Adding comments, fixing "const" qualifier, I pushed the change.
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Advanced Search
Dec 10 2021
Thank you, applied.
Dec 9 2021
A patch created:
Thank you, applied.
Dec 8 2021
GnuPG 2.2 does:
- In g10/sign.c:do_sign, it keeps leading zeros for Ed25519 signature, as opaque MPI
- In g10/build-packet.c:do_signature which calls gpg_mpi_write to output the (opaque) MPI, leading zeros are removed.
Let me explain concretely.
Reading compressed point format has been done.
If writing support is needed, please open another task.
This new API is not for FIPS directly (any more), as we introduced pk_hash_sign/verify for FIPS.
Pushed the backport.
I have been convinced disabling DSA makes more sense.
Done.
(Actually, it's not in the tarball.)
Dec 7 2021
For GnuPG 2.2, it's better to be conservative (least change of behavior, if any).
We have tests in gniibe/new-pk-api, which can be backported.
- t-dsa
- t-ecdsa
- t-rsa-pss
- t-rsa-15
Thank you, applied.
The patch has been applied.
Thank you, applied.
Dec 6 2021
And please let me know the change rC751fcadd34ed: random: Release memory in DRBG. affects t-secmem failure.
IIUC, one of the causes for the failure of secmem was resource release of DRBG memory.
Thank you for testing.
Applied. Thank you.
Fixed in 2.2.33.
An application should use syshd, instead.
Dec 3 2021
Adding the case for == 0 only might be problematic, because I don't think it's an alias for a secure value; I think that == 0 means that it's up to libgcrypt to select the value (just like other generate_* functions).
Thank you, applied.
Dec 2 2021
What would be setting those? And how do I disable it?
A possibility is that gpg-agent which invokes pinentry happens have COLUMNS and LINES defined, then, pinentry misbehaves.
Thanks again for further information.
For the part 1, I created: T5710: FIPS: disable DSA for FIPS
Dec 1 2021
So, the solution is to build pinentry with newer ncurses. As I wrote in another comment, it's adding a single line to the formula.
Also, applied the part 2, improving basic.c.
Applied the part 3, the 3DES is no-FIPS patch.
Nov 30 2021
Applied the part 4, the indicator patch.
The change for pubkey-util.c is not needed any more, because
- T5665 handles new functions rejects use of SHA-1 as approved signature.
- pubkey-util.c is used by gcry_pk_sign and gcry_pk_verify.
Thank you for the info.
Is there some other command I should run to check which curses it's using? I see there's a --debug flag but I'm not sure how to use it.
I think that either of following might be true:
(1) macOS has older ncurses (which doesn't support ioctl well, to get columns/lines info) in system
(2) macOS has BSD curses (with no suport for ioctl)
Thank you for the information. So, you don't have these environment variables set.
Curses application (of pinentry) get information of screen size by:
- environment variables (COLUMNS, LINES)
- operating system using TIOCGSIZE or TIOCGWINSZ ioctl
- tinfo data base
Nov 29 2021
The original intention was to fix t-poll failure on Windows.
It was fixed in different way in rE858bcd4343ac: tests,w32: Use CreatePipe and es_sysopen..