I am closing this bug report, as I can't get feedback to fix something.
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Advanced Search
Oct 24 2017
Oct 20 2017
gniibe: Can you check the status?
Aug 31 2017
Thanks. That reminds me again that a GPA release is due.
Aug 29 2017
Do you have the specs for getenv_r? I can't find such a thing on FreeBSD or Debian
Jul 5 2017
Thanks. Will go into the next release.
Jul 2 2017
Jun 28 2017
Fixed. Thanks.
Jun 26 2017
Jun 22 2017
May 23 2017
Mar 30 2017
Oct 17 2016
I run in the same issue as PRab whenever I suspend or hibernate my machine. The
machine as Broadcom BCM5880 with a smart-card reader, so I cannot unplug it.
Quickest workaround is to kill/restart scdaemon.
Is there/could there be a command that could be sent to scdaemon via the agent
so a reset could be triggered? It should be easy enough to line that up as part
of the resume scripts.
Mar 18 2016
Applied to master will go into 1.7.
Mar 16 2016
I believe I have also seen this issue (or something very similar) on my Windows
7 64bit machine. I am running gpg 2.1.11. I hope this isn't redundant, but it
seems that I need to restart scdaemon anytime I unplug/replug my yubikey or
suspend/resume my computer.
Sometimes it doesn't recover even after restarting scdaemon. In those cases, I
am able to fix it by stopping scdaemon, removing the yubikey, starting scdaemon,
and finally reinserting the yubikey.
Dec 22 2015
Thank you again.
It is likely that the token itself doesn't work well after wakeup from sleep
mode. In this case, all that we can do is re-inserting the token manually.
I'm not sure how PC/SC service handles USB reset after wakeup.
Sorry to say, but mapping the error to "no reader" doesn't help. The first
reset event doesn't get handled. Later it trys to remove the reader but it's
not getting correctly resetted/reinserted again.
I've attached the debug log again
Thank you for further testing.
I think that current code doesn't handle the case when card goes inactive/reset
while reader keeps working. Current code only goes to the reset sequence for a
card again when it detects reader failure. So, although the concept is
different, I think mapping PSCS_W_CARD_RESET to SW_HOST_NO_READER (for now) will
work. Given the situation we don't yet support multiple cards, this workaround
would be OK for a while.
Nope. Neither mapping the "reset card" event to SW_HOST_CARD_INACTIVE or
SW_HOST_NO_CARD helps. It seems that somewhere in the code the return code
SW error codes are not being handled correctly and the card doesn't get
resetted.
I've attached a small log where you can see that pcsc returns the error
reason "reset card" which then gets remapped to "Card reset required" (was
general error before). I also can see that the error is getting mapped to
GPG_ERR_CARD_RESET (because of the error message "Card reset required")
leaving the daemon around with no working card and reporting general errors
again (0x100b).
Additional Info: This bug only happens when you put your computer/laptop
into sleep mode while the smartcard/reader (yubikey) is plugged in. If I
remove the reader before putting it to sleep and attaching it after getting
out of the sleep mode, the scdaemon works fine.
Dec 21 2015
Maybe it's more appropriate to map the PSCS_W_CARD_RESET event to the
SW_HOST_CARD_INACTIVE error code which later gets mapped to GPG_ERR_CARD_RESET
error code.
I've attached the patch file. It would make sense to backport this mapping as
well. Right now it's not yet tested.
I found another problem with the smartcard service under windows. Putting
the system into sleep mode and waking it up again creates an 0x80100068
error code (aka PCSC_W_RESET_CARD).
I'll test if it helps to map the RESET_CARD event to the same REMOVE_CARD
event to get the card reactivated after sleep mode.
Logfile:
2015-12-21 22:16:57 scdaemon[10040] DBG: send apdu: c=00 i=CA p1=00 p2=C4
lc=-1 le=256 em=0
2015-12-21 22:16:57 scdaemon[10040] DBG: PCSC_data: 00 CA 00 C4 00
2015-12-21 22:16:57 scdaemon[10040] pcsc_transmit failed: reset card
(0x80100068)
2015-12-21 22:16:57 scdaemon[10040] apdu_send_simple(0) failed: general
error
Dec 11 2015
Thank you for your testing.
