Bug 230610 - security/gnupg request missing build option --enable-large-rsa
Summary: security/gnupg request missing build option --enable-large-rsa
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Adam Weinberger
Depends on:
Reported: 2018-08-13 23:10 UTC by p5B2E9A8F
Modified: 2018-08-30 14:49 UTC

See Also:
bugzilla: maintainer-feedback? (adamw)
p5B2E9A8F: maintainer-feedback?

gnupg_batch_only-2.2.9_2.patch (1.02 KB, patch)
2018-08-14 14:19 UTC, Dmitri Goutnik
dmgk: maintainer-approval?
gnupg_interactive-2.2.9_2.patch (1.11 KB, patch)
2018-08-14 14:24 UTC, Dmitri Goutnik
adamw: maintainer-approval-

Description p5B2E9A8F 2018-08-13 23:10:17 UTC
From file ChangeLog:
2014-10-10  Daniel Kahn Gillmor  <dkg@fifthhorseman.net>

        gpg: Add build and runtime support for larger RSA keys.
        + commit 6cabb7a2a18f871b8c3d5de58bcdc5aaa5b201af
        * configure.ac: Added --enable-large-secmem option.
        * g10/options.h: Add opt.flags.large_rsa.
        * g10/gpg.c: Contingent on configure option: adjust secmem size,
        add gpg --enable-large-rsa, bound to opt.flags.large_rsa.
        * g10/keygen.c: Adjust max RSA size based on opt.flags.large_rsa
        * doc/gpg.texi: Document --enable-large-rsa.

Please add this build option to selectable port options.
Comment 1 Adam Weinberger freebsd_committer 2018-08-13 23:22:10 UTC
I like this idea.

Does it require both --enable-large-secmem and --enable-large-rsa to be enabled at the same time? Or is just --enable-large-rsa sufficient?

Have you tested it out? Does --enable-large-rsa do the right thing?
Comment 2 Dmitri Goutnik freebsd_committer 2018-08-14 14:19:29 UTC
Created attachment 196194

Hmm... Turns out --enable-large-secmem is a configure knob that enables the --enable-large-rsa gpg2 command-line option. With --enable-large-rsa, gpg2 is able to generate 8192-bit RSA keys, but only in batch (non-interactive) mode:

$ cat | ./work/stage/usr/local/bin/gpg2 --batch --generate-key --enable-large-rsa <<EOD
  Key-Type: 1
  Key-Length: 8192
  Name-Real: Joe Tester
  Name-Email: joe@foo.bar
  Passphrase: abc
EOD

$ gpg -K

sec   rsa8192/0xE777A5ECF0FFEED0 2018-08-14 [SCEA]
uid                   [ultimate] Joe Tester <joe@foo.bar>

Attached patch adds a new LARGE_RSA config knob (off by default).
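As an added example (not code from the bug report, the attached patches or the port), the following POSIX shell script drives the batch key generation described in the comment above and then checks, from gpg's machine-readable --with-colons output, that the resulting secret key really is 8192-bit RSA. It assumes a gpg2 binary built with --enable-large-secmem (what the LARGE_RSA port option turns on) is on PATH; the name, e-mail address, temporary home directory and the helper function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report): generate an 8192-bit RSA key in
# batch mode with --enable-large-rsa, then verify the key length from
# 'gpg2 --with-colons' output. Assumes gpg2 was built with
# --enable-large-secmem (the port's LARGE_RSA knob).
set -eu

# Print the key length (colon field 3) of the first 'sec' record read
# from stdin. Field layout: type:validity:bits:algo:keyid:created:...
sec_key_bits() {
    awk -F: '$1 == "sec" { print $3; exit }'
}

# Succeed only when the first secret key on stdin has exactly $1 bits.
# A missing 'sec' record is treated as 0 bits, so it fails the check.
check_bits() {
    bits=$(sec_key_bits)
    [ "${bits:-0}" -eq "$1" ]
}

# Generate a key of the requested size in a throwaway home directory
# (mktemp -d creates it mode 0700, which gpg requires) and check it.
# Name and e-mail below are constructed values for the example.
generate_large_key() {
    want=${1:-8192}
    home=$(mktemp -d)
    gpg2 --homedir "$home" --batch --enable-large-rsa --generate-key <<EOD
Key-Type: RSA
Key-Length: $want
Name-Real: Joe Tester
Name-Email: joe@example.invalid
%no-protection
%commit
EOD
    if gpg2 --homedir "$home" --with-colons -K | check_bits "$want"; then
        status=0
    else
        status=1
    fi
    rm -rf "$home"
    return "$status"
}

# Only run the generation when invoked with --run, so the file can also be
# sourced for its helper functions.
if [ "${1:-}" = "--run" ]; then
    generate_large_key 8192
fi
```

Run it as `sh large_rsa_check.sh --run`. The --with-colons check is the part a port maintainer wants after flipping the option: a gpg2 built without --enable-large-secmem does not honour a Key-Length of 8192, and the parsed key length exposes that where the human-readable `gpg -K` listing is easy to misread.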
Comment 3 Dmitri Goutnik freebsd_committer 2018-08-14 14:24:33 UTC
Created attachment 196195

Patch to allow selecting 8192-bit keys during interactive key generation (--full-generate-key --enable-large-rsa).

This is not officially supported GnuPG behaviour, so I'm not sure if we want to enable this either.
Comment 4 Adam Weinberger freebsd_committer 2018-08-14 14:29:45 UTC
Comment on attachment 196195

I'm definitely not adding that interactive patch. If you want that capability, submit it upstream.
Comment 5 commit-hook freebsd_committer 2018-08-30 14:46:10 UTC
A commit references this bug:

Author: adamw
Date: Thu Aug 30 14:45:56 UTC 2018
New revision: 478464
URL: https://svnweb.freebsd.org/changeset/ports/478464

  Update gnupg to 2.2.10 and add LARGE_RSA option

  The LARGE_RSA option [1] enables 8192-bit keys, though GnuPG's lead
  author does not recommend using it routinely.

  Also, sort OPTIONS, and move an explanation of the SUID option from
  the Makefile into pkg-help, where it belongs.

  Major changes:
    gpg: Refresh expired keys originating from the WKD.
    gpg: Use a 256 KiB limit for a WKD imported key.
    gpg: New option --known-notation.
    scd: Add support for the Trustica Cryptoucan reader.
    agent: Speed up starting during on-demand launching.
    dirmngr: Validate SRV records in WKD queries.
    Release-info: https://dev.gnupg.org/T4112

  PR:		230610 [1]
  Submitted by:	Dmitri Goutnik
  Reported by:	p5B2E9A8F t online de

Comment 6 Adam Weinberger freebsd_committer 2018-08-30 14:49:28 UTC
I've added the LARGE_RSA patch, but not the interactive patch. Thanks to you both for the work here.