[git] GnuPG - branch, master, updated. gnupg-2.1.0-beta864-11-g5b5e5a6
by Werner Koch
cvs at cvs.gnupg.org
Fri Oct 10 13:51:35 CEST 2014
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".
The branch, master has been updated
via 5b5e5a6027ae1743719e112aa4e9055f1b8133a7 (commit)
via 6cabb7a2a18f871b8c3d5de58bcdc5aaa5b201af (commit)
from 2ca90f78cee91c43b8d538d1cb92728f8e1452d5 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 5b5e5a6027ae1743719e112aa4e9055f1b8133a7
Author: Werner Koch <wk at gnupg.org>
Date: Fri Oct 10 13:51:19 2014 +0200
doc: Fix a man page rendering problem.
* doc/gpg-agent.texi (Agent Configuration): Fix rendering of the
sshcontrol example.
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index 36f0ed1..7eadf59 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@@ -684,13 +684,13 @@ The following example lists exactly one key. Note that keys available
through a OpenPGP smartcard in the active smartcard reader are
implicitly added to this list; i.e. there is no need to list them.
- @cartouche
- @smallexample
- # Key added on: 2011-07-20 20:38:46
- # Fingerprint: 5e:8d:c4:ad:e7:af:6e:27:8a:d6:13:e4:79:ad:0b:81
- 34B62F25E277CF13D3C6BCEBFD3F85D08F0A864B 0 confirm
- @end smallexample
- @end cartouche
+ at cartouche
+ at smallexample
+ # Key added on: 2011-07-20 20:38:46
+ # Fingerprint: 5e:8d:c4:ad:e7:af:6e:27:8a:d6:13:e4:79:ad:0b:81
+ 34B62F25E277CF13D3C6BCEBFD3F85D08F0A864B 0 confirm
+ at end smallexample
+ at end cartouche
@item private-keys-v1.d/
commit 6cabb7a2a18f871b8c3d5de58bcdc5aaa5b201af
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Thu Oct 9 16:54:15 2014 -0400
gpg: Add build and runtime support for larger RSA keys
* configure.ac: Added --enable-large-secmem option.
* g10/options.h: Add opt.flags.large_rsa.
* g10/gpg.c: Contingent on configure option: adjust secmem size,
add gpg --enable-large-rsa, bound to opt.flags.large_rsa.
* g10/keygen.c: Adjust max RSA size based on opt.flags.large_rsa
* doc/gpg.texi: Document --enable-large-rsa.
--
This is a cherry-pick of 534e2876acc05f9f8d9b54c18511fe768d77dfb5 from
STABLE-BRANCH-1-4 against master
Some older implementations built and used RSA keys up to 16Kib, but
the larger secret keys now fail when used by more recent GnuPG, due to
secure memory limitations.
Building with ./configure --enable-large-secmem will make gpg
capable of working with those secret keys, as well as permitting the
use of a new gpg option --enable-large-rsa, which let gpg generate RSA
keys up to 8Kib when used with --batch --gen-key.
Debian-bug-id: 739424
Minor edits by wk.
GnuPG-bug-id: 1732
diff --git a/configure.ac b/configure.ac
index 28268f1..7ce8c09 100644
--- a/configure.ac
+++ b/configure.ac
@@ -107,6 +107,7 @@ card_support=yes
use_ccid_driver=yes
dirmngr_auto_start=yes
use_tls_library=no
+large_secmem=no
GNUPG_BUILD_PROGRAM(gpg, yes)
GNUPG_BUILD_PROGRAM(gpgsm, yes)
@@ -223,6 +224,20 @@ AC_ARG_ENABLE(selinux-support,
AC_MSG_RESULT($selinux_support)
+AC_MSG_CHECKING([whether to allocate extra secure memory])
+AC_ARG_ENABLE(large-secmem,
+ AC_HELP_STRING([--enable-large-secmem],
+ [allocate extra secure memory]),
+ large_secmem=$enableval, large_secmem=no)
+AC_MSG_RESULT($large_secmem)
+if test "$large_secmem" = yes ; then
+ SECMEM_BUFFER_SIZE=65536
+else
+ SECMEM_BUFFER_SIZE=32768
+fi
+AC_DEFINE_UNQUOTED(SECMEM_BUFFER_SIZE,$SECMEM_BUFFER_SIZE,
+ [Size of secure memory buffer])
+
AC_MSG_CHECKING([whether to enable trust models])
AC_ARG_ENABLE(trust-models,
AC_HELP_STRING([--disable-trust-models],
diff --git a/doc/gpg.texi b/doc/gpg.texi
index 002e888..e7360e9 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -1181,6 +1181,15 @@ the opposite meaning. The options are:
validation. This option is only meaningful if pka-lookups is set.
