Page MenuHome GnuPG
Feed Advanced Search

Nov 10 2021

gniibe committed rPTH854b3fd1d66c: libtool: Link without -flat_namespace for macOS. (authored by gniibe).
libtool: Link without -flat_namespace for macOS.
Nov 10 2021, 4:32 AM
gniibe committed rG0982c6cb19da: scd: More conservative selection of a card reader. (authored by gniibe).
scd: More conservative selection of a card reader.
Nov 10 2021, 4:01 AM
gniibe committed rC915839abc54a: doc: Fix NEWS entry to refer CVE-2021-40528. (authored by gniibe).
doc: Fix NEWS entry to refer CVE-2021-40528.
Nov 10 2021, 3:49 AM
gniibe committed rCb118681ebc4c: doc: Fix NEWS entry to refer CVE-2021-40528. (authored by gniibe).
doc: Fix NEWS entry to refer CVE-2021-40528.
Nov 10 2021, 3:49 AM
gniibe committed rK0d7a62c355ea: libtool: Link without -flat_namespace for macOS. (authored by gniibe).
libtool: Link without -flat_namespace for macOS.
Nov 10 2021, 3:37 AM
gniibe committed rM50daf3d75d66: libtool: Link without -flat_namespace for macOS. (authored by gniibe).
libtool: Link without -flat_namespace for macOS.
Nov 10 2021, 3:24 AM
gniibe added a project to T5610: macOS 11 or newer support: Update libtool: gpgme.

Also applied to gpgme.

Nov 10 2021, 3:07 AM · gpgme, MacOS, ntbtls, npth, libksba, libassuan, libgcrypt, gpgrt
gniibe added a comment to T5610: macOS 11 or newer support: Update libtool.

Since there is no problem with libgpg-error 1.43, I applied it to other libraries: npth, libassuan, libksba, and ntbtls.

Nov 10 2021, 3:04 AM · gpgme, MacOS, ntbtls, npth, libksba, libassuan, libgcrypt, gpgrt
gniibe added a comment to T5512: Implement service indicators.

I'll fix regressions: failures of pubkey and pkcs1v2.

Nov 10 2021, 2:09 AM · Testing, Feature Request, FIPS, libgcrypt

Nov 9 2021

gniibe added a comment to T5636: Run integrity checks + selftests from library constructor in FIPS.

We will have rnd-getentropy.c

Nov 9 2021, 11:16 AM · Testing, FIPS, libgcrypt, Bug Report
gniibe claimed T5636: Run integrity checks + selftests from library constructor in FIPS.
Nov 9 2021, 11:08 AM · Testing, FIPS, libgcrypt, Bug Report
gniibe moved T5636: Run integrity checks + selftests from library constructor in FIPS from Backlog to Next on the FIPS board.
Nov 9 2021, 11:08 AM · Testing, FIPS, libgcrypt, Bug Report
gniibe added a comment to T5512: Implement service indicators.

Applied and pushed symmetric algo for basic.

Nov 9 2021, 7:37 AM · Testing, Feature Request, FIPS, libgcrypt
gniibe committed rCfb931073707e: tests: Explicit FIPS checking for symmetric algorithms. (authored by Jakuje).
tests: Explicit FIPS checking for symmetric algorithms.
Nov 9 2021, 7:37 AM
gniibe committed rC2a899b5b8458: tests: Benchmark also larger RSA keys in FIPS mode (authored by Jakuje).
tests: Benchmark also larger RSA keys in FIPS mode
Nov 9 2021, 7:37 AM
gniibe added a comment to T5636: Run integrity checks + selftests from library constructor in FIPS.

Let me clean up rndlinux.c for current use case, at first.

Nov 9 2021, 7:07 AM · Testing, FIPS, libgcrypt, Bug Report
gniibe added a comment to T5523: jitter entropy RNG update.

I decided to use 3.3.0 disabling pthread feature.

Nov 9 2021, 6:41 AM · Testing, FIPS, libgcrypt

Nov 8 2021

gniibe added a comment to E895: Weekly Standup.

