From 1bd22a85b4f06324037b3500d2fa8af62733c926 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Thu, 27 Jul 2017 14:54:50 +0200
Subject: gpg,sm: Allow encryption (with warning) to any key in de-vs mode.

* g10/encrypt.c (encrypt_crypt): Do not abort for a non-compliant key.
* sm/encrypt.c (gpgsm_encrypt): Ditto.
--

GnuPG-bug-id: 3306
Signed-off-by: Werner Koch <wk@gnupg.org>
---
 g10/encrypt.c | 16 ++++++----------
 sm/encrypt.c  | 17 +++++++++--------
 2 files changed, 15 insertions(+), 18 deletions(-)

diff --git a/g10/encrypt.c b/g10/encrypt.c
index c63ec8838..c7982d448 100644
--- a/g10/encrypt.c
+++ b/g10/encrypt.c
@@ -657,16 +657,12 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
         PKT_public_key *pk = pkr->pk;
         unsigned int nbits = nbits_from_pk (pk);
 
-        if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_ENCRYPTION,
-                                   pk->pubkey_algo, pk->pkey, nbits, NULL))
-          {
-            log_error (_("key %s not suitable for encryption"
-                         " while in %s mode\n"),
-                       keystr_from_pk (pk),
-                       gnupg_compliance_option_string (opt.compliance));
-            rc = gpg_error (GPG_ERR_PUBKEY_ALGO);
-            goto leave;
-          }
+        if (!gnupg_pk_is_compliant (opt.compliance,
+                                    pk->pubkey_algo, pk->pkey, nbits, NULL))
+          log_info (_("WARNING: key %s is not suitable for encryption"
+                      " in %s mode\n"),
+                    keystr_from_pk (pk),
+                    gnupg_compliance_option_string (opt.compliance));
 
         if (compliant
             && !gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, pk->pkey,
diff --git a/sm/encrypt.c b/sm/encrypt.c
index 73519325e..0225476e7 100644
--- a/sm/encrypt.c
+++ b/sm/encrypt.c
@@ -481,15 +481,16 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)
 
       /* Check compliance.  */
       pk_algo = gpgsm_get_key_algo_info (cl->cert, &nbits);
-      if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_ENCRYPTION, pk_algo,
-                                 NULL, nbits, NULL))
+      if (!gnupg_pk_is_compliant (opt.compliance, pk_algo, NULL, nbits, NULL))
         {
-          log_error ("certificate ID 0x%08lX not suitable for "
-                     "encryption while in %s mode\n",
-                     gpgsm_get_short_fingerprint (cl->cert, NULL),
-                     gnupg_compliance_option_string (opt.compliance));
-          rc = gpg_error (GPG_ERR_PUBKEY_ALGO);
-          goto leave;
+          char  kidstr[10+1];
+
+          snprintf (kidstr, sizeof kidstr, "0x%08lX",
+                    gpgsm_get_short_fingerprint (cl->cert, NULL));
+          log_info (_("WARNING: key %s is not suitable for encryption"
+                      " in %s mode\n"),
+                    kidstr,
+                    gnupg_compliance_option_string (opt.compliance));
         }
 
       /* Fixme: When adding ECC we need to provide the curvename and
-- 
cgit v1.2.3