Page MenuHome GnuPG

DebianUmbrella
ActivePublic

Recent Activity

Oct 23 2023

jukivili closed T6451: libgcrypt | gcry_cipher_setkey: 3DES-CBC key returns GPG_ERR_WEAK even with GCRYCTL_SET_ALLOW_WEAK_KEY as Resolved.
Oct 23 2023, 6:56 PM · Debian, libgcrypt, Bug Report

Jul 24 2023

ebo moved T5231: Debian: Get recent GnuPG stable into bullseye from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Jul 24 2023, 2:13 PM · Debian, Restricted Project

Apr 23 2023

jukivili added a comment to T6451: libgcrypt | gcry_cipher_setkey: 3DES-CBC key returns GPG_ERR_WEAK even with GCRYCTL_SET_ALLOW_WEAK_KEY.

Here's fix for mode specific setkey clearing error code:

Apr 23 2023, 2:38 PM · Debian, libgcrypt, Bug Report

Apr 21 2023

werner added a comment to T6451: libgcrypt | gcry_cipher_setkey: 3DES-CBC key returns GPG_ERR_WEAK even with GCRYCTL_SET_ALLOW_WEAK_KEY.

There is still a buglet because in some modes the weak key error can be swallowed by other errors. A fix would be something like:

Apr 21 2023, 9:09 AM · Debian, libgcrypt, Bug Report
gniibe added a comment to T6451: libgcrypt | gcry_cipher_setkey: 3DES-CBC key returns GPG_ERR_WEAK even with GCRYCTL_SET_ALLOW_WEAK_KEY.

@jukivili Yes, please go ahead for both branches. Thank you.

Apr 21 2023, 5:06 AM · Debian, libgcrypt, Bug Report

Apr 20 2023

jukivili added a comment to T6451: libgcrypt | gcry_cipher_setkey: 3DES-CBC key returns GPG_ERR_WEAK even with GCRYCTL_SET_ALLOW_WEAK_KEY.

About error code. You need to use gcry_err_code(error_code) to get the GPG_ERR_WEAK_KEY value.

Apr 20 2023, 6:22 PM · Debian, libgcrypt, Bug Report

Apr 17 2023

Wolff17 added a comment to T6451: libgcrypt | gcry_cipher_setkey: 3DES-CBC key returns GPG_ERR_WEAK even with GCRYCTL_SET_ALLOW_WEAK_KEY.

Ok sorry, my bad, I have to use DES Keying option 2 to have 45 de ae ae e1 f4 6a 29, problem solved.

Apr 17 2023, 3:02 PM · Debian, libgcrypt, Bug Report
werner added a comment to T6451: libgcrypt | gcry_cipher_setkey: 3DES-CBC key returns GPG_ERR_WEAK even with GCRYCTL_SET_ALLOW_WEAK_KEY.

Reading the commit rC5beadf201312: Add gcry_cipher_ctl command to allow weak keys in testing use-cases,
The test code in basic.c assumes that it is an application responsibility to confirm&ignore GPG_ERR_WEAK_KEY error when using GCRYCTL_SET_ALLOW_WEAK_KEY.

Apr 17 2023, 1:25 PM · Debian, libgcrypt, Bug Report
Wolff17 added a comment to T6451: libgcrypt | gcry_cipher_setkey: 3DES-CBC key returns GPG_ERR_WEAK even with GCRYCTL_SET_ALLOW_WEAK_KEY.

Thank you for you responses! :)

Apr 17 2023, 9:50 AM · Debian, libgcrypt, Bug Report
jukivili added a comment to T6451: libgcrypt | gcry_cipher_setkey: 3DES-CBC key returns GPG_ERR_WEAK even with GCRYCTL_SET_ALLOW_WEAK_KEY.

I'll add documentation about GCRYCTL_SET_ALLOW_WEAK_KEY which was missing from be original commit.

Apr 17 2023, 8:36 AM · Debian, libgcrypt, Bug Report
jukivili added a comment to T6451: libgcrypt | gcry_cipher_setkey: 3DES-CBC key returns GPG_ERR_WEAK even with GCRYCTL_SET_ALLOW_WEAK_KEY.

tests/basic now actually fail because setkey not returning GPG_ERR_WEAK_KEY for weak keys with GCRYCTL_SET_ALLOW_WEAK_KEY.

Apr 17 2023, 8:34 AM · Debian, libgcrypt, Bug Report
jukivili added a comment to T6451: libgcrypt | gcry_cipher_setkey: 3DES-CBC key returns GPG_ERR_WEAK even with GCRYCTL_SET_ALLOW_WEAK_KEY.

That's right. With GCRYCTL_SET_ALLOW_WEAK_KEY, setkey still returns GPG_ERR_WEAK_KEY when weak key is detected. However, cipher handle can still be used as if setkey succeeded.

Apr 17 2023, 8:31 AM · Debian, libgcrypt, Bug Report
gniibe added a comment to T6451: libgcrypt | gcry_cipher_setkey: 3DES-CBC key returns GPG_ERR_WEAK even with GCRYCTL_SET_ALLOW_WEAK_KEY.

