agent: New option --auto-expand-secmem.

* agent/gpg-agent.c (oAutoExpandSecmem): New enum value. (opts): New option --auto-expand-secmem. (main): Implement that option. -- Note that this option has an effect only if Libgcrypt >= 1.8.2 is used. GnuPG-bug-id: 3530
2017-11-24 10:30:25 +01:00 · 2017-11-24 10:30:25 +01:00 · 18af15249d
parent 531182b7f8
commit 18af15249d
2 changed files with 22 additions and 0 deletions
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
@ -135,6 +135,7 @@ enum cmd_and_opt_values
  oDisableScdaemon,
  oDisableCheckOwnSocket,
  oS2KCount,
+  oAutoExpandSecmem,

  oWriteEnvFile
 };
@ -252,6 +253,8 @@ static ARGPARSE_OPTS opts[] = {

  ARGPARSE_s_u (oS2KCount, "s2k-count", "@"),

+  ARGPARSE_op_u (oAutoExpandSecmem, "auto-expand-secmem", "@"),
+
  /* Dummy options for backward compatibility.  */
  ARGPARSE_o_s (oWriteEnvFile, "write-env-file", "@"),
  ARGPARSE_s_n (oUseStandardSocket, "use-standard-socket", "@"),
@ -1233,6 +1236,14 @@ main (int argc, char **argv )
          socket_name_browser = pargs.r.ret_str;
          break;

+        case oAutoExpandSecmem:
+          /* Try to enable this option.  It will officially only be
+           * supported by Libgcrypt 1.9 but 1.8.2 already supports it
+           * on the quiet and thus we use the numeric value value.  */
+          gcry_control (78 /*GCRYCTL_AUTO_EXPAND_SECMEM*/,
+                        (unsigned int)pargs.r.ret_ulong,  0);
+          break;
+
        case oDebugQuickRandom:
          /* Only used by the first stage command line parser.  */
          break;
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@ -652,6 +652,17 @@ Select the digest algorithm used to compute ssh fingerprints that are
 communicated to the user, e.g. in pinentry dialogs.  OpenSSH has
 transitioned from using MD5 to the more secure SHA256.

+
+@item --auto-expand-secmem @var{n}
+@opindex auto-expand-secmem
+gAllow Libgcrypt to expand its secure memory area as required.  The
+optional value @var{n} is a non-negative integer with a suggested size
+in bytes of each additionally allocated secure memory area.  The value
+is rounded up to the next 32 KiB; usual C style prefixes are allowed.
+For an heavy loaded gpg-agent with many concurrent connection this
+option avoids sign or decrypt errors due to out of secure memory error
+returns.
+
@item --s2k-count @var{n}
@opindex s2k-count
 Specify the iteration count used to protect the passphrase.  This