Last week:

  • libgcrypt:
    • jitter entropy: 3.3.0 (newest) but disabling pthread fallback feature
    • T5512
    • T5636
    • keysize for FIPS (RSA and DSA)
  • npth: consider adding poll/ppoll API: D540
  • gpgme: no select but poll: T2385: D539
  • scdaemon: DEVINFO command and rw-lock
  • openpgp-dt
    • keysize
    • quantum computing

This week:

  • openpgp-dt
    • IETF 112
  • libgcrypt
    • fix regression for FIPS enabled: keysize of RSA/DSA
Nov 8 2021, 8:28 AM
gniibe added a comment to T5512: Implement service indicators.

Applied parts except part 2.
The part 3 are modified version, so that memory can be released correctly.

Nov 8 2021, 6:58 AM · Testing, Feature Request, FIPS, libgcrypt
gniibe committed rCdf66bd94e6e3: dsa: Add checks in FIPS mode. (authored by gniibe).
dsa: Add checks in FIPS mode.
Nov 8 2021, 6:54 AM
gniibe committed rC1f45fec20822: tests: Add 2k RSA key working in FIPS mode. (authored by Jakuje).
tests: Add 2k RSA key working in FIPS mode.
Nov 8 2021, 6:54 AM
gniibe committed rC1b29be8e7e49: tests: Fix basic.c:check_pubkey. (authored by gniibe).
tests: Fix basic.c:check_pubkey.
Nov 8 2021, 6:54 AM
gniibe committed rCcc3571a1f224: tests: Expect errors from algorithms not supported in FIPS mode. (authored by gniibe).
tests: Expect errors from algorithms not supported in FIPS mode.
Nov 8 2021, 6:54 AM
gniibe committed rC40d63d09b2d0: rsa: Check keylen constraints for key operations. (authored by Jakuje).
rsa: Check keylen constraints for key operations.
Nov 8 2021, 6:54 AM
gniibe committed rCff5ab6a80934: cipher: Respect the disabled flag of pubkey algorithms (authored by Jakuje).
cipher: Respect the disabled flag of pubkey algorithms
Nov 8 2021, 6:54 AM

Nov 5 2021

gniibe committed rC976673425784: doc: Reference the new FIPS 140-3 (authored by Jakuje).
doc: Reference the new FIPS 140-3
Nov 5 2021, 7:45 AM
gniibe added a comment to T5636: Run integrity checks + selftests from library constructor in FIPS.

Firstly, applied uncontroversial part in rC976673425784: doc: Reference the new FIPS 140-3

Nov 5 2021, 7:23 AM · Testing, FIPS, libgcrypt, Bug Report
gniibe added a comment to D540: Adding poll/ppoll to NPTH.

I use unsigned long instead of nfds_t, so that a user doesn't need to include <poll.h> when he doesn't use poll/ppoll API.

Nov 5 2021, 6:22 AM
gniibe requested review of D540: Adding poll/ppoll to NPTH.
Nov 5 2021, 6:21 AM
gniibe added a comment to D539: Using poll instead, removing use of select for POSIX system.

Don't apply tests/gpg/t-support.h, it's only for testing this patch.
When test, before running 'make check' please do:

Nov 5 2021, 3:26 AM
gniibe updated the diff for D539: Using poll instead, removing use of select for POSIX system.

Update to include the change of tests.
Also include a change for tests/gpg/t-support.h to run tests under artificial environment.

Nov 5 2021, 3:25 AM

Nov 4 2021

gniibe added a comment to T2385: support more than 1024 fds..

For libgcrypt, it was fixed in: T5637: Use poll for libgcrypt (support more than 1024 fds)

Nov 4 2021, 3:54 AM · Testing, gpgrt, Feature Request, gpgme
gniibe requested review of D539: Using poll instead, removing use of select for POSIX system.
Nov 4 2021, 3:50 AM
gniibe changed the status of T5637: Use poll for libgcrypt (support more than 1024 fds), a subtask of T2385: support more than 1024 fds., from Open to Testing.
Nov 4 2021, 1:43 AM · Testing, gpgrt, Feature Request, gpgme
gniibe changed the status of T5637: Use poll for libgcrypt (support more than 1024 fds) from Open to Testing.
Nov 4 2021, 1:43 AM · Testing, libgcrypt, Feature Request
gniibe committed rE61843dace32f: estream: Only include sys/select.h when needed. (authored by gniibe).
estream: Only include sys/select.h when needed.
Nov 4 2021, 1:41 AM

Nov 2 2021

gniibe committed rG49f7fcb90b5d: scd: Simplify the loop of DEVINFO. (authored by gniibe).
scd: Simplify the loop of DEVINFO.
Nov 2 2021, 6:11 AM

Nov 1 2021

gniibe added a comment to E894: Weekly Standup.

