From 6870dcf05dd994aafb634a06f5736a671b9eaf1b Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Tue, 29 Aug 2006 13:12:01 +0000
Subject: [PATCH] Allow for 4k ssh keys and better error reporting.
---
 agent/ChangeLog | 8 ++++++++
 agent/command-ssh.c | 9 +++++++++
 agent/gpg-agent.c | 27 +++++++++++++++++++++++++--
 3 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/agent/ChangeLog b/agent/ChangeLog
index 19f711e23..b9555cacb 100644
--- a/agent/ChangeLog
+++ b/agent/ChangeLog
@@ -1,3 +1,11 @@
+2006-08-29 Werner Koch
+
+ * command-ssh.c (stream_read_mpi): Sanity check for early
+ detecting of too large keys.
+ * gpg-agent.c (my_gcry_outofcore_handler): New.
+ (main): Register it.
+ (main): No allocate 32k secure memory (was 16k).
+
 2006-07-31 Werner Koch * preset-passphrase.c (make_hexstring): For conistency use
diff --git a/agent/command-ssh.c b/agent/command-ssh.c
index 4e81aa2f2..d038768fe 100644
--- a/agent/command-ssh.c
+++ b/agent/command-ssh.c
@@ -526,6 +526,15 @@ stream_read_mpi (estream_t stream, unsigned int secure, gcry_mpi_t *mpint)
 if (err) goto out;
+ /* To avoid excessive use of secure memory we check that an MPI is
+ not too large. */
+ if (mpi_data_size > 520)
+ {
+ log_error (_("ssh keys greater than %d bits are not supported\n"), 4096);
+ err = GPG_ERR_TOO_LARGE;
+ goto out;
+ }
+
 err = gcry_mpi_scan (&mpi, GCRYMPI_FMT_STD, mpi_data, mpi_data_size, NULL);
 if (err) goto out;
diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
index 24e0b588b..17370c4c5 100644
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
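Review bot: In the stream_read_mpi hunk of agent/command-ssh.c the new `mpi_data_size > 520` test runs only after `mpi_data` has already been filled, so a client-supplied length above the limit has by then been allocated and read; the read call is outside the hunk, and whether that buffer comes from secure memory when `secure` is set should be confirmed there. If the goal stated in the comment is to spare secure memory, the length should be rejected before the buffer is allocated, with this check kept as a second line of defence. The bound is also expressed as two unrelated literals: 520 bytes is 4160 bits, while the message prints 4096, and nothing says what the extra 8 bytes allow for. I would name the bound and explain the slack, e.g. `#define SSH_MPI_MAX_BYTES 520  /* 4096 bit plus slack; say what the slack covers */` and `if (mpi_data_size > SSH_MPI_MAX_BYTES)`.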
@@ -285,6 +285,28 @@ my_gcry_logger (void *dummy, int level, const char *fmt, va_list arg_ptr)
 }
+/* This function is called by libgcrypt if it ran out of core and
+ there is no way to return that error to the caller. We do our own
+ function here to make use of our logging functions. */
+static int
+my_gcry_outofcore_handler ( void *opaque, size_t req_n, unsigned int flags)
+{
+ static int been_here; /* Used to protect against recursive calls. */
+
+ if (!been_here)
+ {
+ been_here = 1;
+ if ( (flags & 1) )
+ log_fatal (_("out of core in secure memory "
+ "while allocating %lu bytes"), (unsigned long)req_n);
+ else
+ log_fatal (_("out of core while allocating %lu bytes"),
+ (unsigned long)req_n);
+ }
+ return 0; /* Let libgcrypt call its own fatal error handler. */
+}
+
+
 /* Setup the debugging. With the global variable DEBUG_LEVEL set to NULL only the active debug flags are propagated to the subsystems. With DEBUG_LEVEL set, a specific set of debug flags is set; thus overriding
@@ -489,6 +511,7 @@ main (int argc, char **argv )
 assuan_set_assuan_log_prefix (log_get_prefix (NULL));
 gcry_set_log_handler (my_gcry_logger, NULL);
+ gcry_set_outofcore_handler (my_gcry_outofcore_handler, NULL);
 gcry_control (GCRYCTL_USE_SECURE_RNDPOOL);
 may_coredump = disable_core_dumps ();
@@ -546,8 +569,8 @@ main (int argc, char **argv )
 opt.homedir = pargs.r.ret_str;
 }
- /* initialize the secure memory. */
- gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
+ /* Initialize the secure memory. */
+ gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0);
 maybe_setuid = 0;
 /*
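Review bot: The two `log_fatal` format strings in my_gcry_outofcore_handler end without `\n`, while the `log_error` call this same patch adds in command-ssh.c ends with one; unless log_fatal appends a newline itself (not visible here), the last message the agent writes before terminating will run into whatever follows it in the log. The test `(flags & 1)` would also be easier to audit with a comment such as `/* Bit 0 of FLAGS: the request was for secure memory. */`, which is what the message in that branch implies. `opaque` is unused, and `been_here` is a plain static, so the recursion guard is only sound if the handler cannot be entered from two threads at once; a one-line comment stating that assumption would help.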
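Review bot: The new size in `gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0);` in the last main hunk is a bare literal whose only rationale lives in the ChangeLog, and it is implicitly coupled to the 520-byte MPI limit added in command-ssh.c: changing one without the other either wastes secure memory or brings back out-of-core failures on large keys. I would put the reason next to the call, e.g. `/* Initialize the secure memory; 32k so that 4096 bit ssh keys fit (see stream_read_mpi). */`. main continues outside the hunk, so whether anything later reports a failed initialisation cannot be seen here.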