[PATCH] gpg 2.0.x: Add build and runtime support for larger RSA keys
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Oct 3 20:13:14 CEST 2014
On 10/03/2014 01:59 PM, Daniel Kahn Gillmor wrote:
> * configure.ac: Added --enable-large-secmem option.
> * g10/options.h: Add opt.flags.large_rsa.
> * g10/gpg.c: Contingent on configure option: adjust secmem size,
> add gpg --enable-large-rsa, bound to opt.flags.large_rsa.
> * g10/keygen.c: Adjust max RSA size based on opt.flags.large_rsa
> * doc/gpg.texi: Document --enable-large-rsa.
> This is a cherry-pick of 534e2876acc05f9f8d9b54c18511fe768d77dfb5 from
> STABLE-BRANCH-1-4 against STABLE-BRANCH-2-0
This patch (or something like it) should probably be applied to the
2.0.x branch so that gpg.conf is option-for-option compatible with 1.4.x.
fwiw, using a modern amd64 system, i tried using a 16Kib RSA secret key
with debian's 2.0.26-3 gnupg2 package (without this patch) and did not
get an out-of-memory fatal alert, even though the same operation *does*
give a fatal alert with an unpatched 1.4.18 .
I think this means that gpg1 is using more secure memory for the same
operations, which means that the #if SECMEM_BUFFER_SIZE >= 65536 test is
as unprincipled as we expected it to be :)
So another option would be to just introduce --disable-large-rsa as a
no-op, and --enable-large-rsa as an obsolete option, and not adjust
configure.ac at all. let me know if you'd like to see that patch instead.
I also note that this patchset only adjusts the secmem choices for
g10/gpg.c, but not for any of the following:
* agent/gpg-agent.c (currently 32768)
* agent/protect-tool.c (currently 16384)
* scd/scdaemon.c (currently 16384)
* sm/gpgsm.c (currently 16384)
* tools/gpg-check-pattern.c (currently 4096(!))
* tools/symcryptrun.c (currently 16384
Let me know what you think.
Once i see how it settles on the 2.0.x branch, and once i've imported
the latest 2.1.x beta for debian, i can take a look at applying these
something similar to master.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 949 bytes
Desc: OpenPGP digital signature
More information about the Gnupg-devel