1
/* gpgkeys_ldap.c - talk to a LDAP keyserver
2
* Copyright (C) 2001, 2002, 2004 Free Software Foundation, Inc.
4
* This file is part of GnuPG.
6
* GnuPG is free software; you can redistribute it and/or modify
7
* it under the terms of the GNU General Public License as published by
8
* the Free Software Foundation; either version 2 of the License, or
9
* (at your option) any later version.
11
* GnuPG is distributed in the hope that it will be useful,
12
* but WITHOUT ANY WARRANTY; without even the implied warranty of
13
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14
* GNU General Public License for more details.
16
* You should have received a copy of the GNU General Public License
17
* along with this program; if not, write to the Free Software
18
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
40
#include "keyserver.h"
55
static int verbose=0,include_disabled=0,include_revoked=0,include_subkeys=0;
56
static int real_ldap=0;
57
static char *basekeyspacedn=NULL;
58
static char host[80]={'\0'};
59
static char portstr[10]={'\0'};
60
static char *pgpkeystr="pgpKey";
61
static FILE *input=NULL,*output=NULL,*console=NULL;
62
static LDAP *ldap=NULL;
65
time_t timegm(struct tm *tm);
75
ldap_err_to_gpg_err(int err)
81
case LDAP_ALREADY_EXISTS:
82
ret=KEYSERVER_KEY_EXISTS;
85
case LDAP_SERVER_DOWN:
86
ret=KEYSERVER_UNREACHABLE;
90
ret=KEYSERVER_GENERAL_ERROR;
98
ldap_to_gpg_err(LDAP *ld)
100
#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
104
if(ldap_get_option(ld,LDAP_OPT_ERROR_NUMBER,&err)==0)
105
return ldap_err_to_gpg_err(err);
107
return KEYSERVER_GENERAL_ERROR;
109
#elif defined(HAVE_LDAP_LD_ERRNO)
111
return ldap_err_to_gpg_err(ld->ld_errno);
115
/* We should never get here since the LDAP library should always
116
have either ldap_get_option or ld_errno, but just in case... */
117
return KEYSERVER_GENERAL_ERROR;
123
key_in_keylist(const char *key,struct keylist *list)
125
struct keylist *keyptr=list;
129
if(strcasecmp(key,keyptr->str)==0)
139
add_key_to_keylist(const char *key,struct keylist **list)
141
struct keylist *keyptr=malloc(sizeof(struct keylist));
145
fprintf(console,"gpgkeys: out of memory when deduping "
147
return KEYSERVER_NO_MEMORY;
150
strncpy(keyptr->str,key,MAX_LINE);
151
keyptr->str[MAX_LINE-1]='\0';
159
free_keylist(struct keylist *list)
163
struct keylist *keyptr=list;
171
ldap2epochtime(const char *timestr)
176
memset(&pgptime,0,sizeof(pgptime));
178
/* YYYYMMDDHHmmssZ */
180
sscanf(timestr,"%4d%2d%2d%2d%2d%2d",
188
pgptime.tm_year-=1900;
192
/* mktime() takes the timezone into account, so we use timegm() */
194
answer=timegm(&pgptime);
199
/* Caller must free */
201
epoch2ldaptime(time_t stamp)
206
ldaptime=gmtime(&stamp);
208
ldaptime->tm_year+=1900;
211
/* YYYYMMDDHHmmssZ */
213
sprintf(buf,"%04d%02d%02d%02d%02d%02dZ",
224
/* Append two onto the end of one. Two is not freed, but its pointers
225
are now part of one. Make sure you don't free them both! */
227
join_two_modlists(LDAPMod ***one,LDAPMod **two)
229
int i,one_count=0,two_count=0;
232
for(grow=*one;*grow;grow++)
235
for(grow=two;*grow;grow++)
238
grow=realloc(*one,sizeof(LDAPMod *)*(one_count+two_count+1));
242
for(i=0;i<two_count;i++)
243
grow[one_count+i]=two[i];
245
grow[one_count+i]=NULL;
252
/* Passing a NULL for value effectively deletes that attribute. This
253
doesn't mean "delete" in the sense of removing something from the
254
modlist, but "delete" in the LDAP sense of adding a modlist item
255
that specifies LDAP_MOD_REPLACE and a null attribute for the given
256
attribute. LDAP_MOD_DELETE doesn't work here as we don't know if
257
the attribute in question exists or not. */
260
make_one_attr(LDAPMod ***modlist,int unique,char *attr,const char *value)
265
/* Search modlist for the attribute we're playing with. */
266
for(m=*modlist;*m;m++)
268
if(strcasecmp((*m)->mod_type,attr)==0)
270
char **ptr=(*m)->mod_values;
273
/* We have this attribute already, so when the REPLACE
274
happens, the server attributes will be replaced
280
for(ptr=(*m)->mod_values;*ptr;ptr++)
282
if(unique && strcmp(*ptr,value)==0)
287
ptr=realloc((*m)->mod_values,sizeof(char *)*(numvalues+2));
