap:", 5) |
1655 | 0 | || !strncmp (ksurl, "ldaps:", 6)))) |
1656 | 0 | { |
1657 | 0 | if (opt.verbose) |
1658 | 0 | log_info (_("upload skipped due to non-LDAP keyserver\n")); |
1659 | 0 | err = 0; |
1660 | 0 | goto leave; |
1661 | 0 | } |
1662 | | |
1663 | | /* If the option is active, we first try to import the keys given by |
1664 | | * fingerprint from the keyserver. For example, if some PKI server |
1665 | | * has signed a key and the user has not yet imported that updated |
1666 | | * key, an upload would overwrite that key signature. This is only |
1667 | | * relevant for LDAP servers but not for the legacy HKP servers. */ |
1668 | 0 | if ((opt.keyserver_options.options & KEYSERVER_UPDATE_BEFORE_SEND) |
1669 | 0 | && !assume_new_key |
1670 | 0 | && ksurl && (!strncmp (ksurl, "ldap:", 5) |
1671 | 0 | || !strncmp (ksurl, "ldaps:", 6))) |
1672 | 0 | { |
1673 | 0 | err = keyserver_import (ctrl, keyspecs, (KEYSERVER_IMPORT_FLAG_UPDSEND |
1674 | 0 | | KEYSERVER_IMPORT_FLAG_ONLYFPR |
1675 | 0 | | KEYSERVER_IMPORT_FLAG_SILENT)); |
1676 | 0 | if (err) |
1677 | 0 | { |
1678 | 0 | if (opt.verbose && gpg_err_code (err) != GPG_ERR_NO_DATA) |
1679 | 0 | log_info (_("keyserver receive failed: %s\n"), |
1680 | 0 | gpg_strerror (err)); |
1681 | 0 | err = 0; |
1682 | 0 | } |
1683 | 0 | } |
1684 | | |
1685 | | /* Send key after key to the keyserver. */ |
1686 | 0 | for (kspec = keyspecs; kspec; kspec = kspec->next) |
1687 | 0 | { |
1688 | 0 | void *data; |
1689 | 0 | size_t datalen; |
1690 | 0 | kbnode_t keyblock; |
1691 | |
|
1692 | 0 | err = export_pubkey_buffer (ctrl, kspec->d, |
1693 | 0 | (opt.keyserver_options.export_options |
1694 | 0 | | EXPORT_NO_STATUS), |
1695 | 0 | NULL, 0, NULL, |
1696 | 0 | &keyblock, &data, &datalen); |
1697 | 0 | if (err) |
1698 | 0 | gpgrt_log (loglvl, _("skipped \"%s\": %s\n"), |
1699 | 0 | kspec->d, gpg_strerror (err)); |
1700 | 0 | else |
1701 | 0 | { |
1702 | 0 | if (!opt.quiet) |
1703 | 0 | log_info (_("sending key %s to %s\n"), |
1704 | 0 | keystr (keyblock->pkt->pkt.public_key->keyid), |
1705 | 0 | ksurl?ksurl:"[?]"); |
1706 | |
|
1707 | 0 | err = gpg_dirmngr_ks_put (ctrl, data, datalen, keyblock); |
1708 | 0 | xfree (data); |
1709 | 0 | if (err) |
1710 | 0 | { |
1711 | 0 | if (warn_only) |
1712 | 0 | write_status_warning ("keyserver_send", err); |
1713 | 0 | else |
1714 | 0 | write_status_error ("keyserver_send", err); |
1715 | 0 | gpgrt_log (loglvl, _("keyserver send failed: %s\n"), |
1716 | 0 | gpg_strerror (err)); |
1717 | 0 | } |
1718 | 0 | else /* On success print a status line. */ |
1719 | 0 | print_status_exported (keyblock->pkt->pkt.public_key); |
1720 | 0 | release_kbnode (keyblock); |
1721 | 0 | } |
1722 | 0 | } |
1723 | |
|
1724 | 0 | leave: |
1725 | 0 | xfree (ksurl); |
1726 | 0 | return err; |
1727 | |
|
1728 | 0 | } |
1729 | | |
1730 | | |
1731 | | /* Loop over all URLs in STRLIST and fetch the key at that URL. Note |
1732 | | that the fetch operation ignores the configured keyservers and |
1733 | | instead directly retrieves the keys. */ |
1734 | | int |
1735 | | keyserver_fetch (ctrl_t ctrl, strlist_t urilist, int origin) |
1736 | 0 | { |
1737 | 0 | gpg_error_t err; |
1738 | 0 | strlist_t sl; |
1739 | 0 | estream_t datastream; |
1740 | 0 | unsigned int save_options = opt.keyserver_options.import_options; |
1741 | 0 | int any_success = 0; |
1742 | 0 | gpg_error_t firsterr = 0; |
1743 | | |
1744 | | /* Switch on fast-import, since fetch can handle more than one |
1745 | | import and we don't want each set to rebuild the trustdb. |
