gpgsm: New compatibility flag "allow-ecc-encr".

* sm/gpgsm.h (COMPAT_ALLOW_ECC_ENCR): New.
* sm/gpgsm.c (compatibility_flags): Add new flag.
* sm/encrypt.c (encrypt_dek): Allw ECC only if flag is set.
--

ECC encryption was not part of the original VS evaluation.  Until this
has been re-evaluated we hide this feature behind this flag.

GnuPG-bug-id: 6253

3 files changed, 6 insertions, 1 deletions

diff --git a/sm/encrypt.c b/sm/encrypt.c
index 6210f310a..fb36977af 100644
--- a/sm/encrypt.c
+++ b/sm/encrypt.c
@@ -483,7 +483,10 @@ encrypt_dek (const DEK dek, ksba_cert_t cert, int pk_algo,
   s_data = NULL; /* (avoid compiler warning) */
   if (pk_algo == GCRY_PK_ECC)
     {
-      rc = ecdh_encrypt (dek, s_pkey, &s_ciph);
+      if (!(opt.compat_flags & COMPAT_ALLOW_ECC_ENCR))
+        rc = gpg_error (GPG_ERR_NOT_SUPPORTED);
+      else
+        rc = ecdh_encrypt (dek, s_pkey, &s_ciph);
     }
   else
     {
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index 27168904c..70952391a 100644
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -463,6 +463,7 @@ static struct debug_flags_s debug_flags [] =
 static struct compatibility_flags_s compatibility_flags [] =
   {
     { COMPAT_ALLOW_KA_TO_ENCR, "allow-ka-to-encr" },
+    { COMPAT_ALLOW_ECC_ENCR,   "allow-ecc-encr" },
     { 0, NULL }
   };
 
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index b74b41419..d7bc13565 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -181,6 +181,7 @@ struct
  *  policies: 1.3.6.1.4.1.7924.1.1:N:
  */
 #define COMPAT_ALLOW_KA_TO_ENCR   1
+#define COMPAT_ALLOW_ECC_ENCR     2
 
 
 /* Forward declaration for an object defined in server.c */