291
(*m)->mod_values=ptr;
292
ptr[numvalues]=strdup(value);
296
ptr[numvalues+1]=NULL;
303
/* We didn't find the attr, so make one and add it to the end */
308
grow=realloc(*modlist,sizeof(LDAPMod *)*(nummods+2));
313
grow[nummods]=malloc(sizeof(LDAPMod));
316
grow[nummods]->mod_op=LDAP_MOD_REPLACE;
317
grow[nummods]->mod_type=attr;
320
grow[nummods]->mod_values=malloc(sizeof(char *)*2);
321
if(!grow[nummods]->mod_values)
327
/* Is this the right thing? Can a UTF8-encoded user ID have
329
grow[nummods]->mod_values[0]=strdup(value);
330
if(!grow[nummods]->mod_values[0])
332
free(grow[nummods]->mod_values);
337
grow[nummods]->mod_values[1]=NULL;
340
grow[nummods]->mod_values=NULL;
342
grow[nummods+1]=NULL;
349
build_attrs(LDAPMod ***modlist,char *line)
354
/* Remove trailing whitespace */
355
for(i=strlen(line);i>0;i--)
356
if(ascii_isspace(line[i-1]))
361
if((record=strsep(&line,":"))==NULL)
364
if(ascii_strcasecmp("pub",record)==0)
367
int disabled=0,revoked=0;
370
if((tok=strsep(&line,":"))==NULL)
375
make_one_attr(modlist,0,"pgpCertID",tok);
376
make_one_attr(modlist,0,"pgpKeyID",&tok[8]);
381
/* The primary pubkey algo */
382
if((tok=strsep(&line,":"))==NULL)
388
make_one_attr(modlist,0,"pgpKeyType","RSA");
392
make_one_attr(modlist,0,"pgpKeyType","DSS/DH");
396
/* Size of primary key */
397
if((tok=strsep(&line,":"))==NULL)
405
/* We zero pad this on the left to make PGP happy. */
407
if(val<99999 && val>0)
409
sprintf(padded,"%05u",atoi(tok));
410
make_one_attr(modlist,0,"pgpKeySize",padded);
415
if((tok=strsep(&line,":"))==NULL)
420
char *stamp=epoch2ldaptime(atoi(tok));
423
make_one_attr(modlist,0,"pgpKeyCreateTime",stamp);
429
if((tok=strsep(&line,":"))==NULL)
434
char *stamp=epoch2ldaptime(atoi(tok));
437
make_one_attr(modlist,0,"pgpKeyExpireTime",stamp);
443
if((tok=strsep(&line,":"))==NULL)
461
Note that we always create the pgpDisabled and pgpRevoked
462
attributes, regardless of whether the key is disabled/revoked
463
or not. This is because a very common search is like
464
"(&(pgpUserID=*isabella*)(pgpDisabled=0))"
467
make_one_attr(modlist,0,"pgpDisabled",disabled?"1":"0");
468
make_one_attr(modlist,0,"pgpRevoked",revoked?"1":"0");
470
else if(ascii_strcasecmp("sub",record)==0)
475
if((tok=strsep(&line,":"))==NULL)
479
make_one_attr(modlist,0,"pgpSubKeyID",tok);
483
/* The subkey algo */
484
if((tok=strsep(&line,":"))==NULL)
488
if((tok=strsep(&line,":"))==NULL)
496
/* We zero pad this on the left to make PGP happy. */
498
if(val<99999 && val>0)
500
sprintf(padded,"%05u",atoi(tok));
501
make_one_attr(modlist,0,"pgpKeySize",padded);
505
/* Ignore the rest of the items for subkeys since the LDAP
506
schema doesn't store them. */
508
else if(ascii_strcasecmp("uid",record)==0)
512
/* The user ID string */
513
if((tok=strsep(&line,":"))==NULL)
521
/* By definition, de-%-encoding is always smaller than the
522
original string so we can decode in place. */
527
if(tok[0]=='%' && tok[1] && tok[2])
529
if((userid[i]=hextobyte(&tok[1]))==-1)
540
/* We don't care about the other info provided in the uid: line
541
since the LDAP schema doesn't need it. */
543
make_one_attr(modlist,0,"pgpUserID",userid);
545
else if(ascii_strcasecmp("sig",record)==0)
549
if((tok=strsep(&line,":"))==NULL)
553
make_one_attr(modlist,1,"pgpSignerID",tok);
558
free_mod_values(LDAPMod *mod)
565
for(ptr=mod->mod_values;*ptr;ptr++)
568
free(mod->mod_values);
574
int err,begin=0,end=0,keysize=1,ret=KEYSERVER_INTERNAL_ERROR;
575
char *dn=NULL,line[MAX_LINE],*key=NULL;
577
LDAPMod **modlist,**addlist,**ml;
579
modlist=malloc(sizeof(LDAPMod *));
582
fprintf(console,"gpgkeys: can't allocate memory for keyserver record\n");
583
ret=KEYSERVER_NO_MEMORY;
589
addlist=malloc(sizeof(LDAPMod *));
592
fprintf(console,"gpgkeys: can't allocate memory for keyserver record\n");
593
ret=KEYSERVER_NO_MEMORY;
599
/* Start by nulling out all attributes. We try and do a modify
600
operation first, so this ensures that we don't leave old
601
attributes lying around. */
602
make_one_attr(&modlist,0,"pgpDisabled",NULL);
603
make_one_attr(&modlist,0,"pgpKeyID",NULL);
604
