gpg: Do not use import-clean for LDAP keyserver imports.

* g10/options.h (opts): New field expl_import_only.
* g10/import.c (parse_import_options): Set it.
* g10/keyserver.c (keyserver_get_chunk): Add special options for LDAP.
--

I can be assumed that configured LDAP servers are somehow curated and
not affected by rogue key signatures as the HKP servers are.  Thus we
don't clean the key anymore so that key certifications are kept even
if the public key has not yet been imported.

See-commit: 6c26e593df
GnuPG-bug-id: 5387

g10/keyserver.c

@@ -1771,13 +1771,17 @@ keyserver_get_chunk (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
          never accept or send them but we better protect against rogue
          keyservers. */
 
-      /* For LDAP servers we reset IMPORT_SELF_SIGS_ONLY unless it has
-       * been set explicitly.  */
+      /* For LDAP servers we reset IMPORT_SELF_SIGS_ONLY and
+       * IMPORT_CLEAN unless they have been set explicitly.  */
       options = (opt.keyserver_options.import_options | IMPORT_NO_SECKEY);
       if (source && (!strncmp (source, "ldap:", 5)
-                     || !strncmp (source, "ldaps:", 6))
-          && !opt.flags.expl_import_self_sigs_only)
-        options &= ~IMPORT_SELF_SIGS_ONLY;
+                     || !strncmp (source, "ldaps:", 6)))
+        {
+          if (!opt.flags.expl_import_self_sigs_only)
+            options &= ~IMPORT_SELF_SIGS_ONLY;
+          if (!opt.flags.expl_import_clean)
+            options &= ~IMPORT_CLEAN;
+        }
 
       screenerarg.desc = desc;
       screenerarg.ndesc = *r_ndesc_used;