[git] GnuPG - branch, STABLE-BRANCH-1-4, updated. gnupg-1.4.18-12-gf681235
by Werner Koch
cvs at cvs.gnupg.org
Fri Oct 3 18:28:55 CEST 2014
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".
The branch, STABLE-BRANCH-1-4 has been updated
via f68123551f4d5b286309006da67c57878f6cc619 (commit)
via 534e2876acc05f9f8d9b54c18511fe768d77dfb5 (commit)
from 2889a70c102271a1b6ff529bafb6748c4e773014 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit f68123551f4d5b286309006da67c57878f6cc619
Author: Werner Koch <wk at gnupg.org>
Date: Fri Oct 3 18:28:58 2014 +0200
mpi: Fix compiler warning.
* mpi/mpi-inv.c (mpi_invm): Do not return a value.
diff --git a/mpi/mpi-inv.c b/mpi/mpi-inv.c
index 361c57e..43e97d8 100644
--- a/mpi/mpi-inv.c
+++ b/mpi/mpi-inv.c
@@ -166,9 +166,9 @@ mpi_invm( MPI x, MPI a, MPI n )
int odd ;
if (!mpi_cmp_ui (a, 0))
- return 0; /* Inverse does not exists. */
+ return; /* Inverse does not exists. */
if (!mpi_cmp_ui (n, 1))
- return 0; /* Inverse does not exists. */
+ return; /* Inverse does not exists. */
u = mpi_copy(a);
v = mpi_copy(n);
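Review bot: Both early returns leave `x` untouched and give the caller no way to tell that no inverse exists, since per the commit message mpi_invm returns no value. If callers are expected to pre-check `a` and `n`, say so in the function's header comment; otherwise consider storing a defined result before returning, e.g. `mpi_set_ui (x, 0);`, so that stale contents of `x` are never consumed as an inverse. The comment typo could be fixed in the same pass: `/* Inverse does not exist. */`. The body of mpi_invm starts and ends outside this hunk.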
commit 534e2876acc05f9f8d9b54c18511fe768d77dfb5
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Oct 3 12:01:11 2014 -0400
gpg: Add build and runtime support for larger RSA keys
* configure.ac: Added --enable-large-secmem option.
* g10/options.h: Add opt.flags.large_rsa.
* g10/gpg.c: Contingent on configure option: adjust secmem size,
add gpg --enable-large-rsa, bound to opt.flags.large_rsa.
* g10/keygen.c: Adjust max RSA size based on opt.flags.large_rsa
* doc/gpg.texi: Document --enable-large-rsa.
--
Some older implementations built and used RSA keys up to 16Kib, but
the larger secret keys now fail when used by more recent GnuPG, due to
secure memory limitations.
Building with ./configure --enable-large-secmem will make gpg
capable of working with those secret keys, as well as permitting the
use of a new gpg option --enable-large-rsa, which lets gpg generate RSA
keys up to 8Kib when used with --batch --gen-key.
Debian-bug-id: 739424
Minor edits by wk.
GnuPG-bug-id: 1732
diff --git a/configure.ac b/configure.ac
index ae63a4a..1fd6253 100644
--- a/configure.ac
+++ b/configure.ac
@@ -158,6 +158,7 @@ use_exec=yes
card_support=yes
agent_support=yes
disable_keyserver_path=no
+large_secmem=no
AC_ARG_ENABLE(minimal,
AC_HELP_STRING([--enable-minimal],[build the smallest gpg binary possible]),
@@ -177,6 +178,21 @@ AC_ARG_ENABLE(minimal,
agent_support=no)
+AC_MSG_CHECKING([whether to allocate extra secure memory])
+AC_ARG_ENABLE(large-secmem,
+ AC_HELP_STRING([--enable-large-secmem],
+ [allocate extra secure memory]),
+ large_secmem=$enableval, large_secmem=no)
+AC_MSG_RESULT($large_secmem)
+if test "$large_secmem" = yes ; then
+ SECMEM_BUFFER_SIZE=65536
+else
+ SECMEM_BUFFER_SIZE=32768
+fi
+AC_DEFINE_UNQUOTED(SECMEM_BUFFER_SIZE,$SECMEM_BUFFER_SIZE,
+ [Size of secure memory buffer])
+
+
AC_MSG_CHECKING([whether OpenPGP card support is requested])
AC_ARG_ENABLE(card-support,
AC_HELP_STRING([--disable-card-support],
diff --git a/doc/gpg.texi b/doc/gpg.texi
index ded69ce..ae86809 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -1104,6 +1104,15 @@ the opposite meaning. The options are:
validation. This option is only meaningful if pka-lookups is set.
@end table
+ at item --enable-large-rsa
+ at itemx --disable-large-rsa
+ at opindex enable-large-rsa
+ at opindex disable-large-rsa
+With --gen-key and --batch, enable the creation of larger RSA secret
+keys than is generally recommended (up to 8192 bits). These large
+keys are more expensive to use, and their signatures and
+certifications are also larger.
+
@item --enable-dsa2
@itemx --disable-dsa2
@opindex enable-dsa2
diff --git a/g10/gpg.c b/g10/gpg.c
index 1b0a364..6dc15fa 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -372,6 +372,8 @@ enum cmd_and_opt_values
oAutoKeyLocate,
oNoAutoKeyLocate,
oAllowMultisigVerification,
+ oEnableLargeRSA,
+ oDisableLargeRSA,
oEnableDSA2,
oDisableDSA2,
oAllowMultipleMessages,
@@ -719,6 +721,8 @@ static ARGPARSE_OPTS opts[] = {
{ oDebugCCIDDriver, "debug-ccid-driver", 0, "@"},
#endif
{ oAllowMultisigVerification, "allow-multisig-verification", 0, "@"},
+ { oEnableLargeRSA, "enable-large-rsa", 0, "@"},
+ { oDisableLargeRSA, "disable-large-rsa", 0, "@"},
{ oEnableDSA2, "enable-dsa2", 0, "@"},
{ oDisableDSA2, "disable-dsa2", 0, "@"},
{ oAllowMultipleMessages, "allow-multiple-messages", 0, "@"},
@@ -1995,7 +1999,7 @@ main (int argc, char **argv )
}
#endif
/* initialize the secure memory. */
- got_secmem=secmem_init( 32768 );
+ got_secmem=secmem_init( SECMEM_BUFFER_SIZE );
maybe_setuid = 0;
/* Okay, we are now working under our real uid */
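Review bot: With --enable-large-secmem this call requests 64 KiB of secure memory, and whether that much can actually be locked depends on the process's locked-memory limit, which is not visible here. `got_secmem` records the outcome but is consumed outside this hunk, so it is worth confirming that a failed lock is still reported to the user on large-secmem builds rather than key material quietly landing in swappable memory. A short comment at the call would help, e.g. `/* SECMEM_BUFFER_SIZE comes from configure (--enable-large-secmem); locking it may fail under a low RLIMIT_MEMLOCK. */`.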
@@ -2851,6 +2855,22 @@ main (int argc, char **argv )
release_akl();
break;
+ case oEnableLargeRSA:
+#if SECMEM_BUFFER_SIZE >= 65536
+ opt.flags.large_rsa=1;
+#else
+ if (configname)
+ log_info("%s:%d: WARNING: gpg not built with large secure "
+ "memory buffer. Ignoring enable-large-rsa\n",
+ configname,configlineno);
+ else
+ log_info("WARNING: gpg not built with large secure "
+ "memory buffer. Ignoring --enable-large-rsa\n");
+#endif /* SECMEM_BUFFER_SIZE >= 65536 */
+ break;
+ case oDisableLargeRSA: opt.flags.large_rsa=0;
+ break;
+
case oEnableDSA2: opt.flags.dsa2=1; break;
case oDisableDSA2: opt.flags.dsa2=0; break;
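Review bot: On builds without the large buffer the `#else` branch only logs at info level and carries on, so a batch job that asked for a key above 4096 bits will presumably still get a 4096-bit key through the clamp in gen_rsa. The message should tell the user how to fix this, for instance by ending it with `"memory buffer (rebuild with --enable-large-secmem). Ignoring --enable-large-rsa\n"`. The literal 65536 in the `#if` also duplicates the value assigned in configure.ac; a comment tying the two together would keep them from drifting apart. The enclosing switch in main starts and ends outside this hunk.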
diff --git a/g10/keygen.c b/g10/keygen.c
index 84f852f..9020908 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -1253,6 +1253,7 @@ gen_rsa(int algo, unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek,
PKT_public_key *pk;
MPI skey[6];
MPI *factors;
+ const unsigned maxsize = (opt.flags.large_rsa ? 8192 : 4096);
assert( is_RSA(algo) );
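Review bot: The limits 4096 and 8192 on the new `maxsize` line are bare literals, and nothing here says why the larger one is only safe when `opt.flags.large_rsa` is set. I would add a comment above it such as `/* 8192-bit keys need the 64 KiB secure memory pool; large_rsa can only be set on builds configured with --enable-large-secmem. */`. The documentation limits the option to --gen-key with --batch, but this function applies the flag regardless of mode, so the interactive size prompt (outside this diff) presumably enforces its own cap; worth confirming. gen_rsa starts and ends outside this hunk.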
@@ -1260,8 +1261,8 @@ gen_rsa(int algo, unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek,
nbits = 2048;
log_info(_("keysize invalid; using %u bits\n"), nbits );
}
- else if (nbits > 4096) {
- nbits = 4096;
+ else if (nbits > maxsize) {
+ nbits = maxsize;
log_info(_("keysize invalid; using %u bits\n"), nbits );
}
diff --git a/g10/options.h b/g10/options.h
index d6326d8..670cf64 100644
--- a/g10/options.h
+++ b/g10/options.h
@@ -231,6 +231,7 @@ struct
unsigned int utf8_filename:1;
unsigned int dsa2:1;
unsigned int allow_multiple_messages:1;
+ unsigned int large_rsa:1;
} flags;
/* Linked list of ways to find a key if the key isn't on the local
-----------------------------------------------------------------------
Summary of changes:
configure.ac | 16 ++++++++++++++++
doc/gpg.texi | 9 +++++++++
g10/gpg.c | 22 +++++++++++++++++++++-
g10/keygen.c | 5 +++--
g10/options.h | 1 +
mpi/mpi-inv.c | 4 ++--
6 files changed, 52 insertions(+), 5 deletions(-)
hooks/post-receive
--
The GNU Privacy Guard
http://git.gnupg.org