security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-07-02 22:46:30 +02:00
Code Activity

gpg,gpgsm: Fix compliance check for DSA and avoid an assert.

Browse source 
* common/compliance.c (gnupg_pk_is_compliant): Swap P and Q for DSA
check.  Explicitly check for allowed ECC algos.
(gnupg_pk_is_allowed): Swap P and Q for DSA check.
* g10/mainproc.c (proc_encrypted): Simplify SYMKEYS check.  Replace
assert by debug message.

--

Note that in mainproc.c SYMKEYS is unsigned and thus a greater than 0
condition is surprising because it leads to the assumption SYMKEYS
could be negative.  Better use a boolean test.

The assert could have lead to a regression for no good reason.  Not
being compliant is better than breaking existing users.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2017-06-19 17:50:02 +02:00
parent 6cc4702767
commit 3621dbe525
No known key found for this signature in database
GPG key ID: E3FDFF218E45B72B
4 changed files with 30 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

13
g10/mainproc.c
View file

@ -94,7 +94,7 @@ struct mainproc_context
kbnode_t list; /* The current list of packets. */
iobuf_t iobuf; /* Used to get the filename etc. */
int trustletter; /* Temporary usage in list_node. */
ulong symkeys;
ulong symkeys; /* Number of symmetrically encrypted session keys. */
struct kidlist_item *pkenc_list; /* List of encryption packets. */
struct {
unsigned int sig_seen:1; /* Set to true if a signature packet
@ -603,18 +603,19 @@ proc_encrypted (CTX c, PACKET *pkt)
/* Compute compliance with CO_DE_VS. */
if (!result && is_status_enabled ()
/* Symmetric encryption and asymmetric encryption voids compliance. */
&& ((c->symkeys > 0) != (c->pkenc_list != NULL))
&& (c->symkeys != !!c->pkenc_list )
/* Overriding session key voids compliance. */
&& opt.override_session_key == NULL
&& !opt.override_session_key
/* Check symmetric cipher. */
&& gnupg_cipher_is_compliant (CO_DE_VS, c->dek->algo, GCRY_CIPHER_MODE_CFB))
&& gnupg_cipher_is_compliant (CO_DE_VS, c->dek->algo,
GCRY_CIPHER_MODE_CFB))
{
struct kidlist_item *i;
int compliant = 1;
PKT_public_key *pk = xmalloc (sizeof *pk);
log_assert (c->pkenc_list || c->symkeys
|| !"where else did the session key come from!?");
if ( !(c->pkenc_list || c->symkeys) )
log_debug ("%s: where else did the session key come from?\n", __func__);
/* Now check that every key used to encrypt the session key is
* compliant. */