From ed33264fe2ca1bc9a8e657cdc9561b6a357f25d7 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 7 Dec 2000 10:55:10 +0000 Subject: [PATCH] New option --allow-secret-key-import --- NEWS | 3 +++ THANKS | 1 + doc/gpg.sgml | 9 +++++++++ g10/ChangeLog | 8 ++++++++ g10/g10.c | 3 +++ g10/import.c | 26 ++++++++++++++++++-------- g10/options.h | 1 + 7 files changed, 43 insertions(+), 8 deletions(-) diff --git a/NEWS b/NEWS index a6c34bf83..28ffeb278 100644 --- a/NEWS +++ b/NEWS @@ -8,6 +8,9 @@ ! and make sure that they don't pipe the signed material to stdin ! ! without using a filename and "-" on the the command line. ! + * Secret keys are no longer imported unless you use the new option + --allow-secret-key-import. + * Support for the gpg-agent from gpg 1.1 * Better LFS support. diff --git a/THANKS b/THANKS index e6fed9598..71aa72e75 100644 --- a/THANKS +++ b/THANKS @@ -42,6 +42,7 @@ Enzo Michelangeli em@MailAndNews.com Ernst Molitor ernst.molitor@uni-bonn.de Fabio Coatti cova@ferrara.linux.it Felix von Leitner leitner@amdiv.de +Florian Weimer Florian.Weimer@rus.uni-stuttgart.de Frank Donahoe fdonahoe@wilkes1.wilkes.edu Frank Heckenbach heckenb@mi.uni-erlangen.de Frank Stajano frank.stajano@cl.cam.ac.uk diff --git a/doc/gpg.sgml b/doc/gpg.sgml index 342ee580b..8cbd326ca 100644 --- a/doc/gpg.sgml +++ b/doc/gpg.sgml @@ -479,6 +479,7 @@ command --update-trustdb. There are a few other options which control how this command works. Most notable here is the --merge-only options which does not insert new keys but does only the merging of new signatures, user-IDs and subkeys. +See also the option --allow-secret-key-import. @@ -1404,6 +1405,14 @@ handing out the secret key. Don't insert new keys into the keyrings while doing an import. + +--allow-secret-key-import + +Allow import of secret keys. The import command normally skips secret +keys because a secret key can otherwise be used to attack the trust +calculation. + + --try-all-secrets 
diff --git a/g10/ChangeLog b/g10/ChangeLog index 305a4d341..9ebb3378c 100644 --- a/g10/ChangeLog +++ b/g10/ChangeLog @@ -1,3 +1,11 @@ +2000-12-07 Werner Koch + + * g10.c: New option --allow-secret-key-import. + * import.c (import_keys,import_keys_stream): Honor this option. + (import): New arg allow_secret and pass that arg down to ... + (import_secret_one): to this and print a warnign if secret key + importing is not allowed. + 2000-12-05 Werner Koch * cipher.c (cipher_filter): Moved the end_encryption status ... diff --git a/g10/g10.c b/g10/g10.c index 3d42c3734..d98ec0785 100644 --- a/g10/g10.c +++ b/g10/g10.c @@ -183,6 +183,7 @@ enum cmd_and_opt_values { aNull = 0, oDisablePubkeyAlgo, oAllowNonSelfsignedUID, oAllowFreeformUID, + oAllowSecretKeyImport, oEnableSpecialFilenames, oNoLiteral, oSetFilesize, @@ -389,6 +390,7 @@ static ARGPARSE_OPTS opts[] = { { oNoRandomSeedFile, "no-random-seed-file", 0, "@" }, { oNoAutoKeyRetrieve, "no-auto-key-retrieve", 0, "@" }, { oMergeOnly, "merge-only", 0, "@" }, + { oAllowSecretKeyImport, "allow-secret-key-import", 0, "@" }, { oTryAllSecrets, "try-all-secrets", 0, "@" }, { oEnableSpecialFilenames, "enable-special-filenames", 0, "@" }, { oEmu3DESS2KBug, "emulate-3des-s2k-bug", 0, "@"}, @@ -954,6 +956,7 @@ main( int argc, char **argv ) opt.override_session_key = pargs.r.ret_str; break; case oMergeOnly: opt.merge_only = 1; break; + case oAllowSecretKeyImport: opt.allow_secret_key_import = 1; break; case oTryAllSecrets: opt.try_all_secrets = 1; break; case oTrustedKey: register_trusted_key( pargs.r.ret_str ); break; case oEnableSpecialFilenames: diff --git a/g10/import.c b/g10/import.c index 6bd1582dc..dc24edf48 100644 --- a/g10/import.c +++ b/g10/import.c 
@@ -54,11 +54,11 @@ static struct { } stats; -static int import( IOBUF inp, int fast, const char* fname ); +static int import( IOBUF inp, int fast, const char* fname, int allow_secret ); static void print_stats(void); static int read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root ); static int import_one( const char *fname, KBNODE keyblock, int fast ); -static int import_secret_one( const char *fname, KBNODE keyblock ); +static int import_secret_one( const char *fname, KBNODE keyblock, int allow ); static int import_revoke_cert( const char *fname, KBNODE node ); static int chk_self_sigs( const char *fname, KBNODE keyblock, PKT_public_key *pk, u32 *keyid ); @@ -127,7 +127,7 @@ import_keys( char **fnames, int nnames, int fast ) if( !inp ) log_error(_("can't open `%s': %s\n"), fname, strerror(errno) ); else { - int rc = import( inp, fast, fname ); + int rc = import( inp, fast, fname, opt.allow_secret_key_import ); iobuf_close(inp); if( rc ) log_error("import from `%s' failed: %s\n", fname, @@ -148,7 +148,7 @@ import_keys_stream( IOBUF inp, int fast ) /* fixme: don't use static variables */ memset( &stats, 0, sizeof( stats ) ); - rc = import( inp, fast, "[stream]" ); + rc = import( inp, fast, "[stream]", opt.allow_secret_key_import ); print_stats(); if( !fast ) sync_trustdb(); @@ -156,7 +156,7 @@ import_keys_stream( IOBUF inp, int fast ) } static int -import( IOBUF inp, int fast, const char* fname ) +import( IOBUF inp, int fast, const char* fname, int allow_secret ) { PACKET *pending_pkt = NULL; KBNODE keyblock; 
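Review bot: The new allow_secret argument reaches import() by a different route than fast: import_keys and import_keys_stream receive fast from their callers but read the secret-key flag from the global opt themselves, at `int rc = import( inp, fast, fname, opt.allow_secret_key_import );` and, in the next hunk, `rc = import( inp, fast, "[stream]", opt.allow_secret_key_import );`. Since both callers pass the same global, import() could read `opt.allow_secret_key_import` directly and the prototype change in the first hunk of this file would not be needed; if the parameter is instead meant to let a future caller override the option, a short comment on the prototype saying so would explain why it is threaded through. The bodies of import_keys, import_keys_stream and import() continue outside their hunks.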
@@ -173,8 +173,8 @@ import( IOBUF inp, int fast, const char* fname ) while( !(rc = read_block( inp, &pending_pkt, &keyblock) )) { if( keyblock->pkt->pkttype == PKT_PUBLIC_KEY ) rc = import_one( fname, keyblock, fast ); - else if( keyblock->pkt->pkttype == PKT_SECRET_KEY ) - rc = import_secret_one( fname, keyblock ); + else if( keyblock->pkt->pkttype == PKT_SECRET_KEY ) + rc = import_secret_one( fname, keyblock, allow_secret ); else if( keyblock->pkt->pkttype == PKT_SIGNATURE && keyblock->pkt->pkt.signature->sig_class == 0x20 ) rc = import_revoke_cert( fname, keyblock ); @@ -556,9 +556,12 @@ import_one( const char *fname, KBNODE keyblock, int fast ) /**************** * Ditto for secret keys. Handling is simpler than for public keys. + * We allow secret key importing only when allow is true, this is so + * that a secret key can not be imported accidently and thereby tampering + * with the trust calculation. */ static int -import_secret_one( const char *fname, KBNODE keyblock ) +import_secret_one( const char *fname, KBNODE keyblock, int allow ) { PKT_secret_key *sk; KBNODE node, uidnode; @@ -586,6 +589,13 @@ import_secret_one( const char *fname, KBNODE keyblock ) putc('\n', stderr); } stats.secret_read++; + if (!allow) { + log_info ( _("secret key %08lX not imported " + "(use %s to allow for it)\n"), + (ulong)keyid[1], "--allow-secret-key-import"); + return 0; + } + if( !uidnode ) { log_error( _("key %08lX: no user ID\n"), (ulong)keyid[1]); return 0; diff --git a/g10/options.h b/g10/options.h index fedd2f362..55c2a18fa 100644 --- a/g10/options.h +++ b/g10/options.h @@ -97,6 +97,7 @@ struct { int show_session_key; int use_agent; int merge_only; + int allow_secret_key_import; int try_all_secrets; } opt;
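Review bot: The added comment on import_secret_one has a typo and a dangling clause ("accidently", "and thereby tampering with"); suggested wording: ` * We import secret keys only when allow is true, so that a secret key cannot be imported accidentally and thereby tamper with the trust calculation.` It would also help to state the contract of the new argument, e.g. ` * When allow is false the key is logged and skipped, and the function still returns 0.`, which is the behaviour visible in the later hunk of this file. The function body continues past the hunk.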
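Review bot: A refused secret key leaves no trace in the statistics: stats.secret_read++ runs on the line before the new `if (!allow)` block, which then returns 0 without incrementing any counter, so the summary from print_stats (declared at the top of the file) can presumably show the key as read but not as skipped. Consider adding a skipped-secret-keys counter next to secret_read and incrementing it before the `return 0;` in this branch so the summary and the log_info line agree. Returning 0 for a skipped key is reasonable since it is not an error, but note that import() then receives the same rc as for an imported key. The message `"(use %s to allow for it)\n"` reads awkwardly; `"(use %s to allow it)\n"` says the same. import_secret_one continues outside the hunk.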