make_one_attr(&modlist,0,"pgpKeyType",NULL);
605
make_one_attr(&modlist,0,"pgpUserID",NULL);
606
make_one_attr(&modlist,0,"pgpKeyCreateTime",NULL);
607
make_one_attr(&modlist,0,"pgpSignerID",NULL);
608
make_one_attr(&modlist,0,"pgpRevoked",NULL);
609
make_one_attr(&modlist,0,"pgpSubKeyID",NULL);
610
make_one_attr(&modlist,0,"pgpKeySize",NULL);
611
make_one_attr(&modlist,0,"pgpKeyExpireTime",NULL);
612
make_one_attr(&modlist,0,"pgpCertID",NULL);
614
/* Assemble the INFO stuff into LDAP attributes */
616
while(fgets(line,MAX_LINE,input)!=NULL)
617
if(sscanf(line,"INFO %16s BEGIN\n",keyid)==1)
625
/* i.e. eof before the INFO BEGIN was found. This isn't an
632
if(strlen(keyid)!=16)
635
ret=KEYSERVER_KEY_INCOMPLETE;
639
dn=malloc(strlen("pgpCertID=")+16+1+strlen(basekeyspacedn)+1);
642
fprintf(console,"gpgkeys: can't allocate memory for keyserver record\n");
643
ret=KEYSERVER_NO_MEMORY;
647
sprintf(dn,"pgpCertID=%s,%s",keyid,basekeyspacedn);
652
fprintf(console,"gpgkeys: unable to allocate memory for key\n");
653
ret=KEYSERVER_NO_MEMORY;
659
/* Now parse each line until we see the END */
661
while(fgets(line,MAX_LINE,input)!=NULL)
662
if(sscanf(line,"INFO %16s END\n",keyid)==1)
668
build_attrs(&addlist,line);
672
fprintf(console,"gpgkeys: no INFO %s END found\n",keyid);
674
ret=KEYSERVER_KEY_INCOMPLETE;
680
/* Read and throw away stdin until we see the BEGIN */
682
while(fgets(line,MAX_LINE,input)!=NULL)
683
if(sscanf(line,"KEY %16s BEGIN\n",keyid)==1)
691
/* i.e. eof before the KEY BEGIN was found. This isn't an
698
/* Now slurp up everything until we see the END */
700
while(fgets(line,MAX_LINE,input)!=NULL)
701
if(sscanf(line,"KEY %16s END\n",keyid)==1)
709
keysize+=strlen(line);
710
tempkey=realloc(key,keysize);
713
fprintf(console,"gpgkeys: unable to reallocate for key\n");
714
ret=KEYSERVER_NO_MEMORY;
725
fprintf(console,"gpgkeys: no KEY %s END found\n",keyid);
727
ret=KEYSERVER_KEY_INCOMPLETE;
731
make_one_attr(&addlist,0,"objectClass","pgpKeyInfo");
732
make_one_attr(&addlist,0,"pgpKey",key);
734
/* Now append addlist onto modlist */
735
if(!join_two_modlists(&modlist,addlist))
737
fprintf(console,"gpgkeys: unable to merge LDAP modification lists\n");
738
ret=KEYSERVER_NO_MEMORY;
742
/* Going on the assumption that modify operations are more frequent
743
than adds, we try a modify first. If it's not there, we just
744
turn around and send an add command for the same key. Otherwise,
745
the modify brings the server copy into compliance with our copy.
746
Note that unlike the LDAP keyserver (and really, any other
747
keyserver) this does NOT merge signatures, but replaces the whole
748
key. This should make some people very happy. */
750
err=ldap_modify_s(ldap,dn,modlist);
751
if(err==LDAP_NO_SUCH_OBJECT)
752
err=ldap_add_s(ldap,dn,addlist);
754
if(err!=LDAP_SUCCESS)
756
fprintf(console,"gpgkeys: error adding key %s to keyserver: %s\n",
757
keyid,ldap_err2string(err));
758
ret=ldap_err_to_gpg_err(err);
765
/* Unwind and free the whole modlist structure */
766
for(ml=modlist;*ml;ml++)
768
free_mod_values(*ml);
777
fprintf(output,"KEY %s FAILED %d\n",keyid,ret);
783
send_key_keyserver(int *eof)
785
int err,begin=0,end=0,keysize=1,ret=KEYSERVER_INTERNAL_ERROR;
786
char *dn=NULL,line[MAX_LINE],*key[2]={NULL,NULL};
788
LDAPMod mod, *attrs[2];
790
memset(&mod,0,sizeof(mod));
791
mod.mod_op=LDAP_MOD_ADD;
792
mod.mod_type=pgpkeystr;
797
dn=malloc(strlen("pgpCertid=virtual,")+strlen(basekeyspacedn)+1);
800
fprintf(console,"gpgkeys: can't allocate memory for keyserver record\n");
801
ret=KEYSERVER_NO_MEMORY;
805
strcpy(dn,"pgpCertid=virtual,");
806
strcat(dn,basekeyspacedn);
811
fprintf(console,"gpgkeys: unable to allocate memory for key\n");
812
ret=KEYSERVER_NO_MEMORY;
818
/* Read and throw away stdin until we see the BEGIN */
820
while(fgets(line,MAX_LINE,input)!=NULL)
821
if(sscanf(line,"KEY %16s BEGIN\n",keyid)==1)
829
/* i.e. eof before the KEY BEGIN was found. This isn't an
836
/* Now slurp up everything until we see the END */
838
while(fgets(line,MAX_LINE,input)!=NULL)
839
if(sscanf(line,"KEY %16s END\n",keyid)==1)
846
keysize+=strlen(line);
847
key[0]=realloc(key[0],keysize);
