- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Advanced Search
Yesterday
Wed, Apr 24
Tue, Apr 23
Mon, Apr 22
Please continue on T7041. This ticket is going to be closed (as the problem described was fixed already).
Applied to 2.4 branch.
Applied to 2.4 branch.
Here is current version:
diff --git a/src/misc.c b/src/misc.c index 4db2d9a4..bf50b00b 100644 --- a/src/misc.c +++ b/src/misc.c @@ -577,3 +577,61 @@ _gcry_divide_by_zero (void) gpg_err_set_errno (EDOM); _gcry_fatal_error (gpg_err_code_from_errno (errno), "divide by zero"); } + +#ifdef HAVE_CLOCK_GETTIME +#include <time.h> +# if defined(CLOCK_THREAD_CPUTIME_ID) && defined(CLOCK_TAI) +struct gcry_timedwait +{ + clockid_t id; + struct timespec ts; +}; + +typedef struct gcry_timedwait *gcry_timedwait_t; + +gcry_err_code_t +_gcry_timedwait_init (gcry_timedwait_t tw, unsigned int flags) +{ + /* Possibly, it would be good to be able to select the wall clock. + * For now, it's CPU time by the thread. */ + if (flags != 0) + return GPG_ERR_INV_ARG; + + tw->id = CLOCK_THREAD_CPUTIME_ID; + if (clock_gettime (tw->id, &tw->ts) < 0) + return gpg_err_code_from_syserror (); + + return 0; +} + +gcry_err_code_t +_gcry_timedwait_finish (gcry_timedwait_t tw, struct timespec ts_r) +{ + struct timespec ts; + u32 negative; + + if (clock_gettime (tw->id, &ts) < 0) + return gpg_err_code_from_syserror (); + + ts.tv_sec -= tw->ts.tv_sec; + ts.tv_nsec -= tw->ts.tv_nsec; + negative = ((u32)ts.tv_nsec) >> 31; + ts.tv_sec -= negative; + ts.tv_nsec += (1000000000 * negative); + + ts_r.tv_sec -= ts.tv_sec; + ts_r.tv_nsec -= ts.tv_nsec; + negative = ((u32)ts_r.tv_nsec) >> 31; + ts_r.tv_sec -= negative; + ts_r.tv_nsec += (1000000000 * negative); + + if (ts_r.tv_sec < 0) + return GPG_ERR_TIME_CONFLICT; + + if (clock_nanosleep (CLOCK_TAI, 0, &ts_r, &ts_r)) + return gpg_err_code_from_syserror (); + + return 0; +} +# endif +#endif
Fri, Apr 19
Thu, Apr 18
Wed, Apr 17
Tue, Apr 16
Are you using PC/SC shared mode? If so, it may be the case of T7041.
Mon, Apr 15
@mwalle Thank you for your testing.
Applied to master.
After testing, I'll also apply to 2.4 branch.
Fri, Apr 12
I'm considering applying the following patch. With this change, scdaemon will works well with a card implementation which consider F9 (wrongly) as primitive data object, as well as correct card implementation.
diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c index 26ac91ea2..09223ce33 100644 --- a/scd/app-openpgp.c +++ b/scd/app-openpgp.c @@ -410,6 +410,10 @@ get_cached_data (app_t app, int tag, size_t len; struct cache_s *c; int exmode; + int do_constructed = 0; + + if ((tag < 0x0100 && (tag & 0x20)) || (tag >= 0x0100 && (tag & 0x2000))) + do_constructed = 1;
API which does not require allocation internally would be better. In this case, it is allocated on stack by the caller.
I mean, something like this (for GNU/Linux):
diff --git a/src/misc.c b/src/misc.c index 4db2d9a4..74864334 100644 --- a/src/misc.c +++ b/src/misc.c @@ -577,3 +577,80 @@ _gcry_divide_by_zero (void) gpg_err_set_errno (EDOM); _gcry_fatal_error (gpg_err_code_from_errno (errno), "divide by zero"); } + +#ifdef HAVE_CLOCK_GETTIME +#include <time.h> +# if defined(CLOCK_THREAD_CPUTIME_ID) && defined(CLOCK_TAI) +struct gcry_timedwait +{ + struct timespec ts; +}; + +typedef struct gcry_timedwait *gcry_timedwait_t; + +gcry_err_code_t +_gcry_timedwait_new (gcry_timedwait_t *r_tw, unsigned int flags) +{ + gcry_err_code_t err; + gcry_timedwait_t tw; + + *r_tw = NULL; + + /* Possibly, it would be good to be able to select the wall clock. + * For now, it's CPU time by the thread. */ + if (flags != 0) + return GPG_ERR_INV_ARG; + + tw = xtrymalloc (sizeof (gcry_timedwait_t)); + if (!tw) + return gpg_err_code_from_syserror (); + + if (clock_gettime (CLOCK_THREAD_CPUTIME_ID, &tw->ts) < 0) + { + err = gpg_err_code_from_syserror (); + xfree (tw); + return err; + } + + *r_tw = tw; + return 0; +} + +gcry_err_code_t +_gcry_timedwait_release (gcry_timedwait_t tw, struct timespec ts_r) +{ + gcry_err_code_t err; + struct timespec ts; + u32 negative; + + if (clock_gettime (CLOCK_THREAD_CPUTIME_ID, &ts) < 0) + { + err = gpg_err_code_from_syserror (); + xfree (tw); + return err; + } + + ts.tv_sec -= tw->ts.tv_sec; + ts.tv_nsec -= tw->ts.tv_nsec; + negative = ((u32)ts.tv_nsec) >> 31; + ts.tv_sec -= negative; + ts.tv_nsec += (1000000000 * negative); + + xfree (tw); + + ts_r.tv_sec -= ts.tv_sec; + ts_r.tv_nsec -= ts.tv_nsec; + negative = ((u32)ts_r.tv_nsec) >> 31; + ts_r.tv_sec -= negative; + ts_r.tv_nsec += (1000000000 * negative); + + if (ts_r.tv_sec < 0) + return GPG_ERR_TIME_CONFLICT; + + if (clock_nanosleep (CLOCK_TAI, 0, &ts_r, &ts_r)) + return gpg_err_code_from_syserror (); + + return 0; +} +# endif +#endif
Thu, Apr 11
I had wrong interpretation about symmetric cipher algorithm identifier in the draft. It specifies symmetric cipher for the following Symmetrically Encrypted Data Packet (I was wrongly interpret as if it were specifying algo for AES keywrap).