@end table
+ at item --enable-large-rsa
+ at itemx --disable-large-rsa
+ at opindex enable-large-rsa
+ at opindex disable-large-rsa
+With --gen-key and --batch, enable the creation of larger RSA secret
+keys than is generally recommended (up to 8192 bits). These large
+keys are more expensive to use, and their signatures and
+certifications are also larger.
+
@item --enable-dsa2
@itemx --disable-dsa2
@opindex enable-dsa2
diff --git a/g10/gpg.c b/g10/gpg.c
index f586042..e7d6d00 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -376,6 +376,8 @@ enum cmd_and_opt_values
oAutoKeyLocate,
oNoAutoKeyLocate,
oAllowMultisigVerification,
+ oEnableLargeRSA,
+ oDisableLargeRSA,
oEnableDSA2,
oDisableDSA2,
oAllowMultipleMessages,
@@ -770,6 +772,8 @@ static ARGPARSE_OPTS opts[] = {
ARGPARSE_s_n (oAllowMultisigVerification,
"allow-multisig-verification", "@"),
+ ARGPARSE_s_n (oEnableLargeRSA, "enable-large-rsa", "@"),
+ ARGPARSE_s_n (oDisableLargeRSA, "disable-large-rsa", "@"),
ARGPARSE_s_n (oEnableDSA2, "enable-dsa2", "@"),
ARGPARSE_s_n (oDisableDSA2, "disable-dsa2", "@"),
ARGPARSE_s_n (oAllowMultipleMessages, "allow-multiple-messages", "@"),
@@ -2181,7 +2185,7 @@ main (int argc, char **argv)
#endif
/* Initialize the secure memory. */
- if (!gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0))
+ if (!gcry_control (GCRYCTL_INIT_SECMEM, SECMEM_BUFFER_SIZE, 0))
got_secmem = 1;
#if defined(HAVE_GETUID) && defined(HAVE_GETEUID)
/* There should be no way to get to this spot while still carrying
@@ -3099,6 +3103,22 @@ main (int argc, char **argv)
release_akl();
break;
+ case oEnableLargeRSA:
+#if SECMEM_BUFFER_SIZE >= 65536
+ opt.flags.large_rsa=1;
+#else
+ if (configname)
+ log_info("%s:%d: WARNING: gpg not built with large secure "
+ "memory buffer. Ignoring enable-large-rsa\n",
+ configname,configlineno);
+ else
+ log_info("WARNING: gpg not built with large secure "
+ "memory buffer. Ignoring --enable-large-rsa\n");
+#endif /* SECMEM_BUFFER_SIZE >= 65536 */
+ break;
+ case oDisableLargeRSA: opt.flags.large_rsa=0;
+ break;
+
case oEnableDSA2: opt.flags.dsa2=1; break;
case oDisableDSA2: opt.flags.dsa2=0; break;
diff --git a/g10/keygen.c b/g10/keygen.c
index 229f2bf..1c8d70e 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -1555,6 +1555,7 @@ gen_rsa (int algo, unsigned int nbits, KBNODE pub_root,
int err;
char *keyparms;
char nbitsstr[35];
+ const unsigned maxsize = (opt.flags.large_rsa ? 8192 : 4096);
assert (is_RSA(algo));
@@ -1566,9 +1567,9 @@ gen_rsa (int algo, unsigned int nbits, KBNODE pub_root,
nbits = 2048;
log_info (_("keysize invalid; using %u bits\n"), nbits );
}
- else if (nbits > 4096)
+ else if (nbits > maxsize)
{
- nbits = 4096;
+ nbits = maxsize;
log_info (_("keysize invalid; using %u bits\n"), nbits );
}
diff --git a/g10/options.h b/g10/options.h
index 7efb3d6..edd31a9 100644
--- a/g10/options.h
+++ b/g10/options.h
@@ -229,6 +229,7 @@ struct
unsigned int dsa2:1;
unsigned int allow_multiple_messages:1;
unsigned int allow_weak_digest_algos:1;
+ unsigned int large_rsa:1;
} flags;
/* Linked list of ways to find a key if the key isn't on the local
-----------------------------------------------------------------------
Summary of changes:
configure.ac | 15 +++++++++++++++
doc/gpg-agent.texi | 14 +++++++-------
doc/gpg.texi | 9 +++++++++
g10/gpg.c | 22 +++++++++++++++++++++-
g10/keygen.c | 5 +++--
g10/options.h | 1 +
6 files changed, 56 insertions(+), 10 deletions(-)
hooks/post-receive
--
The GNU Privacy Guard
http://git.gnupg.org
More information about the Gnupg-commits
mailing list