850
fprintf(console,"gpgkeys: unable to reallocate for key\n");
851
ret=KEYSERVER_NO_MEMORY;
860
fprintf(console,"gpgkeys: no KEY %s END found\n",keyid);
862
ret=KEYSERVER_KEY_INCOMPLETE;
866
err=ldap_add_s(ldap,dn,attrs);
867
if(err!=LDAP_SUCCESS)
869
fprintf(console,"gpgkeys: error adding key %s to keyserver: %s\n",
870
keyid,ldap_err2string(err));
871
ret=ldap_err_to_gpg_err(err);
883
fprintf(output,"KEY %s FAILED %d\n",keyid,ret);
885
/* Not a fatal error */
886
if(ret==KEYSERVER_KEY_EXISTS)
893
build_info(const char *certid,LDAPMessage *each)
897
fprintf(output,"INFO %s BEGIN\n",certid);
899
fprintf(output,"pub:%s:",certid);
901
vals=ldap_get_values(ldap,each,"pgpkeytype");
904
if(strcmp(vals[0],"RSA")==0)
906
else if(strcmp(vals[0],"DSS/DH")==0)
907
fprintf(output,"17");
908
ldap_value_free(vals);
913
vals=ldap_get_values(ldap,each,"pgpkeysize");
917
fprintf(output,"%d",atoi(vals[0]));
918
ldap_value_free(vals);
923
vals=ldap_get_values(ldap,each,"pgpkeycreatetime");
926
if(strlen(vals[0])==15)
927
fprintf(output,"%u",(unsigned int)ldap2epochtime(vals[0]));
928
ldap_value_free(vals);
933
vals=ldap_get_values(ldap,each,"pgpkeyexpiretime");
936
if(strlen(vals[0])==15)
937
fprintf(output,"%u",(unsigned int)ldap2epochtime(vals[0]));
938
ldap_value_free(vals);
943
vals=ldap_get_values(ldap,each,"pgprevoked");
948
ldap_value_free(vals);
951
fprintf(output,"\n");
953
vals=ldap_get_values(ldap,each,"pgpuserid");
959
fprintf(output,"uid:%s\n",vals[i]);
960
ldap_value_free(vals);
963
fprintf(output,"INFO %s END\n",certid);
966
/* Note that key-not-found is not a fatal error */
968
get_key(char *getkey)
970
LDAPMessage *res,*each;
971
int ret=KEYSERVER_INTERNAL_ERROR,err,count;
972
struct keylist *dupelist=NULL;
974
/* This ordering is significant - specifically, "pgpcertid" needs to
975
be the second item in the list, since everything after it may be
976
discarded if the user isn't in verbose mode. */
977
char *attrs[]={"replaceme","pgpcertid","pgpuserid","pgpkeyid","pgprevoked",
978
"pgpdisabled","pgpkeycreatetime","modifytimestamp",
979
"pgpkeysize","pgpkeytype",NULL};
980
attrs[0]=pgpkeystr; /* Some compilers don't like using variables as
981
array initializers. */
983
/* Build the search string */
985
/* GPG can send us a v4 fingerprint, a v3 or v4 long key id, or a v3
986
or v4 short key id */
988
if(strncmp(getkey,"0x",2)==0)
991
if(strlen(getkey)==32)
994
"gpgkeys: LDAP keyservers do not support v3 fingerprints\n");
995
fprintf(output,"KEY 0x%s BEGIN\n",getkey);
996
fprintf(output,"KEY 0x%s FAILED %d\n",getkey,KEYSERVER_NOT_SUPPORTED);
997
return KEYSERVER_NOT_SUPPORTED;
1000
if(strlen(getkey)>16)
1002
char *offset=&getkey[strlen(getkey)-16];
1004
/* fingerprint. Take the last 16 characters and treat it like a
1008
sprintf(search,"(|(pgpcertid=%.16s)(pgpsubkeyid=%.16s))",
1011
sprintf(search,"(pgpcertid=%.16s)",offset);
1013
else if(strlen(getkey)>8)
1018
sprintf(search,"(|(pgpcertid=%.16s)(pgpsubkeyid=%.16s))",
1021
sprintf(search,"(pgpcertid=%.16s)",getkey);
1027
sprintf(search,"(pgpkeyid=%.8s)",getkey);
1031
fprintf(console,"gpgkeys: LDAP fetch for: %s\n",search);
1034
attrs[2]=NULL; /* keep only pgpkey(v2) and pgpcertid */
1036
err=ldap_search_s(ldap,basekeyspacedn,
1037
LDAP_SCOPE_SUBTREE,search,attrs,0,&res);
1040
int errtag=ldap_err_to_gpg_err(err);
1042
fprintf(console,"gpgkeys: LDAP search error: %s\n",ldap_err2string(err));
1043
fprintf(output,"KEY 0x%s BEGIN\n",getkey);
1044
fprintf(output,"KEY 0x%s FAILED %d\n",getkey,errtag);
1048
count=ldap_count_entries(ldap,res);
1051
fprintf(console,"gpgkeys: key %s not found on keyserver\n",getkey);
1052
fprintf(output,"KEY 0x%s BEGIN\n",getkey);
1053
fprintf(output,"KEY 0x%s FAILED %d\n",getkey,KEYSERVER_KEY_NOT_FOUND);
1057
/* There may be more than one unique result for a given keyID,
1058
so we should fetch them all (test this by fetching short key
1061
each=ldap_first_entry(ldap,res);
1064
char **vals,**certid;
1066
/* Use the long keyid to remove duplicates. The LDAP server
1067
returns the same keyid more than once if there are
1068
multiple user IDs on the key. Note that this does NOT
1069