Reading the commit rC5beadf201312: Add gcry_cipher_ctl command to allow weak keys in testing use-cases,
The test code in basic.c assumes that it is an application responsibility to confirm&ignore GPG_ERR_WEAK_KEY error when using GCRYCTL_SET_ALLOW_WEAK_KEY.

Apr 17 2023, 2:50 AM · Debian, libgcrypt, Bug Report

Apr 16 2023

werner triaged T6451: libgcrypt | gcry_cipher_setkey: 3DES-CBC key returns GPG_ERR_WEAK even with GCRYCTL_SET_ALLOW_WEAK_KEY as Low priority.

Thanks for the report. Fix is easy. I only wonder why you want to use a weak DES key.

Apr 16 2023, 8:31 PM · Debian, libgcrypt, Bug Report

Apr 14 2023

Wolff17 created T6451: libgcrypt | gcry_cipher_setkey: 3DES-CBC key returns GPG_ERR_WEAK even with GCRYCTL_SET_ALLOW_WEAK_KEY.
Apr 14 2023, 6:17 PM · Debian, libgcrypt, Bug Report

Apr 13 2023

gniibe closed T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt as Resolved.

Fixed in 1.10.2.

Apr 13 2023, 3:13 AM · libgcrypt, Feature Request, Ubuntu, Debian, FIPS

Apr 3 2023

Wolff17 added a comment to T6435: libgcrypt | gcry_mpi_ec_mul return a truncated point coordinate.

Your quick support solve my problem, I am thanking you :)
Bye bye

Apr 3 2023, 10:25 AM · Debian, libgcrypt, Bug Report
werner closed T6435: libgcrypt | gcry_mpi_ec_mul return a truncated point coordinate as Resolved.

I added a remark to the print function. Thanks for the suggestion.

Apr 3 2023, 10:22 AM · Debian, libgcrypt, Bug Report
Wolff17 added a comment to T6435: libgcrypt | gcry_mpi_ec_mul return a truncated point coordinate.

You are right, w.y should be "00039E2C9AEC146C5799651C42691A3E35E291B6BC45FF079DDA3E70E709BF33".

Apr 3 2023, 9:39 AM · Debian, libgcrypt, Bug Report
werner added a comment to T6435: libgcrypt | gcry_mpi_ec_mul return a truncated point coordinate.

Can you please share the expected result with us? Note that Libgcrypt strips leading zeroes except when it is required to keep the value positive.

Apr 3 2023, 9:30 AM · Debian, libgcrypt, Bug Report
Wolff17 created T6435: libgcrypt | gcry_mpi_ec_mul return a truncated point coordinate.
Apr 3 2023, 9:24 AM · Debian, libgcrypt, Bug Report

Mar 8 2023

gniibe moved T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt from Backlog to Next on the FIPS board.
Mar 8 2023, 2:39 AM · libgcrypt, Feature Request, Ubuntu, Debian, FIPS
gniibe changed the status of T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt from Open to Testing.

Thank you.
Applied to both (master and 1.10).

Mar 8 2023, 2:39 AM · libgcrypt, Feature Request, Ubuntu, Debian, FIPS

Mar 6 2023

tobhe added a comment to T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt.

Right, thanks for the review! Updated patches below.

Mar 6 2023, 5:11 PM · libgcrypt, Feature Request, Ubuntu, Debian, FIPS
Jakuje added a comment to T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt.

Actually, the same issue is in the mac case, which I missed on first couple of reviews:

-  enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_cipher_algos);
+  enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos);
Mar 6 2023, 5:01 PM · libgcrypt, Feature Request, Ubuntu, Debian, FIPS
Jakuje added a comment to T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt.

Going through the code once more, there is one typo to be fixed:

+_gcry_fips_indicator_md (va_list arg_ptr)
+{
+  enum gcry_md_algos alg = va_arg (arg_ptr, enum gcry_cipher_algos);

should say

+_gcry_fips_indicator_md (va_list arg_ptr)
+{
+  enum gcry_md_algos alg = va_arg (arg_ptr, enum gcry_md_algos);

otherwise ack.

Mar 6 2023, 4:46 PM · libgcrypt, Feature Request, Ubuntu, Debian, FIPS

Mar 1 2023

Jakuje added a comment to T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt.

We came to the same conclusion -- the SHAKE digests are not usable for sign/verify operations the way how it is implemented now. But it would be more clear if we would have explicit allow-list.

Mar 1 2023, 7:57 PM · libgcrypt, Feature Request, Ubuntu, Debian, FIPS
tobhe added a comment to T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt.

After consulting with our certs lab and studying the code I think SHAKE should not be a problem for now. All of the _gcry_digest_spec_shakeXXX seem to neither have an mdlen nor a read() function. pk_sign and pk_verify seem to both call md_read() which should fail because of the missing read function, kdf checks _gcry_md_get_algo_dlen() which should also disallow SHAKE.

Mar 1 2023, 12:55 PM · libgcrypt, Feature Request, Ubuntu, Debian, FIPS

Feb 27 2023

tobhe added a comment to T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt.

