diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c index 0b2b98212..1696e4ecd 100644 --- a/agent/gpg-agent.c +++ b/agent/gpg-agent.c @@ -135,6 +135,7 @@ enum cmd_and_opt_values oDisableScdaemon, oDisableCheckOwnSocket, oS2KCount, + oAutoExpandSecmem, oWriteEnvFile }; @@ -252,6 +253,8 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_s_u (oS2KCount, "s2k-count", "@"), + ARGPARSE_op_u (oAutoExpandSecmem, "auto-expand-secmem", "@"), + /* Dummy options for backward compatibility. */ ARGPARSE_o_s (oWriteEnvFile, "write-env-file", "@"), ARGPARSE_s_n (oUseStandardSocket, "use-standard-socket", "@"), @@ -1233,6 +1236,14 @@ main (int argc, char **argv ) socket_name_browser = pargs.r.ret_str; break; + case oAutoExpandSecmem: + /* Try to enable this option. It will officially only be + * supported by Libgcrypt 1.9 but 1.8.2 already supports it + * on the quiet and thus we use the numeric value value. */ + gcry_control (78 /*GCRYCTL_AUTO_EXPAND_SECMEM*/, + (unsigned int)pargs.r.ret_ulong, 0); + break; + case oDebugQuickRandom: /* Only used by the first stage command line parser. */ break; diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi index afe280462..10f8900ca 100644 --- a/doc/gpg-agent.texi +++ b/doc/gpg-agent.texi @@ -652,6 +652,17 @@ Select the digest algorithm used to compute ssh fingerprints that are communicated to the user, e.g. in pinentry dialogs. OpenSSH has transitioned from using MD5 to the more secure SHA256. + +@item --auto-expand-secmem @var{n} +@opindex auto-expand-secmem +gAllow Libgcrypt to expand its secure memory area as required. The +optional value @var{n} is a non-negative integer with a suggested size +in bytes of each additionally allocated secure memory area. The value +is rounded up to the next 32 KiB; usual C style prefixes are allowed. +For an heavy loaded gpg-agent with many concurrent connection this +option avoids sign or decrypt errors due to out of secure memory error +returns. + @item --s2k-count @var{n} @opindex s2k-count Specify the iteration count used to protect the passphrase. This