mean that a keyid that exists multiple times on the
1070
keyserver will not be fetched. It means that each KEY,
1071
no matter how many user IDs share its keyid, will be
1072
fetched only once. If a keyid that belongs to more than
1073
one key is fetched, the server quite properly responds
1074
with all matching keys. -ds */
1076
certid=ldap_get_values(ldap,each,"pgpcertid");
1079
if(!key_in_keylist(certid[0],dupelist))
1081
/* it's not a duplicate, so add it */
1083
int rc=add_key_to_keylist(certid[0],&dupelist);
1090
build_info(certid[0],each);
1092
fprintf(output,"KEY 0x%s BEGIN\n",getkey);
1094
vals=ldap_get_values(ldap,each,pgpkeystr);
1097
int errtag=ldap_to_gpg_err(ldap);
1099
fprintf(console,"gpgkeys: unable to retrieve key %s "
1100
"from keyserver\n",getkey);
1101
fprintf(output,"KEY 0x%s FAILED %d\n",getkey,errtag);
1105
fprintf(output,"%sKEY 0x%s END\n",vals[0],getkey);
1107
ldap_value_free(vals);
1111
ldap_value_free(certid);
1114
each=ldap_next_entry(ldap,each);
1122
free_keylist(dupelist);
1128
printquoted(FILE *stream,char *string,char delim)
1132
if(*string==delim || *string=='%')
1133
fprintf(stream,"%%%02x",*string);
1135
fputc(*string,stream);
1141
/* Returns 0 on success and -1 on error. Note that key-not-found is
1144
search_key(char *searchkey)
1147
LDAPMessage *res,*each;
1149
struct keylist *dupelist=NULL;
1150
/* The maximum size of the search, including the optional stuff and
1152
char search[2+12+MAX_LINE+2+15+14+1+1];
1153
char *attrs[]={"pgpcertid","pgpuserid","pgprevoked","pgpdisabled",
1154
"pgpkeycreatetime","pgpkeyexpiretime","modifytimestamp",
1155
"pgpkeysize","pgpkeytype",NULL};
1157
fprintf(output,"SEARCH %s BEGIN\n",searchkey);
1159
/* Build the search string */
1161
sprintf(search,"%s(pgpuserid=*%s*)%s%s%s",
1162
(!(include_disabled&&include_revoked))?"(&":"",
1164
include_disabled?"":"(pgpdisabled=0)",
1165
include_revoked?"":"(pgprevoked=0)",
1166
!(include_disabled&&include_revoked)?")":"");
1169
fprintf(console,"gpgkeys: LDAP search for: %s\n",search);
1171
err=ldap_search_s(ldap,basekeyspacedn,
1172
LDAP_SCOPE_SUBTREE,search,attrs,0,&res);
1173
if(err!=LDAP_SUCCESS && err!=LDAP_SIZELIMIT_EXCEEDED)
1175
int errtag=ldap_err_to_gpg_err(err);
1177
fprintf(output,"SEARCH %s FAILED %d\n",searchkey,errtag);
1178
fprintf(console,"gpgkeys: LDAP search error: %s\n",ldap_err2string(err));
1182
/* The LDAP server doesn't return a real count of unique keys, so we
1183
can't use ldap_count_entries here. */
1184
each=ldap_first_entry(ldap,res);
1187
char **certid=ldap_get_values(ldap,each,"pgpcertid");
1191
if(!key_in_keylist(certid[0],dupelist))
1193
int rc=add_key_to_keylist(certid[0],&dupelist);
1196
fprintf(output,"SEARCH %s FAILED %d\n",searchkey,rc);
1197
free_keylist(dupelist);
1205
each=ldap_next_entry(ldap,each);
1208
if(err==LDAP_SIZELIMIT_EXCEEDED)
1209
fprintf(console,"gpgkeys: search results exceeded server limit. First %d results shown.\n",count);
1211
free_keylist(dupelist);
1215
fprintf(output,"info:1:0\n");
1218
fprintf(output,"info:1:%d\n",count);
1220
each=ldap_first_entry(ldap,res);
1225
certid=ldap_get_values(ldap,each,"pgpcertid");
1230
/* Have we seen this certid before? */
1231
if(!key_in_keylist(certid[0],dupelist))
1233
int rc=add_key_to_keylist(certid[0],&dupelist);
1236
fprintf(output,"SEARCH %s FAILED %d\n",searchkey,rc);
1237
free_keylist(dupelist);
1238
ldap_value_free(certid);
1243
fprintf(output,"pub:%s:",certid[0]);
1245
vals=ldap_get_values(ldap,each,"pgpkeytype");
1248
/* The LDAP server doesn't exactly handle this
1250
if(strcasecmp(vals[0],"RSA")==0)
1251
fprintf(output,"1");
1252
else if(strcasecmp(vals[0],"DSS/DH")==0)
1253
fprintf(output,"17");
1254
ldap_value_free(vals);
1259
vals=ldap_get_values(ldap,each,"pgpkeysize");
1262
/* Not sure why, but some keys are listed with a
1263
key size of 0. Treat that like an
1266
fprintf(output,"%d",atoi(vals[0]));
1267
ldap_value_free(vals);
1272
/* YYYYMMDDHHmmssZ */
1274
vals=ldap_get_values(ldap,each,"pgpkeycreatetime");
1275
if(vals!=NULL && strlen(vals[0])==15)
1277
fprintf(output,"%u",
1278
(unsigned int)ldap2epochtime(vals[0]));
1279
ldap_value_free(vals);