Last week:

This week:

  • scdaemon
  • openpgp
  • libgcrypt: constructor thing on FIPS, drbg continued
Nov 1 2021, 8:52 AM
gniibe claimed T5665: libgcrypt : Restrict message digest use for FIPS 140-3.
Nov 1 2021, 6:59 AM · Testing, FIPS, Bug Report, libgcrypt
gniibe added a comment to T5665: libgcrypt : Restrict message digest use for FIPS 140-3.

Check for FIPS has been added. (1) and (2) were solved.

Nov 1 2021, 6:59 AM · Testing, FIPS, Bug Report, libgcrypt
gniibe committed rCcfd1dd6a838f: cipher:md: Check digest algo is supported when FIPS enabled. (authored by gniibe).
cipher:md: Check digest algo is supported when FIPS enabled.
Nov 1 2021, 6:59 AM
gniibe added a comment to T5523: jitter entropy RNG update.

Its copyright notice in upstream now refers LICENSE file, which requires some arrangement.

Nov 1 2021, 6:48 AM · Testing, FIPS, libgcrypt

Oct 29 2021

gniibe added a comment to T5523: jitter entropy RNG update.

I work on gniibe/jitterent branch.
I realized that full featured jitterentropy now requires pthread. Timer-less mode uses threads for entropy. This is not good for libgcrypt use.

Oct 29 2021, 8:05 AM · Testing, FIPS, libgcrypt
gniibe committed rC34d55589b7d9: mpi: Allow opaque MPI with zero length. (authored by gniibe).
mpi: Allow opaque MPI with zero length.
Oct 29 2021, 6:08 AM
gniibe committed rC7f2fbbcdce46: mpi: Allow opaque MPI with zero length. (authored by gniibe).
mpi: Allow opaque MPI with zero length.
Oct 29 2021, 6:08 AM
gniibe committed rG99e00ec6db33: scd: Fix the previous commit. (authored by gniibe).
scd: Fix the previous commit.
Oct 29 2021, 4:48 AM
gniibe added projects to T5359: Kleopatra: Loop in DeviceInfoWatcher with GnuPG 2.3 on Windows: scd, Testing.
Oct 29 2021, 4:19 AM · Testing, scd, Restricted Project, kleopatra
gniibe moved T5359: Kleopatra: Loop in DeviceInfoWatcher with GnuPG 2.3 on Windows from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Oct 29 2021, 4:18 AM · Testing, scd, Restricted Project, kleopatra
gniibe added a comment to T5359: Kleopatra: Loop in DeviceInfoWatcher with GnuPG 2.3 on Windows.

Sorry, I have been confused and it took time to understand issues.
Indeed, there are (at least) four issues.

Oct 29 2021, 4:09 AM · Testing, scd, Restricted Project, kleopatra
gniibe committed rG48e824b6ea69: scd: Modify DEVINFO behavior to support looping forever. (authored by gniibe).
scd: Modify DEVINFO behavior to support looping forever.
Oct 29 2021, 3:59 AM

Oct 27 2021

gniibe added a comment to T5574: GPG Portable on USB-Stick - Problems with GnuPG 2.2.30.

I think that this is due to support of UTF-8 codepage problem by console.

