Yes, makes sense. Although, you should use datalen = indatalen; in the last line (to prevent typos in the numbers).

IIUC, for completeness, it would be good to add the lines like:

Ready for testing.

I cannot find good test vectors for PBKDF2 with HMAC-SHA-2.

In T5167#140229, @gbschenkel wrote:

Nice, I gonna apply the patch and see if resolves for me!

Nice, I gonna apply the patch and see if resolves for me!

If your problem is the incompatibility between standard OpenSSH (server) and PKIXSSH (client) for use of ssh-agent emulation of gpg-agent with ECDSA key, I'd suggest to apply following patch to your PKIXSSH:

diff --git a/compat.c b/compat.c
index fe71951..0c9b1ef 100644
--- a/compat.c
+++ b/compat.c
@@ -245,7 +245,6 @@ xkey_compatibility(const char *remote_version) {
 {	static sshx_compatibility info[] = {
 		{ 0, "OpenSSH*PKIX[??.*" /* 10.+ first correct */ },
 		{ 0, "OpenSSH*PKIX[X.*" /* developlement */ },
-		{ 1, "OpenSSH*" /* PKIX pre 10.0 */ },
 		{ 1, "SecureNetTerm-3.1" /* same as PKIX pre 10.0 */},
 		{ 0, NULL } };
 	p = xkey_compatibility_find(remote_version, info);

Ready for testing

Our tests are now in tests/basic.c.

For CMAC tests, we would need to use newer test vectors.

Unfortunately and confusingly, PKISSH returns "OpenSSH" when asked by "ssh -V".
Please install real OpenSSH, if this is the case for you.

Quote from IRC:
hey, i've some problems with my smartcard since quite some time. i'm not sure whether it's openssh related or gnupg. it's a openpgpcard v2.0 and i have to workaround ssh logins by using "SSH_AUTH_SOCK=0 ssh ...". .gnupg/gpg-agent.conf -

Yeah but it seems to be the same issue / reason. I wasn't aware that PKISSH is something else. I thought it was an extension/protocol or something

I added "Feature Request", because this is a request to support:

• A feature of bug compatibility, which is implemented wrongly in PKISSH
• for a specific algo of key, which is not considered so useful (== ECDSA)
• PKISSH, which is variant of OpenSSH

In T4563#140184, @idl0r wrote:

I was and I am using OpenSSH on both sides, client and server.

I was and I am using OpenSSH on both sides, client and server.

I do not think that we should support a fork of openssh right now. If we would support it we are bound to maintain that for years - this is not a good idea.

Well, I have no idea about the technical background to be honest but without this patch it doesn't work at all for me, unless I stop using the agent or workaround it by using SSH_AUTH_SOCK=0. With this patch, I can use the agent again. I don't know how many others are affected by this but it made it usable again, which wasn't the case for months already.

In theory, I don't think the patch gnupg.patch works. It just ignore the flag.

In T2291#140172, @gniibe wrote:

Thank you for testing.
For the issue #1, I think it is the probelm of rG1cd615afe301: gpg,card: Allow no version information of Yubikey.. This was introduced by the support of PIV feature of Yubikey.

Thank you for testing.
For the issue #1, I think it is the probelm of rG1cd615afe301: gpg,card: Allow no version information of Yubikey., which is fixed already. This was introduced by the support of PIV feature of Yubikey.

Report on some testing using master:

You're right. Thank you.

Oh, any chance GPG could inform the user when using export-pka that it is dead/deprecated? Also thanks for the quick reply.

PKA is dead but anyway: What you see is a record from a DNS zone file which has a specific semantic. The 14 for example means that 20 bytes follow.

The specs might just want to say that it just expects the wildcard to be broken, not that it expects an empty record.

Than put something into the TXT - it does not matter and is only used to break the wildcard.

Hartmut, please read Andre's mail again - we can't do anything about it if Outlook considers an extra delay of 20ms as too slow.

See the release info over at T5052 which notes the problem. See T5140 for details and update to 2.2.25.

Andre,

thats wrong.
if i disable the Addin, the effect is gone.

Best regards
Hartmut

Von: aheinecke (Andre Heinecke) <noreply@dev.gnupg.org>
Gesendet: Freitag, 11. Dezember 2020 08:35
An: hartmut.jacobi@hotmail.de
Betreff: [Task] [Closed] T5176: Problem with Office 365 GnuPG Outlook addin, Outlook reports not to be primary Mail client

aheinecke closed this task as "Invalid".
aheinecke added a comment.

Hi, you can change the default mail app under systemsettings in windwos 10, this has nothing to do with GpgOL, and the delayed start report, I can't do anything about. Outlook just shows this for any COM Addin to shift the blame, seriously we took 0,02s or 20ms on your system for our initialization. That is reasonably fast.

TASK DETAIL
https://dev.gnupg.org/T5176

EMAIL PREFERENCES
https://dev.gnupg.org/settings/panel/emailpreferences/

To: aheinecke

Cc: aheinecke, gnupg, HackyJ, Neurone, ccharabaruk, gp_ast

This is an automated email from the GnuPG development hub. If you have registered in the past at https://bugs.gnupg.org/ your account was migrated automatically. You can visit https://dev.gnupg.org/ to set a new password and update your email preferences.

Hi, you can change the default mail app under systemsettings in windwos 10, this has nothing to do with GpgOL, and the delayed start report, I can't do anything about. Outlook just shows this for any COM Addin to shift the blame, seriously we took 0,02s or 20ms on your system for our initialization. That is reasonably fast.

Reading the code again, I think that some configuration of NKS card doesn't work well, when it has no certificates but keys (e.g. IDLM config).
I'm going to fix do_readkey as well (the approach #1).

Cloudflare doesn't seem to allow empty DNS TXT records...

From the specs: