gpg: Protect against rogue keyservers sending secret keys.

* g10/options.h (IMPORT_NO_SECKEY): New.
* g10/keyserver.c (keyserver_spawn, keyserver_import_cert): Set new
flag.
* g10/import.c (import_secret_one): Deny import if flag is set.
--

By modifying a keyserver or a DNS record to send a secret key, an
attacker could trick a user into signing using a different key and
user id.  The trust model should protect against such rogue keys but
we better make sure that secret keys are never received from remote
sources.

Suggested-by: Stefan Tomanek
Signed-off-by: Werner Koch <[email protected]>
(cherry picked from commit e7abed3448c1c1a4e756c12f95b665b517d22ebe)

Resolved conflicts:
	g10/import.c
	g10/keyserver.c

1 files changed, 6 insertions, 0 deletions

diff --git a/g10/import.c b/g10/import.c
index 74443ef10..c3ad53632 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -1563,6 +1563,12 @@ import_secret_one (ctrl_t ctrl, const char *fname, KBNODE keyblock,
     }
   stats->secret_read++;
 
+  if ((options & IMPORT_NO_SECKEY))
+    {
+      log_error (_("importing secret keys not allowed\n"));
+      return 0;
+    }
+
   if (!uidnode)
     {
       log_error( _("key %s: no user ID\n"), keystr_from_pk (pk));