1746 | | Instead we do it once at the end. */ |
1747 | 0 | opt.keyserver_options.import_options |= IMPORT_FAST; |
1748 | |
|
1749 | 0 | for (sl=urilist; sl; sl=sl->next) |
1750 | 0 | { |
1751 | 0 | if (!opt.quiet) |
1752 | 0 | log_info (_("requesting key from '%s'\n"), sl->d); |
1753 | |
|
1754 | 0 | err = gpg_dirmngr_ks_fetch (ctrl, sl->d, &datastream); |
1755 | 0 | if (!err) |
1756 | 0 | { |
1757 | 0 | import_stats_t stats_handle; |
1758 | |
|
1759 | 0 | stats_handle = import_new_stats_handle(); |
1760 | 0 | import_keys_es_stream (ctrl, datastream, stats_handle, NULL, NULL, |
1761 | 0 | opt.keyserver_options.import_options, |
1762 | 0 | NULL, NULL, origin, sl->d); |
1763 | |
|
1764 | 0 | import_print_stats (stats_handle); |
1765 | 0 | import_release_stats_handle (stats_handle); |
1766 | 0 | any_success = 1; |
1767 | 0 | } |
1768 | 0 | else |
1769 | 0 | { |
1770 | 0 | log_info (_("WARNING: unable to fetch URI %s: %s\n"), |
1771 | 0 | sl->d, gpg_strerror (err)); |
1772 | 0 | if (!firsterr) |
1773 | 0 | firsterr = err; |
1774 | 0 | } |
1775 | 0 | es_fclose (datastream); |
1776 | 0 | } |
1777 | |
|
1778 | 0 | if (!urilist) |
1779 | 0 | err = gpg_error (GPG_ERR_NO_NAME); |
1780 | 0 | else if (any_success) |
1781 | 0 | err = 0; |
1782 | 0 | else |
1783 | 0 | err = firsterr; |
1784 | |
|
1785 | 0 | opt.keyserver_options.import_options = save_options; |
1786 | | |
1787 | | /* If the original options didn't have fast import, and the trustdb |
1788 | | is dirty, rebuild. */ |
1789 | 0 | if (!(opt.keyserver_options.import_options&IMPORT_FAST)) |
1790 | 0 | check_or_update_trustdb (ctrl); |
1791 | |
|
1792 | 0 | return err; |
1793 | 0 | } |
1794 | | |
1795 | | |
1796 | | /* Import key in a CERT or pointed to by a CERT. In DANE_MODE fetch |
1797 | | the certificate using the DANE method. */ |
1798 | | int |
1799 | | keyserver_import_cert (ctrl_t ctrl, const char *name, int dane_mode, |
1800 | | unsigned char **fpr,size_t *fpr_len) |
1801 | 0 | { |
1802 | 0 | gpg_error_t err; |
1803 | 0 | char *look,*url; |
1804 | 0 | estream_t key; |
1805 | |
|
1806 | 0 | look = xstrdup(name); |
1807 | |
|
1808 | 0 | if (!dane_mode) |
1809 | 0 | { |
1810 | 0 | char *domain = strrchr (look,'@'); |
1811 | 0 | if (domain) |
1812 | 0 | *domain='.'; |
1813 | 0 | } |
1814 | |
|
1815 | 0 | err = gpg_dirmngr_dns_cert (ctrl, look, dane_mode? NULL : "*", |
1816 | 0 | &key, fpr, fpr_len, &url); |
1817 | 0 | if (err) |
1818 | 0 | ; |
1819 | 0 | else if (key) |
1820 | 0 | { |
1821 | 0 | int armor_status=opt.no_armor; |
1822 | 0 | import_filter_t save_filt; |
1823 | | |
1824 | | /* CERTs and DANE records are always in binary format */ |
1825 | 0 | opt.no_armor=1; |
1826 | 0 | if (dane_mode) |
1827 | 0 | { |
1828 | 0 | save_filt = save_and_clear_import_filter (); |
1829 | 0 | if (!save_filt) |
1830 | 0 | err = gpg_error_from_syserror (); |
1831 | 0 | else |
1832 | 0 | { |
1833 | 0 | char *filtstr = es_bsprintf ("keep-uid=mbox = %s", look); |
1834 | 0 | err = filtstr? 0 : gpg_error_from_syserror (); |
1835 | 0 | if (!err) |
1836 | 0 | err = parse_and_set_import_filter (filtstr); |
1837 | 0 | xfree (filtstr); |
1838 | 0 | if (!err) |
1839 | 0 | err = import_keys_es_stream (ctrl, key, NULL, fpr, fpr_len, |
1840 | 0 | IMPORT_ONLY_PUBKEYS, |
1841 | 0 | NULL, NULL, KEYORG_DANE, NULL); |
1842 | 0 | restore_import_filter (save_filt); |
1843 | 0 | } |
1844 | 0 | } |
1845 | 0 | else |
1846 | 0 | { |
1847 | 0 | err = import_keys_es_stream (ctrl, key, NULL, fpr, fpr_len, |
1848 | 0 | (opt.keyserver_options.import_options |
1849 | 0 | | IMPORT_ONLY_PUBKEYS), |