Your change is pushed with my comment:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=d1a97585c5e73fbc7d4cf90e38f76ffc5aea305f
I'll backport this to GnuPG 2.0.
Dec 10 2015
Here's the logfile with all the errors (guru debug level) vanilla 2.1.10
After some time spending fighting with the build tools of gnupg (cross compile
for windows under debian) I managed to build the installer with my patched
file.
Most important: The most common error thrown is the 0x8010001e
(E_SERVICE_STOPPED) This is the important one. The other error 0x8010001d
(E_NO_SERVICE) is only thrown in the transition from ok to stopped. So only
sometimes.
This was my process:
git clone git://git.gnupg.org/gnupg.git
cd gnupg
git checkout tags/gnupg-2.1.10
./autogen.sh
cat ../0001-scd-Fix-removal-of-unplugged-usb-readers.patch | patch -p1
sed -i -e 's/^SELFCHECK=1/SELFCHECK=0/' build-aux/speedo.mk
make -f build-aux/speedo.mk w32-installer
I've created new logfiles (vanilla 2.1.10 und patched 2.1.10) to show the
difference and confirm that it'S actually working now :-)
I'm okay with signing off the commit. I can test this for Windows 8.1 or 10,
my only problem is that I'm not able to compile gpg for windows right now. Or
are there instructions somewhere on how to achieve this?
Thank you again.
I think that Windows 8 (and later) changed the PC/SC service. The service is
only available when smartcard is there, and after the removal, it returns
PCSC_E_NO_SERVICE error. This is not expected for current code.
I'm applying your patch with my comment like above. Do you agree to put the
line in the commit log?:
Signed-off-by: Daniel Hoffend <dh@dotlan.net>
I don't have Windows 8 machine. So, I leave this issue as testing.
No, I just installed version 2.1.10 (which included your mentioned fix). But the
error still applies.
In my case the smartcard reader never gets closed, cause the error thrown by the
pcsc/scd gets only mapped to a general_error which does not result in
removing/closing the reader interface.
I've the feeling that we've to take a closer look at the errors thrown (at least
those 2 in my patch). Maybe there're even more possible events.
If you like I can upload the debug log of scdaemon 2.1.10 ... (if that helps).
Somehow I don't have any issues when running linux, this bug applies to windows
only atm. Maybe it's just that windows is throwing different errors or events
compared to linux.
Thank you for the bug report with log.
It could be related to the bug which was just fixed:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=f42c50dbf00c2e6298ca6830cbe6d36805fa54a3
I'm backporting this to 2.0.x.
Dec 7 2015
After looking at the gnupg 2.0 branch I would say the patch could be applied
to the 2.0 and 2.1 branch to fix the issue in both branches stable/modern
since both version are affected (tested with 2.1.9 and 2.0.29 from gpg2win)
Nov 6 2015
At most, this is a performance bug. However, applygnupgdefaults isn't
performance critical. There is no reason to apply this so I'm dropping it.
Sep 8 2015
Sep 7 2015
To be considered for 1.7
May 6 2015
The patch is a work for problem somewhere in the PC/SC implementaion. I am also
not sure whether a pthread_cancel for a buggy PC/SC library is a good idea.
Terminating the process seems to be a better solution.
If gpgtools wants to apply this pacth, they might of course do so but I don't
want to apply it upstream in particular not to an older version (2.1 is current).
May 4 2015
Apr 8 2015
Done in c238340:
Apr 1 2015
I created (1938) a new issue for the extreme slowness of --list-sigs on a
keybox. 1938 is most likely a bug, while 1710 is merely a quickfix for an
algorithmic issue in --list-sigs. However if with keybox “random access to the
keys is now really fast”, maybe it a proper fix could easily be implemented
instead. See also
http://lists.gnupg.org/pipermail/gnupg-devel/2015-February/029541.html
I'm also seeing this extreme delay from gpg --list-sigs 2.1.2 on a large
keyring, particularly when using kbx. It seems likely that there is a bug here.
Dec 11 2014
Pushed.
Give that the macro change is a no-brainer I will do that immediatly. Which
means this bug report can be closed.
Dec 7 2014
Understood - would you like me to fix with automake 1.10, or park this
for a merge post-Jessie ?
Dec 4 2014
automake 1.14 is not yet supported becuase it defaults to the new parallel tests
and automake 1.11 has no way to disable this tests (serial-tests option in 1.14).