1284
vals=ldap_get_values(ldap,each,"pgpkeyexpiretime");
1285
if(vals!=NULL && strlen(vals[0])==15)
1287
fprintf(output,"%u",
1288
(unsigned int)ldap2epochtime(vals[0]));
1289
ldap_value_free(vals);
1294
vals=ldap_get_values(ldap,each,"pgprevoked");
1297
if(atoi(vals[0])==1)
1298
fprintf(output,"r");
1299
ldap_value_free(vals);
1302
vals=ldap_get_values(ldap,each,"pgpdisabled");
1305
if(atoi(vals[0])==1)
1306
fprintf(output,"d");
1307
ldap_value_free(vals);
1311
/* This is not yet specified in the keyserver
1312
protocol, but may be someday. */
1315
vals=ldap_get_values(ldap,each,"modifytimestamp");
1316
if(vals!=NULL && strlen(vals[0])==15)
1318
fprintf(output,"%u",
1319
(unsigned int)ldap2epochtime(vals[0]));
1320
ldap_value_free(vals);
1324
fprintf(output,"\n");
1326
/* Now print all the uids that have this certid */
1327
uids=ldap_first_entry(ldap,res);
1330
vals=ldap_get_values(ldap,uids,"pgpcertid");
1333
if(strcasecmp(certid[0],vals[0])==0)
1337
fprintf(output,"uid:");
1339
uidvals=ldap_get_values(ldap,uids,"pgpuserid");
1342
/* Need to escape any colons */
1343
printquoted(output,uidvals[0],':');
1344
ldap_value_free(uidvals);
1347
fprintf(output,"\n");
1350
ldap_value_free(vals);
1353
uids=ldap_next_entry(ldap,uids);
1357
ldap_value_free(certid);
1360
each=ldap_next_entry(ldap,each);
1365
free_keylist(dupelist);
1367
fprintf(output,"SEARCH %s END\n",searchkey);
1369
return KEYSERVER_OK;
1373
fail_all(struct keylist *keylist,int action,int err)
1380
fprintf(output,"SEARCH ");
1383
fprintf(output,"%s ",keylist->str);
1384
keylist=keylist->next;
1386
fprintf(output,"FAILED %d\n",err);
1391
fprintf(output,"KEY %s FAILED %d\n",keylist->str,err);
1392
keylist=keylist->next;
1397
find_basekeyspacedn(void)
1400
char *attr[]={"namingContexts",NULL,NULL,NULL};
1404
/* Look for namingContexts */
1405
err=ldap_search_s(ldap,"",LDAP_SCOPE_BASE,"(objectClass=*)",attr,0,&res);
1406
if(err==LDAP_SUCCESS)
1408
context=ldap_get_values(ldap,res,"namingContexts");
1411
attr[0]="pgpBaseKeySpaceDN";
1412
attr[1]="pgpVersion";
1413
attr[2]="pgpSoftware";
1417
/* We found some, so try each namingContext as the search base
1418
and look for pgpBaseKeySpaceDN. Because we found this, we
1419
know we're talking to a regular-ish LDAP server and not a
1422
for(i=0;context[i] && !basekeyspacedn;i++)
1425
LDAPMessage *si_res;
1428
object=malloc(17+strlen(context[i])+1);
1432
strcpy(object,"cn=pgpServerInfo,");
1433
strcat(object,context[i]);
1435
err=ldap_search_s(ldap,object,LDAP_SCOPE_BASE,
1436
"(objectClass=*)",attr,0,&si_res);
1439
if(err==LDAP_NO_SUCH_OBJECT)
1441
else if(err!=LDAP_SUCCESS)
1444
vals=ldap_get_values(ldap,si_res,"pgpBaseKeySpaceDN");
1447
basekeyspacedn=strdup(vals[0]);
1448
ldap_value_free(vals);
1453
vals=ldap_get_values(ldap,si_res,"pgpSoftware");
1456
fprintf(console,"Server: \t%s\n",vals[0]);
1457
ldap_value_free(vals);
1460
vals=ldap_get_values(ldap,si_res,"pgpVersion");
1463
fprintf(console,"Version:\t%s\n",vals[0]);
1464
ldap_value_free(vals);
1468
ldap_msgfree(si_res);
1471
ldap_value_free(context);
1478
/* We don't have an answer yet, which means the server might be
1479
a LDAP keyserver. */
1481
LDAPMessage *si_res;
1483
attr[0]="pgpBaseKeySpaceDN";
1487
err=ldap_search_s(ldap,"cn=pgpServerInfo",LDAP_SCOPE_BASE,
1488
"(objectClass=*)",attr,0,&si_res);
1489
if(err!=LDAP_SUCCESS)
1492
/* For the LDAP keyserver, this is always "OU=ACTIVE,O=PGP
1493
KEYSPACE,C=US", but it might not be in the future. */
1495
vals=ldap_get_values(ldap,si_res,"baseKeySpaceDN");
1498
basekeyspacedn=strdup(vals[0]);
1499
ldap_value_free(vals);
1504
vals=ldap_get_values(ldap,si_res,"software");
1507
fprintf(console,"Server: \t%s\n",vals[0]);
1508
ldap_value_free(vals);
1512
vals=ldap_get_values(ldap,si_res,"version");
1516
fprintf(console,"Version:\t%s\n",vals[0]);
1518
/* If the version is high enough, use the new pgpKeyV2
1519
attribute. This design if iffy at best, but it matches how
1520
PGP does it. I figure the NAI folks assumed that there would
1521
never be a LDAP keyserver vendor with a different numbering
1524
pgpkeystr="pgpKeyV2";
1526
ldap_value_free(vals);
