gpg,sm: Fix compliance checking for decryption.

* common/compliance.c (gnupg_pk_is_compliant): Remove the Elgamal signing check. We don't support Elgamal signing at all. (gnupg_pk_is_allowed) <de-vs>: Revert encryption/decryption for RSA. Check the curvenames for ECDH. * g10/pubkey-enc.c (get_session_key): Print only a warning if the key is not compliant. * sm/decrypt.c (gpgsm_decrypt): Ditto. Use the same string as in gpg so that we have only one translation. -- We always allow decryption and print only a note if the key was not complaint at the encryption site. GnuPG-bug-id: 3308 Signed-off-by: Werner Koch <wk@gnupg.org>
2025-07-02 22:46:30 +02:00 · 2017-07-27 13:56:38 +02:00 · 2017-07-27 13:56:38 +02:00 · a0d0cbee76
commit a0d0cbee76
parent 6d95611d01
3 changed files with 62 additions and 48 deletions
--- a/g10/pubkey-enc.c
+++ b/g10/pubkey-enc.c
@ -90,19 +90,16 @@ get_session_key (ctrl_t ctrl, PKT_pubkey_enc * k, DEK * dek)
      sk->pubkey_algo = k->pubkey_algo; /* We want a pubkey with this algo.  */
      if (!(rc = get_seckey (ctrl, sk, k->keyid)))
        {
-          /* Check compliance.  */
-          if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_DECRYPTION,
-                                     sk->pubkey_algo,
-                                     sk->pkey, nbits_from_pk (sk), NULL))
-            {
-              log_info (_("key %s not suitable for decryption"
-                          " while in %s mode\n"),
-                        keystr_from_pk (sk),
-                        gnupg_compliance_option_string (opt.compliance));
-              rc = gpg_error (GPG_ERR_PUBKEY_ALGO);
-            }
-          else
-            rc = get_it (ctrl, k, dek, sk, k->keyid);
+          /* Print compliance warning.  */
+          if (!gnupg_pk_is_compliant (opt.compliance,
+                                      sk->pubkey_algo,
+                                      sk->pkey, nbits_from_pk (sk), NULL))
+            log_info (_("Note: key %s was not suitable for encryption"
+                        " in %s mode\n"),
+                      keystr_from_pk (sk),
+                      gnupg_compliance_option_string (opt.compliance));
+
+          rc = get_it (ctrl, k, dek, sk, k->keyid);
        }
    }
  else if (opt.skip_hidden_recipients)
@ -131,17 +128,14 @@ get_session_key (ctrl_t ctrl, PKT_pubkey_enc * k, DEK * dek)
            log_info (_("anonymous recipient; trying secret key %s ...\n"),
                      keystr (keyid));

-          /* Check compliance.  */
-          if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_DECRYPTION,
-                                     sk->pubkey_algo,
-                                     sk->pkey, nbits_from_pk (sk), NULL))
-            {
-              log_info (_("key %s not suitable for decryption"
-                          " while in %s mode\n"),
-                          keystr_from_pk (sk),
-                          gnupg_compliance_option_string (opt.compliance));
-              continue;
-            }
+          /* Print compliance warning.  */
+          if (!gnupg_pk_is_compliant (opt.compliance,
+                                      sk->pubkey_algo,
+                                      sk->pkey, nbits_from_pk (sk), NULL))
+            log_info (_("Note: key %s was not suitable for encryption"
+                        " in %s mode\n"),
+                      keystr_from_pk (sk),
+                      gnupg_compliance_option_string (opt.compliance));

          rc = get_it (ctrl, k, dek, sk, keyid);
          if (!rc)