After the release of Debian Jessie I plan to migrate to 1.14 and drop support
form earlier automakes.
Nov 29 2014
Sep 10 2014
Sep 7 2014
The patch v10 should now cover all change requests from Werner as documented in
the cover-letter.
However, I am not fully sure about the interface yet: the GCRY_DRBG_REINIT is
now solely limited to normal DRBG use. I do not see how that can be merged to
existing random interfaces.
The CAVS test interface is now isolated to the control value 75 similarly to the
X9.31 testing approach. However, the current approach triggers a compile time
warning about the undefined enum 75.
See [1] in libgcrypt/test/ for a test application that uses the DRBG in normal
mode and in CAVS test mode -- search for gcry_control.
Tested:
- 32 / 64 bit
- CAVS testing on both arches
- brief stess testing by creating 200 MB of data and checking it with ent to see
that the output function is not broken
Sep 3 2014
Thanks.
re: indent: You mixed prototype and functions and thus by quickly browsing the
source I noticed the prototype - which are correct.
re: API it is a bit hard to check from just the patches. Thus I suggest that I
apply your next patch and then look again at it.
re: reregssion test: We can use a secret API for that so that it is not part of
the stable ABI. See for example tests/fipsdrv.c:init_external_rng_test
Please do not use C99 feature like // and struct init using symbols. I am
willing to fix that, though.
re GPL: will do
re one patch: will do
I will make also the requested code changes. Though, the indentation makes me
wonder. As I am not used to this indentation, I used the help of indent wit the
following command as specified on the GNU home page: indent -nbad -bap -nbc -bbo
-bl -bli2 -bls -ncdb -nce -cp1 -cs -di2 -ndj -nfc1 -nfca -hnl -i2 -ip5 -lp -pcs
-psl -nsc -nsob. Now, what is wrong with the indentation?
Re reusing the API: I am wondering where I do not reuse the API? The normal
usage is via the gcry_randomize function. The external hook is used for:
- changing the type of DRBG (note, the code implements many random number
generators)
- allowing the use of the personalization string / additional info string (I
would not know how to use that with gcry_randomize.
- allow the CAVS testing to be performed.
If you have suggestions on how to cover that using existing APIs, I would be
very much interested in it.
One last thing: Libcrypt is under the LGPLv2+ but your alternative license is
under an unspecified version of the GPL. Can you change the alternative license
to the "GNU Lesser General Public License as published by the Free Software
Foundation; either version 2.1 of the License, or (at your option) any later
version."?
Aug 6 2014
There are no known attacks on SHA-1. MD5 is disabled anyway in recent versions.
But please continue at gnupg-users - if you like.
Thank you for the prompt response.
I am familiar with the standard. The only violation of a MUST I'm aware of is that
recipient and personal digest preferences are ignored for hashes with known attacks;
perhaps some of these changes cause GnuPG to behave badly in other cases?
This has been discussed at gnupg-users at lengths. You need to read the OpenPGP
standard to understand some of the defaults. For the others you may start yet
another disucssion thread at gnupg-users.
re 4) The iteration count used depends on the machine.
Aug 5 2014
Jun 24 2014
Done for 2.0.14 with commit e790671c
Jun 23 2014
Jun 22 2014
May 15 2014
Jan 24 2014
Oh well, backporting is easy enough. Commit id f6bd8ed, will go into 1.6.1.
Jan 20 2014
This has meanwhile been fixed in master with commit 9edcf109.
I don't see a reason tobackport it to 1.6.
Dec 16 2013
References:
OpenSSL
http://git.openssl.org/gitweb/?
p=openssl.git;a=blob;f=crypto/ecdsa/ecs_ossl.c;h=adab1f74b41daf6e719ca1fdae1ba81
7085c7802;hb=HEAD#l309
Nettle:
http://git.lysator.liu.se/nettle/nettle/blobs/master/ecc-ecdsa-sign.c#line86
http://git.lysator.liu.se/nettle/nettle/blobs/master/ecc-hash.c
NSS:
https://hg.mozilla.org/projects/nss/file/49360b638350/lib/freebl/ec.c#l746
Oct 15 2013
Oct 12 2013
Oct 11 2013
Tested and works fine with current gnupg and gpgcard.