Oct 27 2021, 4:34 AM · Info Needed, Bug Report

Oct 25 2021

gniibe moved T5665: libgcrypt : Restrict message digest use for FIPS 140-3 from Backlog to Next on the FIPS board.
Oct 25 2021, 11:09 AM · Testing, FIPS, Bug Report, libgcrypt
gniibe moved T5244: libgcrypt: Restrict MD5 use from Backlog to Done on the FIPS board.
Oct 25 2021, 11:08 AM · Testing, Bug Report, FIPS, libgcrypt
gniibe moved T5669: Run continuous random test in FIPS mode from Backlog to Next on the FIPS board.
Oct 25 2021, 11:07 AM · libgcrypt, FIPS, Bug Report
gniibe added a comment to E892: Weekly Standup.

Last week:

This week:

  • gnupg / v5 / 448
    • secret key handling
  • libgcrypt
    • more on FIPS
Oct 25 2021, 9:45 AM
gniibe is attending E892: Weekly Standup.
Oct 25 2021, 9:41 AM

Oct 22 2021

gniibe committed rG752422a792ce: scd: Select a reader for PC/SC. (authored by gniibe).
scd: Select a reader for PC/SC.
Oct 22 2021, 6:51 AM
gniibe added a comment to T5644: Heuristic for default reader detection.

I put my initial try by rG752422a792ce: scd: Select a reader for PC/SC..

Oct 22 2021, 6:51 AM · Testing, Feature Request, gnupg (gpg22)
gniibe added a comment to T5644: Heuristic for default reader detection.

I found this: https://gist.github.com/PatrickLang/7be00ba46a43eca3ef64ffe64b494749#user-content-conflicts-with-windows-hello--virtual-smart-card

Oct 22 2021, 4:45 AM · Testing, Feature Request, gnupg (gpg22)
gniibe added a comment to T5669: Run continuous random test in FIPS mode.

I understand the point in the 1706920, but I'm afraid that the patch itself would not be directly related for the bug. My point: It surely may catch a most serious failure, but not many failures (if we need to check here).

Oct 22 2021, 3:02 AM · libgcrypt, FIPS, Bug Report

Oct 20 2021

gniibe updated the task description for T5665: libgcrypt : Restrict message digest use for FIPS 140-3.
Oct 20 2021, 12:21 PM · Testing, FIPS, Bug Report, libgcrypt
gniibe added a comment to T5665: libgcrypt : Restrict message digest use for FIPS 140-3.

Perhaps, as a library (considering the benefit of users), it would be better to allow signature verification with SHA-1, to defer the decision to application.

Oct 20 2021, 12:20 PM · Testing, FIPS, Bug Report, libgcrypt
gniibe added a comment to T5664: npth-1.6: error: unknown type name ‘pthread_rwlock_t’.

I have a little concern for glibc 2.34 (which has dummy libpthread and all is actually in libc).

Oct 20 2021, 9:57 AM · npth, Bug Report
gniibe committed rCa23cf78102f3: cipher: Reject SHA-1 for hash+sign/verify when FIPS enabled. (authored by gniibe).
cipher: Reject SHA-1 for hash+sign/verify when FIPS enabled.
Oct 20 2021, 5:40 AM
gniibe added a comment to T5665: libgcrypt : Restrict message digest use for FIPS 140-3.

(3-1) is implemented: rCa23cf78102f3: cipher: Reject SHA-1 for hash+sign/verify when FIPS enabled.

Oct 20 2021, 5:13 AM · Testing, FIPS, Bug Report, libgcrypt
gniibe updated the task description for T5665: libgcrypt : Restrict message digest use for FIPS 140-3.
Oct 20 2021, 4:28 AM · Testing, FIPS, Bug Report, libgcrypt
gniibe added a comment to T5665: libgcrypt : Restrict message digest use for FIPS 140-3.

For a programmer like me, it is easier if the behavior will be:

Oct 20 2021, 4:26 AM · Testing, FIPS, Bug Report, libgcrypt
gniibe triaged T5664: npth-1.6: error: unknown type name ‘pthread_rwlock_t’ as Normal priority.

It was fixed in: rPTH223e59f992f9: build: Define _NPTH_NO_RWLOCK when we can't find pthread_rwlock_t. and rPTH09a12a679ec0: Fix how we expose rwlock API.

Oct 20 2021, 3:36 AM · npth, Bug Report
gniibe added a comment to T5433: libgcrypt: Do not use SHA1 by default.

