diff options
| -rw-r--r-- | configure.ac | 16 | ||||
| -rw-r--r-- | doc/gpg.texi | 9 | ||||
| -rw-r--r-- | g10/gpg.c | 22 | ||||
| -rw-r--r-- | g10/keygen.c | 5 | ||||
| -rw-r--r-- | g10/options.h | 1 |
5 files changed, 50 insertions, 3 deletions
diff --git a/configure.ac b/configure.ac index ae63a4ac2..1fd625339 100644 --- a/configure.ac +++ b/configure.ac @@ -158,6 +158,7 @@ use_exec=yes card_support=yes agent_support=yes disable_keyserver_path=no +large_secmem=no AC_ARG_ENABLE(minimal, AC_HELP_STRING([--enable-minimal],[build the smallest gpg binary possible]), @@ -177,6 +178,21 @@ AC_ARG_ENABLE(minimal, agent_support=no) +AC_MSG_CHECKING([whether to allocate extra secure memory]) +AC_ARG_ENABLE(large-secmem, + AC_HELP_STRING([--enable-large-secmem], + [allocate extra secure memory]), + large_secmem=$enableval, large_secmem=no) +AC_MSG_RESULT($large_secmem) +if test "$large_secmem" = yes ; then + SECMEM_BUFFER_SIZE=65536 +else + SECMEM_BUFFER_SIZE=32768 +fi +AC_DEFINE_UNQUOTED(SECMEM_BUFFER_SIZE,$SECMEM_BUFFER_SIZE, + [Size of secure memory buffer]) + + AC_MSG_CHECKING([whether OpenPGP card support is requested]) AC_ARG_ENABLE(card-support, AC_HELP_STRING([--disable-card-support], diff --git a/doc/gpg.texi b/doc/gpg.texi index ded69cef1..ae8680965 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -1104,6 +1104,15 @@ the opposite meaning. The options are: validation. This option is only meaningful if pka-lookups is set. @end table +@item --enable-large-rsa +@itemx --disable-large-rsa +@opindex enable-large-rsa +@opindex disable-large-rsa +With --gen-key and --batch, enable the creation of larger RSA secret +keys than is generally recommended (up to 8192 bits). These large +keys are more expensive to use, and their signatures and +certifications are also larger. + @item --enable-dsa2 @itemx --disable-dsa2 @opindex enable-dsa2 @@ -372,6 +372,8 @@ enum cmd_and_opt_values oAutoKeyLocate, oNoAutoKeyLocate, oAllowMultisigVerification, + oEnableLargeRSA, + oDisableLargeRSA, oEnableDSA2, oDisableDSA2, oAllowMultipleMessages, @@ -719,6 +721,8 @@ static ARGPARSE_OPTS opts[] = { { oDebugCCIDDriver, "debug-ccid-driver", 0, "@"}, #endif { oAllowMultisigVerification, "allow-multisig-verification", 0, "@"}, + { oEnableLargeRSA, "enable-large-rsa", 0, "@"}, + { oDisableLargeRSA, "disable-large-rsa", 0, "@"}, { oEnableDSA2, "enable-dsa2", 0, "@"}, { oDisableDSA2, "disable-dsa2", 0, "@"}, { oAllowMultipleMessages, "allow-multiple-messages", 0, "@"}, @@ -1995,7 +1999,7 @@ main (int argc, char **argv ) } #endif /* initialize the secure memory. */ - got_secmem=secmem_init( 32768 ); + got_secmem=secmem_init( SECMEM_BUFFER_SIZE ); maybe_setuid = 0; /* Okay, we are now working under our real uid */ @@ -2851,6 +2855,22 @@ main (int argc, char **argv ) release_akl(); break; + case oEnableLargeRSA: +#if SECMEM_BUFFER_SIZE >= 65536 + opt.flags.large_rsa=1; +#else + if (configname) + log_info("%s:%d: WARNING: gpg not built with large secure " + "memory buffer. Ignoring enable-large-rsa\n", + configname,configlineno); + else + log_info("WARNING: gpg not built with large secure " + "memory buffer. Ignoring --enable-large-rsa\n"); +#endif /* SECMEM_BUFFER_SIZE >= 65536 */ + break; + case oDisableLargeRSA: opt.flags.large_rsa=0; + break; + case oEnableDSA2: opt.flags.dsa2=1; break; case oDisableDSA2: opt.flags.dsa2=0; break; diff --git a/g10/keygen.c b/g10/keygen.c index 84f852f3f..90209083f 100644 --- a/g10/keygen.c +++ b/g10/keygen.c @@ -1253,6 +1253,7 @@ gen_rsa(int algo, unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek, PKT_public_key *pk; MPI skey[6]; MPI *factors; + const unsigned maxsize = (opt.flags.large_rsa ? 8192 : 4096); assert( is_RSA(algo) ); @@ -1260,8 +1261,8 @@ gen_rsa(int algo, unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek, nbits = 2048; log_info(_("keysize invalid; using %u bits\n"), nbits ); } - else if (nbits > 4096) { - nbits = 4096; + else if (nbits > maxsize) { + nbits = maxsize; log_info(_("keysize invalid; using %u bits\n"), nbits ); } diff --git a/g10/options.h b/g10/options.h index d6326d8d7..670cf64c2 100644 --- a/g10/options.h +++ b/g10/options.h @@ -231,6 +231,7 @@ struct unsigned int utf8_filename:1; unsigned int dsa2:1; unsigned int allow_multiple_messages:1; + unsigned int large_rsa:1; } flags; /* Linked list of ways to find a key if the key isn't on the local |