Good catch. A similar problem might arise with SHA384 according to section D.R which states

Feb 27 2023, 3:15 PM · libgcrypt, Feature Request, Ubuntu, Debian, FIPS
neverpanic added a comment to T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt.

One potential pitfall here is that SHAKE-128 and SHAKE-256 must not be available for use in signature operations. That's because https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf section C.C disallows the use of SHAKE in higher-level algorithms:

Feb 27 2023, 3:01 PM · libgcrypt, Feature Request, Ubuntu, Debian, FIPS
neverpanic added a comment to T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt.

These look good to me.

Feb 27 2023, 1:45 PM · libgcrypt, Feature Request, Ubuntu, Debian, FIPS
tobhe added a comment to T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt.

Right, we have received the same feedback from our cert lab but I haven't found time to update the bug yet. Here are the updated patches:

Feb 27 2023, 12:19 PM · libgcrypt, Feature Request, Ubuntu, Debian, FIPS
neverpanic added a comment to T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt.

This marks GCRY_MD_CRC32, GCRY_MD_CRC24_RFC2440 and GCRY_MD_CRC32_RFC1510 as approved.

Feb 27 2023, 11:44 AM · libgcrypt, Feature Request, Ubuntu, Debian, FIPS

Feb 16 2023

werner triaged T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt as Low priority.
Feb 16 2023, 11:43 AM · libgcrypt, Feature Request, Ubuntu, Debian, FIPS
tobhe created T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt.
Feb 16 2023, 3:41 AM · libgcrypt, Feature Request, Ubuntu, Debian, FIPS

May 27 2022

sergi added a watcher for Debian: sergi.
May 27 2022, 10:04 PM
srgblnchtrn removed a watcher for Debian: srgblnchtrn.
May 27 2022, 10:04 PM

Aug 13 2021

werner changed the edit policy for Debian.
Aug 13 2021, 3:56 PM

Jun 2 2021

werner closed T5423: libgcrypt 1.8 ECDH as Resolved.
Jun 2 2021, 12:57 PM · Debian, libgcrypt

May 6 2021

werner added a project to T5423: libgcrypt 1.8 ECDH: Debian.

FWIW, I think that it is a Bad Thing to use unreleased stuff from 1.8 for Debian packages. Only released versions sshould be used or patches we explicitly made to fix a bug. At the very least Andreas should have asked upstream whether this commit should be used for Sid.

May 6 2021, 9:00 AM · Debian, libgcrypt

Mar 1 2021

cbiedl closed T5231: Debian: Get recent GnuPG stable into bullseye as Resolved.

[2021-02-24] gnupg2 2.2.27-1 MIGRATED to testing (Debian testing watch)

Mar 1 2021, 10:16 AM · Debian, Restricted Project

Feb 10 2021

werner closed T1089: Please store requests in a cache to avoid sending out duplicate requests (mailto: interface) as Wontfix.
Feb 10 2021, 10:59 AM · gnupg (gpg23), gnupg, Debian, Feature Request

Jan 11 2021

aheinecke created T5231: Debian: Get recent GnuPG stable into bullseye.
Jan 11 2021, 3:21 PM · Debian, Restricted Project

Jul 15 2020

werner closed T4982: [PATCH] qt libraries should be linked with -fPIC instead of -fpic as Wontfix.

We can't do anything about it except for corner cases which we won't do right now. In case there will be an easy solution to help Debian please re-open this bug.

Jul 15 2020, 4:45 PM · Debian, gpgme
werner edited projects for T4982: [PATCH] qt libraries should be linked with -fPIC instead of -fpic, added: Debian; removed Info Needed, Bug Report.
Jul 15 2020, 12:19 PM · Debian, gpgme

Jun 3 2019

gniibe closed T4031: gpg-check-pattern.1 in Debian generates warnings from test-groff as Resolved.

I added the section in tools.texi. Closing.

Jun 3 2019, 5:00 AM · Debian, gnupg, Bug Report

May 20 2019

dkg added a comment to T4106: Terminal use case for gpg-agent and gpg-agent for ssh-agent feature.

trigger what command? i'm pretty sure gpgconf --reload gpg-agent does not trigger updatestartuptty. And it should not do so, afaict -- if you think it should, i'd be interested in hearing the rationale for it.

May 20 2019, 5:28 AM · Debian, gpgagent, Bug Report
ageis added a comment to T4106: Terminal use case for gpg-agent and gpg-agent for ssh-agent feature.

Does gpgconf --reload gpg-agent trigger that command? that's the ExecReload setting in the systemd service unit I'm looking at.

May 20 2019, 1:05 AM · Debian, gpgagent, Bug Report

May 19 2019

dkg added a comment to T4106: Terminal use case for gpg-agent and gpg-agent for ssh-agent feature.

This doesn't sound systemd-specific to me, fwiw, though i don't understand how to reproduce the problem from the given description here.

May 19 2019, 9:05 PM · Debian, gpgagent, Bug Report

Sep 11 2018

werner closed T2968: gpg --search: Connection closed in DNS as Resolved.

We assume that this has meanwhile been fixed.

Sep 11 2018, 10:34 AM · Info Needed, gnupg (gpg22), Bug Report, Debian, Keyserver, dirmngr