gpg,sm: Fix compliance checking for decryption.

* common/compliance.c (gnupg_pk_is_compliant): Remove the Elgamal signing check. We don't support Elgamal signing at all. (gnupg_pk_is_allowed) <de-vs>: Revert encryption/decryption for RSA. Check the curvenames for ECDH. * g10/pubkey-enc.c (get_session_key): Print only a warning if the key is not compliant. * sm/decrypt.c (gpgsm_decrypt): Ditto. Use the same string as in gpg so that we have only one translation. -- We always allow decryption and print only a note if the key was not complaint at the encryption site. GnuPG-bug-id: 3308 Signed-off-by: Werner Koch <wk@gnupg.org>
author: Werner Koch <wk@gnupg.org> 2017-07-27 13:56:38 +0200
committer: Werner Koch <wk@gnupg.org> 2017-07-27 13:56:38 +0200
commit: a0d0cbee7654ad7582400efaa92d493cd8e669e9 (patch)
tree: 20bfb26e2b78690f8ab54dc115dd5543f3331618 /sm/decrypt.c
parent: indent: Wrap an overlong line. (diff)
download: gnupg2-a0d0cbee7654ad7582400efaa92d493cd8e669e9.tar.xz
gnupg2-a0d0cbee7654ad7582400efaa92d493cd8e669e9.zip
1 files changed, 12 insertions, 10 deletions
diff --git a/sm/decrypt.c b/sm/decrypt.c
index 170ad5ad3..3de742a25 100644
--- a/sm/decrypt.c
+++ b/sm/decrypt.c
@@ -480,17 +480,19 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
                     unsigned int nbits;
                     int pk_algo = gpgsm_get_key_algo_info (cert, &nbits);
 
-                    /* Check compliance.  */
-                    if (! gnupg_pk_is_allowed (opt.compliance,
-                                               PK_USE_DECRYPTION,
-                                               pk_algo, NULL, nbits, NULL))
+                    /* Print compliance warning.  */
+                    if (! gnupg_pk_is_compliant (opt.compliance,
+                                                 pk_algo, NULL, nbits, NULL))
                       {
-                        log_error ("certificate ID 0x%08lX not suitable for "
-                                   "decryption while in %s mode\n",
-                                   gpgsm_get_short_fingerprint (cert, NULL),
-                                   gnupg_compliance_option_string (opt.compliance));
-                        rc = gpg_error (GPG_ERR_PUBKEY_ALGO);
-                        goto oops;
+                        char  kidstr[10+1];
+
+                        snprintf (kidstr, sizeof kidstr, "0x%08lX",
+                                  gpgsm_get_short_fingerprint (cert, NULL));
+                        log_info
+                          (_("Note: key %s was not suitable for encryption"
+                             " in %s mode\n"),
+                           kidstr,
+                           gnupg_compliance_option_string (opt.compliance));
                       }
 
                     /* Check that all certs are compliant with CO_DE_VS.  */
author	Werner Koch <wk@gnupg.org>	2017-07-27 13:56:38 +0200
committer	Werner Koch <wk@gnupg.org>	2017-07-27 13:56:38 +0200
commit	a0d0cbee7654ad7582400efaa92d493cd8e669e9 (patch)
tree	20bfb26e2b78690f8ab54dc115dd5543f3331618 /sm/decrypt.c
parent	indent: Wrap an overlong line. (diff)
download	gnupg2-a0d0cbee7654ad7582400efaa92d493cd8e669e9.tar.xz gnupg2-a0d0cbee7654ad7582400efaa92d493cd8e669e9.zip