Wed, Apr 10
I merged the change by Werner to get the value from frontend.
Tue, Apr 9
In the current code, just for testing against the test vector in m https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc-02, there are specific value in the key combiner KDF.
Namely, the value 105 for fixedInfo is defined in the draft (and it will be changed).
Applied to master. If no problem will be found, I'll apply to 2.4 branch too.
Let's see.
Mon, Apr 8
Fri, Apr 5
The following patch works.
I use this for testing:
Thu, Apr 4
Wed, Apr 3
Mon, Apr 1
Fri, Mar 29
Thu, Mar 28
Mar 27 2024
Given the situation where GnuPG works well with existing OpenPGP card implementations, what we should do here is, perhaps:
There are multiple problems described in your report. Let us handle one by one.
Thank you for your quick testing.
Mar 26 2024
The patches looks too large to merge (than actually needed), and not enough/clean like not having detection of the system.
Mar 25 2024
On March 11 and 18, the private key file DE1AB1D22899CEC7DBB1A7863F34E6E92BFB7756.key was wrong.
I updated on March 25. Now, the endian is GnuPG (d is big endian).
Thank you for the reminder. I will update the version in configure.ac for AM_GNU_GETTEXT_VERSION, when I will confirm other developers' emvironment.
Mar 19 2024
There are two locks here; (1) rw_lock for card_top (list of cards) access and (2) individual card lock.
It looks for me that:
- don't know how/what the thread 7208.2 does
- the thread 7208.3: KEYINFO, then PKSIGN (gets read lock for card_top, then, individual card lock)
- the thread 7208.4: SERIALNO --all (and wait for write lock for card_top)
Mar 18 2024
I extracted data from https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc-02 and compose x25519 key and MLKEM768 key. Here they are.
x25519 :
MLKEM768 :
Mar 13 2024
This rejection could be relaxed.
Mar 11 2024
Mar 7 2024
As a first experiment, let us use CIPHERTEXT in the format of (enc-val(ecdh(s%m)(e%m)(k%m))) (s: encrypted-session-key, e: ecc ephemeral key, k: kyber ephemeral key).
Mar 5 2024
Mar 4 2024
Applied to both (master and 1.10 branch).
Mar 3 2024
Mar 2 2024
Mar 1 2024
Pushed the change in: rGf50c543326c2: agent: Allow simple KEYINFO command when restricted.
Apply the change in: rPTH417abd56fd7b: Fix INSERT_EXPOSE_RWLOCK_API for musl C library.
It looks like hardware problem or card reader problem.
Please test with debug-ccid-driver line in scdaemon.conf to see lower-lever (driver debug) message.
Since I don't like to introduce hppa specific workaround in a way like pragma (and I have no time to fix compiler itself), I tried to improve the ec-nist.c for hppa so that register pressure can be lower.
Here is my solution.
Feb 29 2024
@thesamesam Thank you for the report.
Thanks a lot for your quick testing.
The commit rGff42ed0d69bb: gpg: Enhance agent_probe_secret_key to return bigger value. of GnuPG 2.2 introduced this bug.
Alternatively (more narrow workaround), when I add a line:
#pragma GCC optimize("O1")
before the function _gcry_mpi_ec_nist256_mod in mpi/ec-nist.c, it works for me on panama.debian.net (Debian porterbox for hppa).
Fixed in libksba 1.6.6.
Fixed in npth 1.7.
Feb 28 2024
You can get more information by applying a patch below (and also tests/json/Makefile.in):
diff --git a/tests/json/Makefile.am b/tests/json/Makefile.am index 90fba79e..7523bb6b 100644 --- a/tests/json/Makefile.am +++ b/tests/json/Makefile.am @@ -106,6 +106,8 @@ gpg-agent.conf: # a key from a smartcard reader (error might be: Unusable secret key) echo pinentry-program $(abs_srcdir)/../gpg/pinentry > ./gpg-agent.conf echo disable-scdaemon >> ./gpg-agent.conf + echo debug-all >> ./gpg-agent.conf + echo log-file /tmp/gpg-agent-logfile.log >> ./gpg-agent.conf