From 969abcf40cdfc65f3ee859c5e62889e1a8ccde91 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Fri, 3 Jul 2020 15:47:55 +0200
Subject: sm: Exclude rsaPSS from de-vs compliance mode.

* common/compliance.h (PK_ALGO_FLAG_RSAPSS): New.
* common/compliance.c (gnupg_pk_is_compliant): Add arg alog_flags and
test rsaPSS.  Adjust all callers.
(gnupg_pk_is_allowed): Ditto.
* sm/misc.c (gpgsm_ksba_cms_get_sig_val): New wrapper function.
(gpgsm_get_hash_algo_from_sigval): New.
* sm/certcheck.c (gpgsm_check_cms_signature): Change type of sigval
arg.  Add arg pkalgoflags.  Use the PK_ALGO_FLAG_RSAPSS.
* sm/verify.c (gpgsm_verify): Use the new wrapper and new fucntion to
also get the algo flags.  Pass algo flags along.

Signed-off-by: Werner Koch <wk@gnupg.org>
---
 g10/pubkey-enc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'g10/pubkey-enc.c')

diff --git a/g10/pubkey-enc.c b/g10/pubkey-enc.c
index 38353c812..14cbdbb0f 100644
--- a/g10/pubkey-enc.c
+++ b/g10/pubkey-enc.c
@@ -96,7 +96,7 @@ get_session_key (ctrl_t ctrl, struct pubkey_enc_list *list, DEK *dek)
 
       /* Check compliance.  */
       if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_DECRYPTION,
-                                 sk->pubkey_algo,
+                                 sk->pubkey_algo, 0,
                                  sk->pkey, nbits_from_pk (sk), NULL))
         {
           log_info (_("key %s is not suitable for decryption"
-- 
cgit v1.2.3