1529
ldap_msgfree(si_res);
1532
return LDAP_SUCCESS;
1536
show_help (FILE *fp)
1538
fprintf (fp,"-h\thelp\n");
1539
fprintf (fp,"-V\tversion\n");
1540
fprintf (fp,"-o\toutput to this file\n");
1544
main(int argc,char *argv[])
1546
int debug=0,port=0,arg,err,action=-1,ret=KEYSERVER_INTERNAL_ERROR;
1547
char line[MAX_LINE];
1548
int version,failed=0,use_ssl=0,use_tls=0,bound=0;
1549
struct keylist *keylist=NULL,*keyptr=NULL;
1550
unsigned int timeout=DEFAULT_KEYSERVER_TIMEOUT;
1554
/* Kludge to implement standard GNU options. */
1555
if (argc > 1 && !strcmp (argv[1], "--version"))
1557
fputs ("gpgkeys_ldap (GnuPG) " VERSION"\n", stdout);
1560
else if (argc > 1 && !strcmp (argv[1], "--help"))
1566
while((arg=getopt(argc,argv,"hVo:"))!=-1)
1571
show_help (console);
1572
return KEYSERVER_OK;
1575
fprintf(stdout,"%d\n%s\n",KEYSERVER_PROTO_VERSION,VERSION);
1576
return KEYSERVER_OK;
1579
output=fopen(optarg,"w");
1582
fprintf(console,"gpgkeys: Cannot open output file `%s': %s\n",
1583
optarg,strerror(errno));
1584
return KEYSERVER_INTERNAL_ERROR;
1593
input=fopen(argv[optind],"r");
1596
fprintf(console,"gpgkeys: Cannot open input file `%s': %s\n",
1597
argv[optind],strerror(errno));
1598
return KEYSERVER_INTERNAL_ERROR;
1608
/* Get the command and info block */
1610
while(fgets(line,MAX_LINE,input)!=NULL)
1613
char optionstr[256];
1620
if(sscanf(line,"%c",&hash)==1 && hash=='#')
1623
if(sscanf(line,"COMMAND %6s\n",commandstr)==1)
1627
if(strcasecmp(commandstr,"get")==0)
1629
else if(strcasecmp(commandstr,"send")==0)
1631
else if(strcasecmp(commandstr,"search")==0)
1637
if(sscanf(line,"HOST %79s\n",host)==1)
1643
if(sscanf(line,"PORT %9s\n",portstr)==1)
1650
if(sscanf(line,"SCHEME %79s\n",schemestr)==1)
1653
if(strcasecmp(schemestr,"ldaps")==0)
1661
if(sscanf(line,"VERSION %d\n",&version)==1)
1663
if(version!=KEYSERVER_PROTO_VERSION)
1665
ret=KEYSERVER_VERSION_ERROR;
1672
if(sscanf(line,"OPTION %255[^\n]\n",optionstr)==1)
1675
char *start=&optionstr[0];
1677
optionstr[255]='\0';
1679
if(strncasecmp(optionstr,"no-",3)==0)
1682
start=&optionstr[3];
1685
if(strcasecmp(start,"verbose")==0)
1692
else if(strcasecmp(start,"include-disabled")==0)
1699
else if(strcasecmp(start,"include-revoked")==0)
1706
else if(strcasecmp(start,"include-subkeys")==0)
1713
else if(strncasecmp(start,"tls",3)==0)
1717
else if(start[3]=='=')
1719
if(strcasecmp(&start[4],"no")==0)
1721
else if(strcasecmp(&start[4],"try")==0)
1723
else if(strcasecmp(&start[4],"warn")==0)
1725
else if(strcasecmp(&start[4],"require")==0)
1730
else if(start[3]=='\0')
1733
else if(strncasecmp(start,"debug",5)==0)
1737
else if(start[5]=='=')
1738
debug=atoi(&start[6]);
1740
else if(strncasecmp(start,"basedn",6)==0)
1744
free(basekeyspacedn);
1745
basekeyspacedn=NULL;
1747
else if(start[6]=='=')
1749
free(basekeyspacedn);
1750
basekeyspacedn=strdup(&start[7]);
1753
fprintf(console,"gpgkeys: out of memory while creating "
1755
ret=KEYSERVER_NO_MEMORY;
1762
else if(strncasecmp(start,"timeout",7)==0)
1766
else if(start[7]=='=')
1767
timeout=atoi(&start[8]);
1768
else if(start[7]=='\0')
1769
timeout=DEFAULT_KEYSERVER_TIMEOUT;
1776
if(timeout && register_timeout()==-1)
1778
fprintf(console,"gpgkeys: unable to register timeout handler\n");
1779
return KEYSERVER_INTERNAL_ERROR;
1782
/* SSL trumps TLS */
1786
/* If it's a GET or a SEARCH, the next thing to come in is the
1787
keyids. If it's a SEND, then there are no keyids. */
1790
while(fgets(line,MAX_LINE,input)!=NULL && line[0]!='\n');
1791
else if(action==GET || action==SEARCH)
1795
struct keylist *work;
1797
if(fgets(line,MAX_LINE,input)==NULL)
1801
if(line[0]=='\n' || line[0]=='\0')
1804
work=malloc(sizeof(struct keylist));
1807
fprintf(console,"gpgkeys: out of memory while "
1808
"building key list\n");
1809
ret=KEYSERVER_NO_MEMORY;
1813
strcpy(work->str,line);
1815
/* Trim the trailing \n */
1816
work->str[strlen(line)-1]='\0';
1820
/* Always attach at the end to keep the list in proper
1821
order for searching */
1833
fprintf(console,"gpgkeys: no keyserver command specified\n");
1837
/* Send the response */
1839
fprintf(output,"VERSION %d\n",KEYSERVER_PROTO_VERSION);