The problem is that the SHA-1 as a digest algorithm itself is allowed in FIPS mode (for non-cryptographic digests), but using it as part of approved signature scheme is not allowed

Oct 20 2021, 3:27 AM · FIPS, libgcrypt, Bug Report
gniibe added a comment to T5665: libgcrypt : Restrict message digest use for FIPS 140-3.

The current code is inconsistent about its behavior: how non-approved digest algos are supported or not when FIPS enabled.

Oct 20 2021, 3:17 AM · Testing, FIPS, Bug Report, libgcrypt
gniibe added projects to T5665: libgcrypt : Restrict message digest use for FIPS 140-3: libgcrypt, Bug Report, FIPS.

If .fips will mean FIPS 140-3, why not the following patch?

diff --git a/cipher/sha1.c b/cipher/sha1.c
index 3bb24c7e..cb50ef66 100644
--- a/cipher/sha1.c
+++ b/cipher/sha1.c
@@ -759,7 +759,7 @@ static gcry_md_oid_spec_t oid_spec_sha1[] =
Oct 20 2021, 3:07 AM · Testing, FIPS, Bug Report, libgcrypt
gniibe renamed T5244: libgcrypt: Restrict MD5 use from libgcrypt: Restrict message digest use to libgcrypt: Restrict MD5 use.
Oct 20 2021, 3:04 AM · Testing, Bug Report, FIPS, libgcrypt
gniibe added a project to T5244: libgcrypt: Restrict MD5 use: Bug Report.

I created T5665: libgcrypt : Restrict message digest use for FIPS 140-3.

Oct 20 2021, 3:03 AM · Testing, Bug Report, FIPS, libgcrypt
gniibe triaged T5665: libgcrypt : Restrict message digest use for FIPS 140-3 as High priority.
Oct 20 2021, 2:59 AM · Testing, FIPS, Bug Report, libgcrypt
gniibe removed a project from T5244: libgcrypt: Restrict MD5 use: Testing.

Let me move this ticket as DONE (now Testing status), as the subject was solved (MD5 and soft/forced/inactive things).

Oct 20 2021, 2:54 AM · Testing, Bug Report, FIPS, libgcrypt

Oct 19 2021

gniibe added a comment to T5433: libgcrypt: Do not use SHA1 by default.

I investigated if the possible change above (if applied) constitutes an ABI change: Indeed, it will be an ABI change, and an API change; code should be modified and build.

Oct 19 2021, 8:58 AM · FIPS, libgcrypt, Bug Report
gniibe added a comment to T5433: libgcrypt: Do not use SHA1 by default.

Sorry, I was wrong. We don't need any changes.

Oct 19 2021, 8:07 AM · FIPS, libgcrypt, Bug Report

Oct 18 2021

gniibe added a comment to T5433: libgcrypt: Do not use SHA1 by default.

I am going to implement rejecting SHA-1 through new API (hash+sign, hash+verify).

Oct 18 2021, 11:24 AM · FIPS, libgcrypt, Bug Report
gniibe added a comment to E891: Weekly Standup.

Last week:

  • libgcrypt
  • libksba: Bison and its yylex: T5616
  • pinentry-curses: color support: T5631 and others
  • dirmngr - dns: T5657
  • New Gnuk release for PC/SC and emulated Gnuk

This week:

  • openpgp
    • Implement writing side of new448
  • libgcrypt
    • more on constructor / global_init
  • gnupg
    • consider PC/SC heuristic T5644 and use of virtual PC/SC driver
Oct 18 2021, 9:44 AM
gniibe is attending E891: Weekly Standup.
Oct 18 2021, 9:35 AM

Oct 15 2021

gniibe added a comment to T5636: Run integrity checks + selftests from library constructor in FIPS.

It seems for me that the patches to random/ was written in old days.

  • Now, we have getentropy in libc
    • This is most reliable one
    • better than urandom, because it may block when kernel is not yet seeded
    • better than random, because it never blocks once kernel is seeded
  • So, the real path in rndlinux.c is actually, call to getentropy
  • No access to /dev/random or /dev/urandom any more, in fact
  • Although old code remains, non-touched
    • like use of syscall when getentropy function is not available
Oct 15 2021, 8:42 AM · Testing, FIPS, libgcrypt, Bug Report
gniibe added a comment to T4894: FIPS: RSA/DSA/ECDSA are missing hashing operation.

