From a0d0cbee7654ad7582400efaa92d493cd8e669e9 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 27 Jul 2017 13:56:38 +0200 Subject: gpg,sm: Fix compliance checking for decryption. * common/compliance.c (gnupg_pk_is_compliant): Remove the Elgamal signing check. We don't support Elgamal signing at all. (gnupg_pk_is_allowed) : Revert encryption/decryption for RSA. Check the curvenames for ECDH. * g10/pubkey-enc.c (get_session_key): Print only a warning if the key is not compliant. * sm/decrypt.c (gpgsm_decrypt): Ditto. Use the same string as in gpg so that we have only one translation. -- We always allow decryption and print only a note if the key was not complaint at the encryption site. GnuPG-bug-id: 3308 Signed-off-by: Werner Koch --- g10/pubkey-enc.c | 42 ++++++++++++++++++------------------------ 1 file changed, 18 insertions(+), 24 deletions(-) (limited to 'g10') diff --git a/g10/pubkey-enc.c b/g10/pubkey-enc.c index 0ddb8d7bb..013fd2f1b 100644 --- a/g10/pubkey-enc.c +++ b/g10/pubkey-enc.c @@ -90,19 +90,16 @@ get_session_key (ctrl_t ctrl, PKT_pubkey_enc * k, DEK * dek) sk->pubkey_algo = k->pubkey_algo; /* We want a pubkey with this algo. */ if (!(rc = get_seckey (ctrl, sk, k->keyid))) { - /* Check compliance. */ - if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_DECRYPTION, - sk->pubkey_algo, - sk->pkey, nbits_from_pk (sk), NULL)) - { - log_info (_("key %s not suitable for decryption" - " while in %s mode\n"), - keystr_from_pk (sk), - gnupg_compliance_option_string (opt.compliance)); - rc = gpg_error (GPG_ERR_PUBKEY_ALGO); - } - else - rc = get_it (ctrl, k, dek, sk, k->keyid); + /* Print compliance warning. */ + if (!gnupg_pk_is_compliant (opt.compliance, + sk->pubkey_algo, + sk->pkey, nbits_from_pk (sk), NULL)) + log_info (_("Note: key %s was not suitable for encryption" + " in %s mode\n"), + keystr_from_pk (sk), + gnupg_compliance_option_string (opt.compliance)); + + rc = get_it (ctrl, k, dek, sk, k->keyid); } } else if (opt.skip_hidden_recipients) @@ -131,17 +128,14 @@ get_session_key (ctrl_t ctrl, PKT_pubkey_enc * k, DEK * dek) log_info (_("anonymous recipient; trying secret key %s ...\n"), keystr (keyid)); - /* Check compliance. */ - if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_DECRYPTION, - sk->pubkey_algo, - sk->pkey, nbits_from_pk (sk), NULL)) - { - log_info (_("key %s not suitable for decryption" - " while in %s mode\n"), - keystr_from_pk (sk), - gnupg_compliance_option_string (opt.compliance)); - continue; - } + /* Print compliance warning. */ + if (!gnupg_pk_is_compliant (opt.compliance, + sk->pubkey_algo, + sk->pkey, nbits_from_pk (sk), NULL)) + log_info (_("Note: key %s was not suitable for encryption" + " in %s mode\n"), + keystr_from_pk (sk), + gnupg_compliance_option_string (opt.compliance)); rc = get_it (ctrl, k, dek, sk, keyid); if (!rc) -- cgit v1.2.3