The change allows internal use of HMAC with shorter key.

Considering again, I concluded the patch above should be applied.
The use of SALT in HKDF may be not secret and there are valid use cases with no last or shorter salt. It's different to the use case of HMAC, where KEY is secret.

Even if it is only a single case (of old version of Wine), I think that it is worth to add es_fflush when writing to file.

What about rejected changes to "Key:"?

In rC76aad97dd312: fips: Reject shorter key for HMAC in FIPS mode., I added rejection, but it would be good to move the check to src/visibility.c to allow internal use.

Looking illumos-gate, Solaris variants have no issues.

Wine 5.0.3 (on Debian bullseye) fails.
Wine 6.0.3 Debian testing does no failure.

My intention to refer rG7b1db7192 was to specify the HEAD of STABLE-BRANCH-2-2, meaning "the head of STABLE-BRANCH-2-2 today". The commit itself has no meaning.

I created minimized test:

Last week:

• Scute
  • trying to introduce major change to support multiple devices: T6002
  • it works for me with Chromium and Firefox
• libgcrypt
  • hkdf implementation
  • T5976 to 1.10 branch (HPPA)
• gnupg
  • T5964 for gnupg (in future), a branch named t5964

I can replicate the error by 2.2.35, but I cannot replicate it with rG7b1db7192.
I tested:

• GNU/Linux
  • i686
  • x86_64
• Windows
  • i686

I pushed the change needed for GnuPG to t5964 branch.

Added HKDF implementation to master.

Applied to 1.10 branch.

didn't seem to work with 1.9.x

I found this page:
https://firefox-source-docs.mozilla.org/security/nss/legacy/nss_tech_notes/nss_tech_note2/index.html

In the branch https://dev.gnupg.org/source/Scute/history/t6002/ , by the commit rS123d617ebefe: Less administration of devices by scute., things has been changed.

Thank you. Applied.

Last weeks:

• libgcrypt
  • T5964
    • OneStep KDF (concatinateKDF): implemented two of them : hash and hmac
      • we don't yet have kmac (Keccak MAC), so, no kmac support for OneStep KDF yet
  • T5973
  • Remove old (now questionable) support cap_ipc_lock of secmem
• pinentry
  • T6007
• gpg-connect-agent
  • Add --unbuffered support
• T5862
  • also tested with pinpad cardreader
  • mostly finished the feasibility study with xsecurelock
    • For X, xsecurelock is the best (as of 2022)
    • unfortunately, there is none like xsecurelock for Wayland
  • gpg-agent: T6012: Add --format-ssh support for READKEY
• libgpg-error:
  • experimental branch added: Remove WindowsCE support
• libassuan
  • T6018
• scdaemon
  • changes for new scute T6002

This week

• scute: T6002
• Meeting for libgcrypt
  • TwoStep KDF

I realized that we need to invent a way to represent KEYGRIP (40-byte string) in the scheme of PKCS#11; PKCS#11 uses fixed-size string (space padded) for it's label (32) and serialno (16). Basically, it identifies the device by slot number.

Because it's the library which refuses null passphrase as input, only possible options are either:

Backported to GnuPG 2.2.

Applied the changes.

Now, it also supports a reader with pinpad.

Created gniibe/t5912 branch.
It works for me.

I can only find this one: https://github.com/patrickfav/singlestep-kdf/wiki/NIST-SP-800-56C-Rev1:-Non-Official-Test-Vectors

Updated (with T6012):