Allow for 4k ssh keys and better error reporting.

2006-08-29 13:12:01 +00:00 · 2006-08-29 13:12:01 +00:00 · 6870dcf05d
parent 6434e92379
commit 6870dcf05d
3 changed files with 42 additions and 2 deletions
--- a/agent/ChangeLog
+++ b/agent/ChangeLog
@ -1,3 +1,11 @@
+2006-08-29  Werner Koch  <wk@g10code.com>
+
+	* command-ssh.c (stream_read_mpi): Sanity check for early
+	detecting of too large keys.
+	* gpg-agent.c (my_gcry_outofcore_handler): New.
+	(main): Register it.
+	(main): No allocate 32k secure memory (was 16k).
+
 2006-07-31  Werner Koch  <wk@g10code.com>

 	* preset-passphrase.c (make_hexstring): For conistency use
--- a/agent/command-ssh.c
+++ b/agent/command-ssh.c
@ -526,6 +526,15 @@ stream_read_mpi (estream_t stream, unsigned int secure, gcry_mpi_t *mpint)
  if (err)
    goto out;

+  /* To avoid excessive use of secure memory we check that an MPI is
+     not too large. */
+  if (mpi_data_size > 520)
+    {
+      log_error (_("ssh keys greater than %d bits are not supported\n"), 4096);
+      err = GPG_ERR_TOO_LARGE;
+      goto out;
+    }
+
  err = gcry_mpi_scan (&mpi, GCRYMPI_FMT_STD, mpi_data, mpi_data_size, NULL);
  if (err)
    goto out;
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
@ -285,6 +285,28 @@ my_gcry_logger (void *dummy, int level, const char *fmt, va_list arg_ptr)
 }


+/* This function is called by libgcrypt if it ran out of core and
+   there is no way to return that error to the caller.  We do our own
+   function here to make use of our logging functions. */
+static int
+my_gcry_outofcore_handler ( void *opaque, size_t req_n, unsigned int flags)
+{
+  static int been_here;  /* Used to protect against recursive calls. */
+
+  if (!been_here)
+    {
+      been_here = 1;
+      if ( (flags & 1) )
+        log_fatal (_("out of core in secure memory "
+                     "while allocating %lu bytes"), (unsigned long)req_n);
+      else
+        log_fatal (_("out of core while allocating %lu bytes"),
+                   (unsigned long)req_n);
+    }
+  return 0; /* Let libgcrypt call its own fatal error handler. */
+}
+
+
 /* Setup the debugging.  With the global variable DEBUG_LEVEL set to NULL
   only the active debug flags are propagated to the subsystems.  With
   DEBUG_LEVEL set, a specific set of debug flags is set; thus overriding
@ -489,6 +511,7 @@ main (int argc, char **argv )
  assuan_set_assuan_log_prefix (log_get_prefix (NULL));

  gcry_set_log_handler (my_gcry_logger, NULL);
+  gcry_set_outofcore_handler (my_gcry_outofcore_handler, NULL);
  gcry_control (GCRYCTL_USE_SECURE_RNDPOOL);

  may_coredump = disable_core_dumps ();
@ -546,8 +569,8 @@ main (int argc, char **argv )
          opt.homedir = pargs.r.ret_str;
    }

-  /* initialize the secure memory. */
-  gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
+  /* Initialize the secure memory. */
+  gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0);
  maybe_setuid = 0;

  /*