From 3621dbe52584bc8b417f61b5370ebaa5598db956 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Mon, 19 Jun 2017 17:50:02 +0200
Subject: gpg,gpgsm: Fix compliance check for DSA and avoid an assert.

* common/compliance.c (gnupg_pk_is_compliant): Swap P and Q for DSA
check.  Explicitly check for allowed ECC algos.
(gnupg_pk_is_allowed): Swap P and Q for DSA check.
* g10/mainproc.c (proc_encrypted): Simplify SYMKEYS check.  Replace
assert by debug message.

--

Note that in mainproc.c SYMKEYS is unsigned and thus a greater than 0
condition is surprising because it leads to the assumption SYMKEYS
could be negative.  Better use a boolean test.

The assert could have lead to a regression for no good reason.  Not
being compliant is better than breaking existing users.

Signed-off-by: Werner Koch <wk@gnupg.org>
---
 g10/mainproc.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

(limited to 'g10/mainproc.c')

diff --git a/g10/mainproc.c b/g10/mainproc.c
index 2db8de1d5..c57925c9f 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -94,7 +94,7 @@ struct mainproc_context
   kbnode_t list;    /* The current list of packets. */
   iobuf_t iobuf;    /* Used to get the filename etc. */
   int trustletter;  /* Temporary usage in list_node. */
-  ulong symkeys;
+  ulong symkeys;    /* Number of symmetrically encrypted session keys.  */
   struct kidlist_item *pkenc_list; /* List of encryption packets. */
   struct {
     unsigned int sig_seen:1;      /* Set to true if a signature packet
@@ -603,18 +603,19 @@ proc_encrypted (CTX c, PACKET *pkt)
   /* Compute compliance with CO_DE_VS.  */
   if (!result && is_status_enabled ()
       /* Symmetric encryption and asymmetric encryption voids compliance.  */
-      && ((c->symkeys > 0) != (c->pkenc_list != NULL))
+      && (c->symkeys != !!c->pkenc_list )
       /* Overriding session key voids compliance.  */
-      && opt.override_session_key == NULL
+      && !opt.override_session_key
       /* Check symmetric cipher.  */
-      && gnupg_cipher_is_compliant (CO_DE_VS, c->dek->algo, GCRY_CIPHER_MODE_CFB))
+      && gnupg_cipher_is_compliant (CO_DE_VS, c->dek->algo,
+                                    GCRY_CIPHER_MODE_CFB))
     {
       struct kidlist_item *i;
       int compliant = 1;
       PKT_public_key *pk = xmalloc (sizeof *pk);
 
-      log_assert (c->pkenc_list || c->symkeys
-                  || !"where else did the session key come from!?");
+      if ( !(c->pkenc_list || c->symkeys) )
+        log_debug ("%s: where else did the session key come from?\n", __func__);
 
       /* Now check that every key used to encrypt the session key is
        * compliant.  */
-- 
cgit v1.2.3