1850 | 0 | NULL, NULL, 0, NULL); |
1851 | 0 | } |
1852 | |
|
1853 | 0 | opt.no_armor=armor_status; |
1854 | |
|
1855 | 0 | es_fclose (key); |
1856 | 0 | key = NULL; |
1857 | 0 | } |
1858 | 0 | else if (*fpr) |
1859 | 0 | { |
1860 | | /* We only consider the IPGP type if a fingerprint was provided. |
1861 | | This lets us select the right key regardless of what a URL |
1862 | | points to, or get the key from a keyserver. */ |
1863 | 0 | if(url) |
1864 | 0 | { |
1865 | 0 | struct keyserver_spec *spec; |
1866 | |
|
1867 | 0 | spec = parse_keyserver_uri (url, 1); |
1868 | 0 | if(spec) |
1869 | 0 | { |
1870 | 0 | err = keyserver_import_fpr (ctrl, *fpr, *fpr_len, spec, 0); |
1871 | 0 | free_keyserver_spec(spec); |
1872 | 0 | } |
1873 | 0 | } |
1874 | 0 | else if (keyserver_any_configured (ctrl)) |
1875 | 0 | { |
1876 | | /* If only a fingerprint is provided, try and fetch it from |
1877 | | the configured keyserver. */ |
1878 | |
|
1879 | 0 | err = keyserver_import_fpr (ctrl, *fpr, *fpr_len, opt.keyserver, 0); |
1880 | 0 | } |
1881 | 0 | else |
1882 | 0 | log_info(_("no keyserver known\n")); |
1883 | | |
1884 | | /* Give a better string here? "CERT fingerprint for \"%s\" |
1885 | | found, but no keyserver" " known (use option |
1886 | | --keyserver)\n" ? */ |
1887 | |
|
1888 | 0 | } |
1889 | |
|
1890 | 0 | xfree(url); |
1891 | 0 | xfree(look); |
1892 | |
|
1893 | 0 | return err; |
1894 | 0 | } |
1895 | | |
1896 | | |
1897 | | /* Import a key using the Web Key Directory protocol. */ |
1898 | | gpg_error_t |
1899 | | keyserver_import_wkd (ctrl_t ctrl, const char *name, unsigned int flags, |
1900 | | unsigned char **fpr, size_t *fpr_len) |
1901 | 0 | { |
1902 | 0 | gpg_error_t err; |
1903 | 0 | char *mbox; |
1904 | 0 | estream_t key; |
1905 | 0 | char *url = NULL; |
1906 | | |
1907 | | /* We want to work on the mbox. That is what dirmngr will do anyway |
1908 | | * and we need the mbox for the import filter anyway. */ |
1909 | 0 | mbox = mailbox_from_userid (name, 0); |
1910 | 0 | if (!mbox) |
1911 | 0 | { |
1912 | 0 | err = gpg_error_from_syserror (); |
1913 | 0 | if (gpg_err_code (err) == GPG_ERR_EINVAL) |
1914 | 0 | err = gpg_error (GPG_ERR_INV_USER_ID); |
1915 | 0 | return err; |
1916 | 0 | } |
1917 | | |
1918 | 0 | err = gpg_dirmngr_wkd_get (ctrl, mbox, flags, &key, &url); |
1919 | 0 | if (err) |
1920 | 0 | ; |
1921 | 0 | else if (key) |
1922 | 0 | { |
1923 | 0 | int armor_status = opt.no_armor; |
1924 | 0 | import_filter_t save_filt; |
1925 | | |
1926 | | /* Keys returned via WKD are in binary format. However, we |
1927 | | * relax that requirement and allow also for armored data. */ |
1928 | 0 | opt.no_armor = 0; |
1929 | 0 | save_filt = save_and_clear_import_filter (); |
1930 | 0 | if (!save_filt) |
1931 | 0 | err = gpg_error_from_syserror (); |
1932 | 0 | else |
1933 | 0 | { |
1934 | 0 | char *filtstr = es_bsprintf ("keep-uid=mbox = %s", mbox); |
1935 | 0 | err = filtstr? 0 : gpg_error_from_syserror (); |
1936 | 0 | if (!err) |
1937 | 0 | err = parse_and_set_import_filter (filtstr); |
1938 | 0 | xfree (filtstr); |
1939 | 0 | if (!err) |
1940 | 0 | err = import_keys_es_stream (ctrl, key, NULL, fpr, fpr_len, |
1941 | 0 | IMPORT_ONLY_PUBKEYS, |
1942 | 0 | NULL, NULL, KEYORG_WKD, url); |
1943 | |
|
1944 | 0 | } |
1945 | |
|
1946 | 0 | restore_import_filter (save_filt); |
1947 | 0 | opt.no_armor = armor_status; |
1948 | |
|
1949 | 0 | es_fclose (key); |
1950 | 0 | key = NULL; |
1951 | 0 | } |
1952 | |
|
1953 | 0 | xfree (url); |
1954 | 0 | xfree (mbox); |
1955 | 0 | return err; |
1956 | 0 | } |