gpg: Protect against rogue keyservers sending secret keys.

* g10/options.h (IMPORT_NO_SECKEY): New. * g10/keyserver.c (keyserver_spawn, keyserver_import_cert): Set new flag. * g10/import.c (import_secret_one): Deny import if flag is set. -- By modifying a keyserver or a DNS record to send a secret key, an attacker could trick a user into signing using a different key and user id. The trust model should protect against such rogue keys but we better make sure that secret keys are never received from remote sources. Suggested-by: Stefan Tomanek Signed-off-by: Werner Koch <wk@gnupg.org> (cherry picked from commit e7abed3448) Resolved conflicts: g10/options.h
2025-07-02 22:46:30 +02:00 · 2013-10-04 13:44:39 +02:00 · 2013-10-04 13:44:39 +02:00 · d74dd36c11
commit d74dd36c11
parent fe0fb5e6b0
3 changed files with 20 additions and 8 deletions
--- a/g10/import.c
+++ b/g10/import.c
@ -1175,6 +1175,12 @@ import_secret_one( const char *fname, KBNODE keyblock,
      }
    stats->secret_read++;

+    if ((options & IMPORT_NO_SECKEY))
+      {
+        log_error (_("importing secret keys not allowed\n"));
+        return 0;
+      }
+
    if( !uidnode )
      {
 	log_error( _("key %s: no user ID\n"), keystr_from_sk(sk));