From a0d0cbee7654ad7582400efaa92d493cd8e669e9 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 27 Jul 2017 13:56:38 +0200 Subject: gpg,sm: Fix compliance checking for decryption. * common/compliance.c (gnupg_pk_is_compliant): Remove the Elgamal signing check. We don't support Elgamal signing at all. (gnupg_pk_is_allowed) : Revert encryption/decryption for RSA. Check the curvenames for ECDH. * g10/pubkey-enc.c (get_session_key): Print only a warning if the key is not compliant. * sm/decrypt.c (gpgsm_decrypt): Ditto. Use the same string as in gpg so that we have only one translation. -- We always allow decryption and print only a note if the key was not complaint at the encryption site. GnuPG-bug-id: 3308 Signed-off-by: Werner Koch --- sm/decrypt.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) (limited to 'sm/decrypt.c') diff --git a/sm/decrypt.c b/sm/decrypt.c index 170ad5ad3..3de742a25 100644 --- a/sm/decrypt.c +++ b/sm/decrypt.c @@ -480,17 +480,19 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp) unsigned int nbits; int pk_algo = gpgsm_get_key_algo_info (cert, &nbits); - /* Check compliance. */ - if (! gnupg_pk_is_allowed (opt.compliance, - PK_USE_DECRYPTION, - pk_algo, NULL, nbits, NULL)) + /* Print compliance warning. */ + if (! gnupg_pk_is_compliant (opt.compliance, + pk_algo, NULL, nbits, NULL)) { - log_error ("certificate ID 0x%08lX not suitable for " - "decryption while in %s mode\n", - gpgsm_get_short_fingerprint (cert, NULL), - gnupg_compliance_option_string (opt.compliance)); - rc = gpg_error (GPG_ERR_PUBKEY_ALGO); - goto oops; + char kidstr[10+1]; + + snprintf (kidstr, sizeof kidstr, "0x%08lX", + gpgsm_get_short_fingerprint (cert, NULL)); + log_info + (_("Note: key %s was not suitable for encryption" + " in %s mode\n"), + kidstr, + gnupg_compliance_option_string (opt.compliance)); } /* Check that all certs are compliant with CO_DE_VS. */ -- cgit v1.2.3