2 files changed, 15 insertions, 4 deletions

diff --git a/common/compliance.c b/common/compliance.c
index c2daa654e..bcf621a45 100644
--- a/common/compliance.c
+++ b/common/compliance.c
@@ -193,9 +193,11 @@ gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
 }
 
 
-/* Return true if CIPHER is compliant to the given COMPLIANCE mode.  */
+/* Return true if (CIPHER, MODE) is compliant to the given COMPLIANCE mode.  */
 int
-gnupg_cipher_is_compliant (enum gnupg_compliance_mode compliance, cipher_algo_t cipher)
+gnupg_cipher_is_compliant (enum gnupg_compliance_mode compliance,
+			   cipher_algo_t cipher,
+			   enum gcry_cipher_modes mode)
 {
   log_assert (initialized);
 
@@ -208,7 +210,15 @@ gnupg_cipher_is_compliant (enum gnupg_compliance_mode compliance, cipher_algo_t
 	case CIPHER_ALGO_AES192:
 	case CIPHER_ALGO_AES256:
 	case CIPHER_ALGO_3DES:
-	  return 1;
+	  switch (module)
+	    {
+	    case GNUPG_MODULE_NAME_GPG:
+	      return mode == GCRY_CIPHER_MODE_CFB;
+	    case GNUPG_MODULE_NAME_GPGSM:
+	      return mode == GCRY_CIPHER_MODE_CBC;
+	    }
+	  log_assert (!"reached");
+
 	default:
 	  return 0;
 	}
diff --git a/common/compliance.h b/common/compliance.h
index 7235b007b..e57495da2 100644
--- a/common/compliance.h
+++ b/common/compliance.h
@@ -45,7 +45,8 @@ int gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
                            gcry_mpi_t key[], unsigned int keylength,
                            const char *curvename);
 int gnupg_cipher_is_compliant (enum gnupg_compliance_mode compliance,
-                               cipher_algo_t cipher);
+                               cipher_algo_t cipher,
+                               enum gcry_cipher_modes mode);
 int gnupg_digest_is_compliant (enum gnupg_compliance_mode compliance,
                                digest_algo_t digest);
 const char *gnupg_status_compliance_flag (enum gnupg_compliance_mode compliance);