Bug 230610

Summary:

security/gnupg request missing build option --enable-large-rsa

Product:

Ports & Packages

Reporter:

p5B2EA84B3

Component:

Individual Port(s)

Assignee:

Adam Weinberger <adamw>

Status:

Closed FIXED

Severity:

Affects Only Me

CC:

dmgk

Priority:

---

Flags:

bugzilla: maintainer-feedback? (adamw)
p5B2EA84B3: maintainer-feedback?

Version:

Latest

Hardware:

Any

OS:

Any

Attachments:

Description	Flags
gnupg_batch_only-2.2.9_2.patch	dmgk: maintainer-approval?
gnupg_interactive-2.2.9_2.patch	adamw: maintainer-approval-

Description p5B2EA84B3 2018-08-13 23:10:17 UTC

From file ChangeLog:
2014-10-10  Daniel Kahn Gillmor  <dkg@fifthhorseman.net>

        gpg: Add build and runtime support for larger RSA keys.
        + commit 6cabb7a2a18f871b8c3d5de58bcdc5aaa5b201af
        * configure.ac: Added --enable-large-secmem option.
        * g10/options.h: Add opt.flags.large_rsa.
        * g10/gpg.c: Contingent on configure option: adjust secmem size,
        add gpg --enable-large-rsa, bound to opt.flags.large_rsa.
        * g10/keygen.c: Adjust max RSA size based on opt.flags.large_rsa
        * doc/gpg.texi: Document --enable-large-rsa.

Please add this build option to selectable port options.

Comment 1 Adam Weinberger freebsd_committer

2018-08-13 23:22:10 UTC

I like this idea.

Does it require both --enable-large-secmem and --enable-large-rsa to be enabled at the same time? Or is just --enable-large-rsa sufficient?

Have you tested it out? Does --enable-large-rsa do the right thing?

Comment 2 Dmitri Goutnik freebsd_committer

2018-08-14 14:19:29 UTC

Created attachment 196194 [details]
gnupg_batch_only-2.2.9_2.patch

Hmm.. Turns out, --enable-large-secmem is a configure knob that enables --enable-large-rsa gpg2 command line option. With --enable-large-rsa, gpg2 is able to generate 8192 bit RSA keys but only in batch non-interactive mode:

$ cat | ./work/stage/usr/local/bin/gpg2 --batch --generate-key --enable-large-rsa <<EOD
  Key-Type: 1
  Key-Length: 8192
  Name-Real: Joe Tester
  Name-Email: joe@foo.bar
  Passphrase: abc
EOD

$ gpg -K

sec   rsa8192/0xE777A5ECF0FFEED0 2018-08-14 [SCEA]
      9384623D3A4C6B95CD32ECF9E777A5ECF0FFEED0
uid                   [ultimate] Joe Tester <joe@foo.bar>


Attached patch adds a new LARGE_RSA config knob (off by default).

Comment 3 Dmitri Goutnik freebsd_committer

2018-08-14 14:24:33 UTC

Created attachment 196195 [details]
gnupg_interactive-2.2.9_2.patch

Patch to allow selecting 8192-bit keys during interactive key generation (--full-generate-key --enable-large-rsa).

This is not officially supported GnuPG behaviour, so I'm not sure if we want to enable this either.

Comment 4 Adam Weinberger freebsd_committer

2018-08-14 14:29:45 UTC

Comment on attachment 196195 [details]
gnupg_interactive-2.2.9_2.patch

I'm definitely not adding that interactive patch. If you want that capability, submit it upstream.

Comment 5 commit-hook freebsd_committer

2018-08-30 14:46:10 UTC

A commit references this bug:

Author: adamw
Date: Thu Aug 30 14:45:56 UTC 2018
New revision: 478464
URL: https://svnweb.freebsd.org/changeset/ports/478464

Log:
  Update gnupg to 2.2.10 and add LARGE_RSA option

  The LARGE_RSA option [1] enables 8192-bit keys, though GnuPG's lead
  author does not recommend using it routinely.

  Also, sort OPTIONS, and move an explanation of the SUID option from
  the Makefile into pkg-help, where it belongs.

  Major changes:
    gpg: Refresh expired keys originating from the WKD.
    gpg: Use a 256 KiB limit for a WKD imported key.
    gpg: New option --known-notation.
    scd: Add support for the Trustica Cryptoucan reader.
    agent: Speed up starting during on-demand launching.
    dirmngr: Validate SRV records in WKD queries.
    Release-info: https://dev.gnupg.org/T4112

  PR:		230610 [1]
  Submitted by:	Dmitri Goutnik
  Reported by:	p5B2E9A8F t online de

Changes:
  head/security/gnupg/Makefile
  head/security/gnupg/distinfo
  head/security/gnupg/pkg-help

Comment 6 Adam Weinberger freebsd_committer

2018-08-30 14:49:28 UTC

I've added the LARGE_RSA patch, but not the interactive patch. Thanks to you both for the work here.