From 6771ed4c13226ea8f410d022fa83888930070f70 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Wed, 3 Sep 2025 16:33:49 +0200
Subject: gpg: Fix de-vs compliance with OCB and additional password.
* g10/mainproc.c (struct symlist_item): Change flag cfb_mode to a general cipher_mode variable. (proc_symkey_enc): Set this variable to the used mode. (proc_encrypted): Check the symmetric encrypted session keys now also with support for OCB.
--
GnuPG-bug-id: 7804
---
 g10/mainproc.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/g10/mainproc.c b/g10/mainproc.c
index fe4242c07..3b921b15d 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -52,7 +52,7 @@ struct symlist_item
 {
 struct symlist_item *next;
 int cipher_algo;
- int cfb_mode;
+ enum gcry_cipher_modes cipher_mode;
 int other_error;
 };
@@ -484,7 +484,11 @@ proc_symkey_enc (CTX c, PACKET *pkt)
 if (enc)
 {
 symitem->cipher_algo = enc->cipher_algo;
- symitem->cfb_mode = !enc->aead_algo;
+ symitem->cipher_mode = !enc->aead_algo;
+ symitem->cipher_mode
+ = (enc->aead_algo == AEAD_ALGO_NONE? GCRY_CIPHER_MODE_CFB :
+ enc->aead_algo == AEAD_ALGO_OCB? GCRY_CIPHER_MODE_OCB :
+ GCRY_CIPHER_MODE_NONE);
 }
 else
 symitem->other_error = 1;
@@ -778,9 +782,9 @@ proc_encrypted (CTX c, PACKET *pkt)
 * key can be sneaked in. */
 for (si = c->symenc_list; si && compliant; si = si->next)
 {
- if (!si->cfb_mode
+ if (si->cipher_mode == GCRY_CIPHER_MODE_NONE
 || !gnupg_cipher_is_compliant (CO_DE_VS, si->cipher_algo,
- GCRY_CIPHER_MODE_CFB))
+ si->cipher_mode))
 compliant = 0;
 }
--
cgit v1.2.3
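Review bot: The first added line in proc_symkey_enc, `symitem->cipher_mode = !enc->aead_algo;`, looks like a leftover from the cfb_mode rename: it stores a 0/1 truth value into an `enum gcry_cipher_modes` field and is overwritten by the very next statement. The overwrite means it has no effect today, but the value 1 is not a mode this code intends to record, so a later edit that reorders or removes the second assignment would silently change what the de-vs check sees. Delete that line and keep only the conditional assignment that maps AEAD_ALGO_NONE to GCRY_CIPHER_MODE_CFB, AEAD_ALGO_OCB to GCRY_CIPHER_MODE_OCB and anything else to GCRY_CIPHER_MODE_NONE. The function body starts and ends outside the hunk.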
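Review bot: In the proc_encrypted loop, list items that took the `else symitem->other_error = 1;` path in proc_symkey_enc never have cipher_mode assigned, so their rejection here depends on the item having been zero-initialised and on GCRY_CIPHER_MODE_NONE being 0. The allocation is not visible in this patch, so that is an assumption to confirm rather than a demonstrated defect. Stating the fail-closed intent in the condition would remove the dependency, for example `if (si->other_error || si->cipher_mode == GCRY_CIPHER_MODE_NONE`. A one-line comment that GCRY_CIPHER_MODE_NONE marks an AEAD algorithm other than OCB, which is treated as non-compliant, would also help the next reader of this compliance check. The loop sits in a function that starts and ends outside the hunk.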