mirror of git://git.gnupg.org/gnupg.git synced 2025-07-02 22:46:30 +02:00

gpg: Protect against rogue keyservers sending secret keys.

* g10/options.h (IMPORT_NO_SECKEY): New.
* g10/keyserver.c (keyserver_spawn, keyserver_import_cert): Set new
flag.
* g10/import.c (import_secret_one): Deny import if flag is set.
--

By modifying a keyserver or a DNS record to send a secret key, an
attacker could trick a user into signing using a different key and
user id.  The trust model should protect against such rogue keys but
we better make sure that secret keys are never received from remote
sources.

Suggested-by: Stefan Tomanek
Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch 2013-10-04 13:44:39 +02:00
parent dd868acb0d
commit e7abed3448
3 changed files with 22 additions and 10 deletions


@ -31,7 +31,7 @@
#if defined (__riscos__) && !defined (INCLUDED_BY_MAIN_MODULE)
#define EXTERN_UNLESS_MAIN_MODULE extern
#else
#define EXTERN_UNLESS_MAIN_MODULE
#define EXTERN_UNLESS_MAIN_MODULE
#endif
#endif
@ -85,7 +85,7 @@ struct
int completes_needed;
int max_cert_depth;
const char *homedir;
const char *agent_program;
const char *agent_program;
/* Options to be passed to the gpg-agent */
session_env_t session_env;
@ -207,7 +207,7 @@ struct
/* If > 0, limit the number of card insertion prompts to this
value. */
int limit_card_insert_tries;
int limit_card_insert_tries;
#ifdef ENABLE_CARD_SUPPORT
/* FIXME: We don't needs this here as it is done in scdaemon. */
@ -236,8 +236,8 @@ struct
enum {
AKL_NODEFAULT,
AKL_LOCAL,
AKL_CERT,
AKL_PKA,
AKL_CERT,
AKL_PKA,
AKL_LDAP,
AKL_KEYSERVER,
AKL_SPEC
@ -317,6 +317,7 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode;
#define IMPORT_MERGE_ONLY (1<<4)
#define IMPORT_MINIMAL (1<<5)
#define IMPORT_CLEAN (1<<6)
#define IMPORT_NO_SECKEY (1<<7)
#define EXPORT_LOCAL_SIGS (1<<0)
#define EXPORT_ATTRIBUTES (1<<1)