1840
fprintf(output,"PROGRAM %s\n\n",VERSION);
1844
fprintf(console,"Host:\t\t%s\n",host);
1846
fprintf(console,"Port:\t\t%d\n",port);
1847
fprintf(console,"Command:\t%s\n",action==GET?"GET":
1848
action==SEND?"SEND":"SEARCH");
1853
#if defined(LDAP_OPT_DEBUG_LEVEL) && defined(HAVE_LDAP_SET_OPTION)
1854
err=ldap_set_option(NULL,LDAP_OPT_DEBUG_LEVEL,&debug);
1855
if(err!=LDAP_SUCCESS)
1856
fprintf(console,"gpgkeys: unable to set debug mode: %s\n",
1857
ldap_err2string(err));
1859
fprintf(console,"gpgkeys: debug level %d\n",debug);
1861
fprintf(console,"gpgkeys: not built with debugging support\n");
1865
/* We have a timeout set for the setup stuff since it could time out
1867
set_timeout(timeout);
1869
/* Note that this tries all A records on a given host (or at least,
1871
ldap=ldap_init(host,port);
1874
fprintf(console,"gpgkeys: internal LDAP init error: %s\n",
1876
fail_all(keylist,action,KEYSERVER_INTERNAL_ERROR);
1882
#if defined(LDAP_OPT_X_TLS_HARD) && defined(HAVE_LDAP_SET_OPTION)
1883
int ssl=LDAP_OPT_X_TLS_HARD;
1884
err=ldap_set_option(ldap,LDAP_OPT_X_TLS,&ssl);
1885
if(err!=LDAP_SUCCESS)
1887
fprintf(console,"gpgkeys: unable to make SSL connection: %s\n",
1888
ldap_err2string(err));
1889
fail_all(keylist,action,ldap_err_to_gpg_err(err));
1893
fprintf(console,"gpgkeys: unable to make SSL connection: %s\n",
1894
"not built with LDAPS support");
1895
fail_all(keylist,action,KEYSERVER_INTERNAL_ERROR);
1901
if((err=find_basekeyspacedn()) || !basekeyspacedn)
1903
fprintf(console,"gpgkeys: unable to retrieve LDAP base: %s\n",
1904
err?ldap_err2string(err):"not found");
1905
fail_all(keylist,action,ldap_err_to_gpg_err(err));
1909
/* use_tls: 0=don't use, 1=try silently to use, 2=try loudly to use,
1916
fprintf(console,"gpgkeys: unable to start TLS: %s\n",
1917
"not supported by the NAI LDAP keyserver");
1920
fail_all(keylist,action,KEYSERVER_INTERNAL_ERROR);
1926
#if defined(HAVE_LDAP_START_TLS_S) && defined(HAVE_LDAP_SET_OPTION)
1927
int ver=LDAP_VERSION3;
1931
err=ldap_set_option(ldap,LDAP_OPT_PROTOCOL_VERSION,&ver);
1932
if(err==LDAP_SUCCESS)
1933
err=ldap_start_tls_s(ldap,NULL,NULL);
1935
if(err!=LDAP_SUCCESS)
1937
if(use_tls==2 || verbose>2)
1938
fprintf(console,"gpgkeys: unable to start TLS: %s\n",
1939
ldap_err2string(err));
1940
/* Are we forcing it? */
1943
fail_all(keylist,action,ldap_err_to_gpg_err(err));
1947
else if(err==LDAP_SUCCESS && verbose>1)
1948
fprintf(console,"gpgkeys: TLS started successfully.\n");
1951
fprintf(console,"gpgkeys: unable to start TLS: %s\n",
1952
"not built with TLS support");
1955
fail_all(keylist,action,KEYSERVER_INTERNAL_ERROR);
1963
/* The LDAP keyserver doesn't require this, but it might be useful
1964
if someone stores keys on a V2 LDAP server somewhere. (V3
1965
doesn't require a bind). Leave this out for now since it is not
1966
clear if anyone server we're likely to use really cares, plus
1967
there are some servers that don't allow it. */
1969
err=ldap_simple_bind_s(ldap,NULL,NULL);
1972
fprintf(console,"gpgkeys: internal LDAP bind error: %s\n",
1973
ldap_err2string(err));
1974
fail_all(keylist,action,ldap_err_to_gpg_err(err));
1988
set_timeout(timeout);
1990
if(get_key(keyptr->str)!=KEYSERVER_OK)
1993
keyptr=keyptr->next;
2003
set_timeout(timeout);
2007
if(send_key(&eof)!=KEYSERVER_OK)
2012
if(send_key_keyserver(&eof)!=KEYSERVER_OK)
2022
char *searchkey=NULL;
2025
set_timeout(timeout);
2027
/* To search, we stick a * in between each key to search for.
2028
This means that if the user enters words, they'll get
2029
"enters*words". If the user "enters words", they'll get
2035
len+=strlen(keyptr->str)+1;
2036
keyptr=keyptr->next;
2039
searchkey=malloc(len+1);
2042
ret=KEYSERVER_NO_MEMORY;
2043
fail_all(keylist,action,KEYSERVER_NO_MEMORY);
2052
strcat(searchkey,keyptr->str);
2053
strcat(searchkey,"*");
2054
keyptr=keyptr->next;
2057
/* Nail that last "*" */
2059
searchkey[strlen(searchkey)-1]='\0';
2061
if(search_key(searchkey)!=KEYSERVER_OK)
2075
while(keylist!=NULL)
2077
struct keylist *current=keylist;
2078
keylist=keylist->next;
2088
if(ldap!=NULL && bound)
2089
ldap_unbind_s(ldap);
2091
free(basekeyspacedn);