Add doc in gcrypt.texi.

Oct 15 2021, 8:02 AM · Testing, FIPS, libgcrypt, Feature Request
gniibe committed rC8f31f652d453: doc: Add entries for hash+sign functions. (authored by gniibe).
doc: Add entries for hash+sign functions.
Oct 15 2021, 8:01 AM
gniibe committed rCd45db4ad16fe: fips: Improve selftests invocation. (authored by Jakuje).
fips: Improve selftests invocation.
Oct 15 2021, 4:37 AM
gniibe added a comment to T5617: fips: Check library integrity before running selftests.

Thank you. Applied.

Oct 15 2021, 4:37 AM · Testing, FIPS, libgcrypt, Bug Report
gniibe added a comment to T5631: pinentry-curses on OpenIndiana (Illumos distro) doesn't display correctly.

Thanks for testing. I pushed a fix for my typo: rPb713f31c5b04: curses: Fix the previous commit.

Oct 15 2021, 4:20 AM · Testing, pinentry
gniibe committed rPb713f31c5b04: curses: Fix the previous commit. (authored by gniibe).
curses: Fix the previous commit.
Oct 15 2021, 4:18 AM
gniibe committed rG48359c723206: dns: Make reading resolv.conf more robust. (authored by gniibe).
dns: Make reading resolv.conf more robust.
Oct 15 2021, 3:56 AM
gniibe added a comment to T5657: dirmngr: libdns sends malformed dns requests.

I don't know if it's same in your case, but to fix my case, I pushed a change rG48359c723206: dns: Make reading resolv.conf more robust.

Oct 15 2021, 3:52 AM · Info Needed, Bug Report, dns, dirmngr
gniibe added a comment to T5657: dirmngr: libdns sends malformed dns requests.

I managed to create a case. Put a line:

Oct 15 2021, 3:28 AM · Info Needed, Bug Report, dns, dirmngr
gniibe triaged T5658: pinentry-curses color option as Normal priority.
Oct 15 2021, 2:29 AM · Documentation, pinentry
gniibe triaged T5659: pinentry-curses disable colors as Normal priority.
Oct 15 2021, 2:27 AM · pinentry, Feature Request
gniibe updated the task description for T5659: pinentry-curses disable colors.
Oct 15 2021, 2:27 AM · pinentry, Feature Request
gniibe updated the task description for T5658: pinentry-curses color option.
Oct 15 2021, 2:26 AM · Documentation, pinentry
gniibe added a comment to T5657: dirmngr: libdns sends malformed dns requests.

BTW, in your screen shot (log is preferred here), it shows 1c00, that must be actually written as AAAA (0x1c). In the bug T3803, we saw byte sequence like that, additional 00 was added then resulted malformed DNS packet.

Oct 15 2021, 2:17 AM · Info Needed, Bug Report, dns, dirmngr

Oct 14 2021

gniibe triaged T5617: fips: Check library integrity before running selftests as Normal priority.

OK, let us start discussion by applying the patch first.

Oct 14 2021, 9:53 AM · Testing, FIPS, libgcrypt, Bug Report
gniibe committed rCb496868dc37d: fips: Fix the previous commit. (authored by gniibe).
fips: Fix the previous commit.
Oct 14 2021, 9:45 AM
gniibe committed rCd2c68849d19b: fips: Verify library integrity before running selftests. (authored by Jakuje).
fips: Verify library integrity before running selftests.
Oct 14 2021, 9:38 AM
gniibe changed the status of T5645: RSA/DSA keygen modification for FIPS/ACVP testing from Open to Testing.
Oct 14 2021, 9:29 AM · Testing, libgcrypt, FIPS, Bug Report
gniibe added a project to T5645: RSA/DSA keygen modification for FIPS/ACVP testing: Testing.
Oct 14 2021, 9:28 AM · Testing, libgcrypt, FIPS, Bug Report