diff -uraN a/agent/command-ssh.c b/agent/command-ssh.c
--- a/agent/command-ssh.c 2015-09-08 14:39:24.000000000 +0200
+++ b/agent/command-ssh.c 2016-02-26 21:42:52.000000000 +0100
@@ -592,7 +592,7 @@
 not too large. */
 if (mpi_data_size > 520)
 {
- log_error (_("ssh keys greater than %d bits are not supported\n"), 4096);
+ log_error (_("ssh keys greater than %d bits are not supported\n"), KEY_MAX_SIZE_LOOKSLIKE);
 err = GPG_ERR_TOO_LARGE;
 goto out;
 }
diff -uraN a/agent/gpg-agent.c b/agent/gpg-agent.c
--- a/agent/gpg-agent.c 2015-09-08 14:39:24.000000000 +0200
+++ b/agent/gpg-agent.c 2016-02-26 21:42:52.000000000 +0100
@@ -233,7 +233,7 @@
 /* To avoid surprises we limit the size of the mapped IPC file to this
 value. Putty currently (0.62) uses 8k, thus 16k should be enough for
 the foreseeable future. */
-#define PUTTY_IPC_MAXLEN 16384
+#define PUTTY_IPC_MAXLEN KEY_MAX_SIZE_LOOKSLIKE
 #endif /*HAVE_W32_SYSTEM*/
 /* The list of open file descriptors at startup. Note that this list
@@ -743,7 +743,7 @@
 }
 /* Initialize the secure memory. */
- gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0);
+ gcry_control (GCRYCTL_INIT_SECMEM, SECMEM_BUFFER_SIZE, 0);
 maybe_setuid = 0;
 /*
diff -uraN a/agent/protect-tool.c b/agent/protect-tool.c
--- a/agent/protect-tool.c 2015-09-08 14:39:24.000000000 +0200
+++ b/agent/protect-tool.c 2016-02-26 21:42:52.000000000 +0100
@@ -1036,7 +1036,7 @@
 }
 setup_libgcrypt_logging ();
- gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
+ gcry_control (GCRYCTL_INIT_SECMEM, SECMEM_BUFFER_SIZE, 0);
 opt_homedir = default_homedir ();
diff -uraN a/ChangeLog b/ChangeLog
--- a/ChangeLog 2015-09-08 16:15:30.000000000 +0200
+++ b/ChangeLog 2016-02-26 21:42:52.000000000 +0100
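Review bot: The message now prints KEY_MAX_SIZE_LOOKSLIKE bits, but the guard two lines above is still `if (mpi_data_size > 520)`, so the agent keeps rejecting ssh keys at the old size while telling the user the limit is 32768 bits. The 520-byte figure looks like 4096 bits (512 bytes) plus some framing; if the agent is meant to accept larger keys, the guard has to be derived from the same macro (confirm the framing overhead against the caller before writing it down), otherwise the message should keep `4096` so it matches the check it reports. A comment on the guard stating how the byte limit relates to the bit figure in the message would keep the two from drifting apart again. The enclosing function starts and ends outside the hunk.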
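Review bot: PUTTY_IPC_MAXLEN is the byte size of a memory-mapped IPC file, but the new definition reuses KEY_MAX_SIZE_LOOKSLIKE, a key-size limit in bits, and the comment above it still justifies 16k; nothing in the hunk shows that the Pageant mapping needs to grow at all. Reusing the macro ties a length cap on data received from another process to the key-size limit, so a later change to one silently changes the other. The same substitution of unrelated byte limits appears in common/dns-cert.c, g10/card-util.c (get_data_from_file), g10/keyserver.c DEFAULT_MAX_CERT_SIZE, the g10/plaintext.c I/O buffers (where the `len < KEY_MAX_SIZE_LOOKSLIKE` EOF heuristic also depends on it), scd/apdu.c (`lc` chaining check, and a default CT-API port number that merely happened to be 32768), scd/command.c MAXLEN_* and tools/make-dns-cert.c. Where a larger value is genuinely wanted, give each its own named constant with the unit in the comment, e.g. `#define PUTTY_IPC_MAXLEN 32768  /* bytes */`, and leave the CT-API port default as the literal `32768`.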
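Review bot: With the configure hunk setting SECMEM_BUFFER_SIZE to 262144 unconditionally, this call now asks libgcrypt for a 256 KiB locked pool instead of 32 KiB, and the same substitution in agent/protect-tool.c, scd/scdaemon.c, sm/gpgsm.c, tools/gpg-check-pattern.c (previously 4 KiB) and tools/symcryptrun.c does the same in every helper process. libgcrypt mlock()s that pool, so on hosts whose memlock limit is below 256 KiB the lock can fail and the process falls back to unlocked memory with the insecure-memory warning (exact behaviour depends on libgcrypt's secmem flags, so confirm). The per-program sizes looked deliberate; if only the agent needs a larger pool for 32k-bit key material, size it there and leave the tools alone. Whatever is chosen, record the reason next to the call, e.g. `/* Initialize the secure memory; the pool must hold the largest key the agent unprotects (see SECMEM_BUFFER_SIZE in configure.ac).  */`.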
@@ -1,3 +1,28 @@
+2016-02-26 Nikita S.
+
+ * g10/misc.c (pct_expando): maxlen returned back to 8192, there is no link with maxkeysize, tested.
+
+2016-02-24 Nikita S.
+
+ Release 2.0.29.RSA32k (https://github.com/nikitasius/GnuPG/tree/2.0.29-RSA32k)
+
+ Add: RSA-32768 keypair support.
+ * config.h.in (KEY_MAX_SIZE_LOOKSLIKE): new .
+ configure: SECMEM_BUFFER_SIZE always 262144 (not depends of --enable-large-secmem).
+ configure: new constant KEY_MAX_SIZE_LOOKSLIKE with value 32768.
+ agent: use KEY_MAX_SIZE_LOOKSLIKE instead of hardcoded values for some maxlen/keymaxsize.
+ agent: use SECMEM_BUFFER_SIZE in gcry_control instead of hardcoded values.
+ * common/dns-cert.c (get_dns_cert): use KEY_MAX_SIZE_LOOKSLIKE as max_size .
+ g10: use KEY_MAX_SIZE_LOOKSLIKE instead of hardcoded values for some maxlen/keymaxsize/nbis/mpi.
+ g10: use SECMEM_BUFFER_SIZE in gcry_control instead of hardcoded values.
+ scd: use KEY_MAX_SIZE_LOOKSLIKE instead of hardcoded values for some maxlen.
+ scd: use SECMEM_BUFFER_SIZE in gcry_control instead of hardcoded values.
+ sm: use SECMEM_BUFFER_SIZE in gcry_control instead of hardcoded values.
+ tools: use SECMEM_BUFFER_SIZE in gcry_control instead of hardcoded values.
+ * tools/make-dns-cert.c (cert_key): use KEY_MAX_SIZE_LOOKSLIKE instead of hardcoded value.
+ * g10/misc.c (pct_expando): maxlen compared with current maxkeysize (32768 + 1024), i.e. 33792.
+ * gnupg-2.0.29-RSA32k.patch: patch for vanilla gnupg-2.0.29 to have RSA-32768 support.
+
 2015-09-08 Werner Koch
 Release 2.0.29.
diff -uraN a/common/dns-cert.c b/common/dns-cert.c
--- a/common/dns-cert.c 2015-09-08 14:39:24.000000000 +0200
+++ b/common/dns-cert.c 2016-02-26 21:42:52.000000000 +0100
@@ -305,7 +305,7 @@
 printf("CERT lookup on %s\n",argv[1]);
- rc=get_dns_cert (argv[1],16384,&iobuf,&fpr,&fpr_len,&url);
+ rc=get_dns_cert (argv[1],KEY_MAX_SIZE_LOOKSLIKE,&iobuf,&fpr,&fpr_len,&url);
 if(rc==-1)
 printf("error\n");
 else if(rc==0)
diff -uraN a/config.h.in b/config.h.in
--- a/config.h.in 2015-09-08 15:30:25.000000000 +0200
+++ b/config.h.in 2016-02-26 21:42:52.000000000 +0100
@@ -608,6 +608,9 @@
 /* Size of secure memory buffer */
 #undef SECMEM_BUFFER_SIZE
+/* Maximum key size or lookslike */
+#undef KEY_MAX_SIZE_LOOKSLIKE
+
 /* defines the filename of the shred program */
 #undef SHRED
diff -uraN a/configure b/configure
--- a/configure 2015-09-08 16:12:06.000000000 +0200
+++ b/configure 2016-02-26 21:42:52.000000000 +0100
@@ -5307,13 +5307,13 @@
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $large_secmem" >&5
 $as_echo "$large_secmem" >&6; }
 if test "$large_secmem" = yes ; then
- SECMEM_BUFFER_SIZE=65536
+ SECMEM_BUFFER_SIZE=262144
 else
- SECMEM_BUFFER_SIZE=32768
+ SECMEM_BUFFER_SIZE=262144
 fi
-
 cat >>confdefs.h <<_ACEOF
 #define SECMEM_BUFFER_SIZE $SECMEM_BUFFER_SIZE
+#define KEY_MAX_SIZE_LOOKSLIKE 32768
 _ACEOF
diff -uraN a/configure.ac b/configure.ac
--- a/configure.ac 2015-09-08 14:39:24.000000000 +0200
+++ b/configure.ac 2016-02-26 21:42:52.000000000 +0100
@@ -183,12 +183,15 @@
 large_secmem=$enableval, large_secmem=no)
 AC_MSG_RESULT($large_secmem)
 if test "$large_secmem" = yes ; then
- SECMEM_BUFFER_SIZE=65536
+ SECMEM_BUFFER_SIZE=262144
 else
- SECMEM_BUFFER_SIZE=32768
+ SECMEM_BUFFER_SIZE=262144
 fi
 AC_DEFINE_UNQUOTED(SECMEM_BUFFER_SIZE,$SECMEM_BUFFER_SIZE,
 [Size of secure memory buffer])
+
+AC_DEFINE_UNQUOTED(KEY_MAX_SIZE_LOOKSLIKE,32768,
+ [Maximum key size or lookslike])
 # Allow disabling of bzib2 support.
diff -uraN a/doc/gnupg.info-1 b/doc/gnupg.info-1
--- a/doc/gnupg.info-1 2015-09-08 16:15:29.000000000 +0200
+++ b/doc/gnupg.info-1 2016-02-26 21:42:52.000000000 +0100
@@ -2552,7 +2552,7 @@
 max-cert-size
 When retrieving a key via DNS CERT, only accept keys up to
- this size. Defaults to 16384 bytes.
+ this size. Defaults to 32768 bytes.
 debug
 Turn on debug output in the keyserver helper program. Note
diff -uraN a/doc/gpg.texi b/doc/gpg.texi
--- a/doc/gpg.texi 2015-09-08 14:39:24.000000000 +0200
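Review bot: Both arms of `if test "$large_secmem" = yes` now assign 262144, so `--enable-large-secmem` is a no-op that still shows up in `./configure --help` and still prints its result line; either drop the conditional or keep a smaller default and let the option select the large value. The generated configure hunk has the same dead branch. The new `[Maximum key size or lookslike]` description states neither the unit nor what "lookslike" means, yet the value is used as a bit count in g10/gpg.h and g10/parse-packet.c and as a byte count elsewhere in this patch; the description should pin the unit, e.g. `[Maximum RSA key size in bits]`, and the config.h.in comment should match it.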
+++ b/doc/gpg.texi 2016-02-26 21:42:52.000000000 +0100
@@ -1645,7 +1645,7 @@
 @ifclear gpgtwoone
 @item max-cert-size
 When retrieving a key via DNS CERT, only accept keys up to this size.
- Defaults to 16384 bytes.
+ Defaults to 32768 bytes.
 @end ifclear
 @item debug
diff -uraN a/g10/card-util.c b/g10/card-util.c
--- a/g10/card-util.c 2015-09-08 14:39:24.000000000 +0200
+++ b/g10/card-util.c 2016-02-26 21:42:52.000000000 +0100
@@ -946,7 +946,7 @@
 {
 for (args++; spacep (args); args++)
 ;
- n = get_data_from_file (args, 16384, &data);
+ n = get_data_from_file (args, KEY_MAX_SIZE_LOOKSLIKE, &data);
 if (n < 0)
 return -1;
 }
@@ -1285,7 +1285,7 @@
 ask_card_keysize (int keyno, unsigned int nbits)
 {
 unsigned int min_nbits = 1024;
- unsigned int max_nbits = 4096;
+ unsigned int max_nbits = KEY_MAX_SIZE_LOOKSLIKE;
 char *prompt, *answer;
 unsigned int req_nbits;
diff -uraN a/g10/gpg.h b/g10/gpg.h
--- a/g10/gpg.h 2015-09-08 14:39:24.000000000 +0200
+++ b/g10/gpg.h 2016-02-26 21:42:52.000000000 +0100
@@ -35,7 +35,7 @@
 /* Number of bits we accept when reading or writing MPIs. */
-#define MAX_EXTERN_MPI_BITS 16384
+#define MAX_EXTERN_MPI_BITS KEY_MAX_SIZE_LOOKSLIKE
 /* The maximum length of a binary fingerprints. */
 #define MAX_FINGERPRINT_LEN 20
diff -uraN a/g10/keygen.c b/g10/keygen.c
--- a/g10/keygen.c 2015-09-08 14:39:24.000000000 +0200
+++ b/g10/keygen.c 2016-02-26 21:42:52.000000000 +0100
@@ -1429,7 +1429,7 @@
 PKT_secret_key *sk;
 PKT_public_key *pk;
 gcry_sexp_t s_parms, s_key;
- const unsigned maxsize = (opt.flags.large_rsa ? 8192 : 4096);
+ const unsigned maxsize = KEY_MAX_SIZE_LOOKSLIKE;
 assert (is_RSA(algo));
@@ -1798,7 +1798,7 @@
 static unsigned
 ask_keysize (int algo, unsigned int primary_keysize)
 {
- unsigned int nbits, min, def = DEFAULT_STD_KEYSIZE, max=4096;
+ unsigned int nbits, min, def = DEFAULT_STD_KEYSIZE, max=KEY_MAX_SIZE_LOOKSLIKE;
 int for_subkey = !!primary_keysize;
 int autocomp = 0;
diff -uraN a/g10/keyserver.c b/g10/keyserver.c
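Review bot: ask_card_keysize now offers up to KEY_MAX_SIZE_LOOKSLIKE bits for on-card key generation, but nothing in the hunk consults the card's own maximum; the smart cards this code targets support a far smaller range as far as I know, so the prompt will accept sizes the card then rejects (unless a later check outside the hunk clamps it — confirm). Keeping `max_nbits = 4096` here, or clamping to a per-card limit, avoids a confusing failure after the user has typed a size. Either way the line deserves a comment such as `/* Upper bound for the prompt only; the card enforces its own limit.  */`. The rest of ask_card_keysize continues outside the hunk.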
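Review bot: `maxsize` no longer depends on `opt.flags.large_rsa`, so the option that previously gated sizes above 4096 has no effect in the RSA generation function, and every caller, including unattended batch generation from a parameter file, can now request a 32768-bit key, which the README in this patch reports as taking about 106 minutes. Keeping the opt-in while still allowing the larger sizes is a one-line change: `const unsigned maxsize = (opt.flags.large_rsa ? KEY_MAX_SIZE_LOOKSLIKE : 4096);`. The same consideration applies to `max` in the ask_keysize hunk below. The enclosing function's signature and the rest of its body are outside the hunk.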
--- a/g10/keyserver.c 2015-09-08 14:39:24.000000000 +0200
+++ b/g10/keyserver.c 2016-02-26 21:42:52.000000000 +0100
@@ -94,7 +94,7 @@
 struct keyserver_spec *keyserver);
 /* Reasonable guess */
-#define DEFAULT_MAX_CERT_SIZE 16384
+#define DEFAULT_MAX_CERT_SIZE KEY_MAX_SIZE_LOOKSLIKE
 static size_t max_cert_size=DEFAULT_MAX_CERT_SIZE;
diff -uraN a/g10/parse-packet.c b/g10/parse-packet.c
--- a/g10/parse-packet.c 2015-09-08 14:39:24.000000000 +0200
+++ b/g10/parse-packet.c 2016-02-26 21:42:52.000000000 +0100
@@ -1681,7 +1681,7 @@
 --*length;
 nbits |= c;
- if (nbits > 16384)
+ if (nbits > KEY_MAX_SIZE_LOOKSLIKE)
 {
 log_error ("mpi too large (%u bits)\n", nbits);
 return NULL;
diff -uraN a/g10/plaintext.c b/g10/plaintext.c
--- a/g10/plaintext.c 2015-09-08 14:39:24.000000000 +0200
+++ b/g10/plaintext.c 2016-02-26 21:42:52.000000000 +0100
@@ -225,9 +225,9 @@
 }
 }
 else { /* binary mode */
- byte *buffer = xmalloc( 32768 );
+ byte *buffer = xmalloc( KEY_MAX_SIZE_LOOKSLIKE );
 while( pt->len ) {
- int len = pt->len > 32768 ? 32768 : pt->len;
+ int len = pt->len > KEY_MAX_SIZE_LOOKSLIKE ? KEY_MAX_SIZE_LOOKSLIKE : pt->len;
 len = iobuf_read( pt->buf, buffer, len );
 if( len == -1 ) {
 rc = gpg_error_from_syserror ();
@@ -294,7 +294,7 @@
 }
 }
 else { /* binary mode */
- byte *buffer = xmalloc( 32768 );
+ byte *buffer = xmalloc( KEY_MAX_SIZE_LOOKSLIKE );
 int eof_seen = 0;
 while ( !eof_seen ) {
@@ -304,10 +304,10 @@
 * off and therefore we don't catch the boundary.
 * So, always assume EOF if iobuf_read returns less bytes
 * then requested */
- int len = iobuf_read( pt->buf, buffer, 32768 );
+ int len = iobuf_read( pt->buf, buffer, KEY_MAX_SIZE_LOOKSLIKE );
 if( len == -1 )
 break;
- if( len < 32768 )
+ if( len < KEY_MAX_SIZE_LOOKSLIKE )
 eof_seen = 1;
 if( mfx->md )
 gcry_md_write ( mfx->md, buffer, len );
diff -uraN a/README.md b/README.md
--- a/README.md 1970-01-01 01:00:00.000000000 +0100
+++ b/README.md 2016-02-26 21:42:52.000000000 +0100
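Review bot: `nbits > KEY_MAX_SIZE_LOOKSLIKE` is the size guard on MPIs read from packets, i.e. untrusted input from keyrings, keyservers and incoming messages, and g10/gpg.h in this same patch now defines MAX_EXTERN_MPI_BITS from the same macro for exactly that purpose; comparing against the config macro directly lets the two diverge later, so use `if (nbits > MAX_EXTERN_MPI_BITS)` here. Raising the bound also raises the work an attacker can impose with oversized MPIs in unauthenticated data (for example verifying a signature made with a 32k-bit key), so a comment on the check saying that this is the denial-of-service bound, not merely a sanity limit, is worth adding. The enclosing function starts and ends outside the hunk.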
@@ -0,0 +1,169 @@
+# GnuPG (2.0.29) with large RSA keys (up to 32768)
+## WARNING
+## USE MODIFIED GNUPG AT YOUR OWN RISK. SOFTWARE MAY CAUSE DATA LOSS, SYSTEM CRASHES, AND RED EYES.
+### Large keys, created in modified GnuPG with modified libgcrypt CANNOT be read by vanilla versions! It mean, that if you have another PGP stuff in your PC which work with keys, you should to export keys OR create another keyring for vanilla versions.
+
+## Description
+GnuPG with large RSA keys support (up to 32768 bytes).
+
+This version based on GnuPG version [2.0.29](https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.0.29.tar.bz2), which can be downloaded from official https://gnupg.org website. To start i copied original GnuPG into the branch `gnupg-2.0.29`, where it stays **non**-modified. After it goes into `devel` branch where im working with. And after it goes into `2.0.29-RSA32k` branch, where can be downloaded.
+
+## Preparation
+###Debian
+You need enought entropy. You can check your current entropy level via `cat /proc/sys/kernel/random/entropy_avail`.
+
+Your maximum entropy level here: `cat /proc/sys/kernel/random/poolsize`. For last linux distro we have `4096` as poolsize value. For better keys generation you should have 3000+.
+
+To increase your entropy level you can install `rng-tools` and `haveged`.
+
+`rng-tools` - there is many guides how to tune it. Being once installed it will boost well your entropy level. Same time if your PC support TPM and you have *hardware random generators*, you can tune `rng-tools` to use them. In another case it will use `rdrand` CPU flag (if your CPU have it) to boost entropy level.
+
+`haveged` - i don't have TPM module in my laptop, so i use `haveged` to boost my entropy level with `rng-tools` same time. `haveged` run with default param `1024`. Without `haveged` (but with `rng-tools`) i had 1600-2000 entropy, so i've increased from `1024` to `3072` for `haveged` service to have at least 3100 of entropy. Each time when you configure `haveged` **check CPU consumption**, because it's a software generator and if you don't have entropy as is, it will consume a lot of CPU time. In my case with i5-5200U and `3072` for `haveged` all cores have 3%-7% in idle time on `4.3.0-0.bpo.1-amd64 #1 SMP Debian 4.3.3-7~bpo8+1 (2016-01-19) x86_64 GNU/Linux`.
+
+## Configuration
+### Patching vanilla gnupg-2.0.29
+If by some private reasons you don't want to download this version from this Github repo, you can download patch [gnupg-2.0.29-RSA32k.patch](https://raw.githubusercontent.com/nikitasius/GnuPG/2.0.29-RSA32k/gnupg-2.0.29-RSA32k.patch) and download [vanilla gnupg-2.0.29](https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.0.29.tar.bz2).
+
+After you can check patch content and if all is ok, copy it inside folder with vanilla gnupg-2.0.29 and run `patch -p1 < gnupg-2.0.29-RSA32k.patch`. After patching your gnupg-2.0.29 will be able to work with RSA-32768 keys.
+
+### Debian
+In case if you want to install current release follow instructions below.
+Update your aptitude: `aptitude update`
+
+Install packets for compilation: `aptitude install gcc make checkinstall`
+
+Install [**modified** libgcrypt](https://github.com/nikitasius/libgcrypt).
+
+To build with BZIP2 support you need: `aptitude install libbz2-dev`
+
+Download and execute from folder: `./configure`
+
+To see help and detail configuration run `./configure --help`
+
+
+##Compilation
+If all is how you want, you can run `make`
+
+##Tests
+To pass the tests run `make check`
+
+I've tested on my laptop: RSA1024-OK, RSA2048-OK,RSA3072-OK, RSA4096-OK, RSA8192-OK, RSA16384-OK, RSA32768-OK.
+
+##Installation
+If all tests are passed well, execute`checkinstall` and fill the fields like below:
+
+> 1 - Summary: [ gnupg2-2.0.29 ]
+
+> 2 - Name: [ gnupg2 ]
+
+> 3 - Version: [ 2.0.29 ]
+
+> 11 - Provides: [ gnupg2 ]
+
+After this you will be able to delete it via gpkg as `dpkg -r gnupg2` **or** run `make install` if you do not use `checkinstall`.
+
+##Perfomance
+On i5-5200U laptop under debian 8.3 (`4.3.0-0.bpo.1-amd64 #1 SMP Debian 4.3.3-7~bpo8+1 (2016-01-19) x86_64 GNU/Linux`)
+
+>RSA 16384 - 19 minutes
+
+>RSA 32768 - 106 minutes
+
+**Encryption with RSA 32k** file.gz - 12Mb file from debian [ls-lR.gz](http://ftp.debian.org/debian/ls-lR.gz)
+
+> time gpg2 --out file.gz.enc --recipient "test32768pair" --encrypt file.gz
+
+>
+
+>real 0m0.079s
+
+>user 0m0.072s
+
+>sys 0m0.004s
+
+**decryption with RSA 32k**
+
+> time gpg2 --out file.gz.gz --decrypt file.gz.enc
+
+>
+
+>real 0m7.610s
+
+>user 0m5.624s
+
+>sys 0m0.024s
+
+**sha1sum file.* **
+
+>7ab98fd4a154fad5f5bbe0d698178783cd2ac994 file.gz
+
+>9773bb1b9d7f75f408f562d476e8936aafa0f3b9 file.gz.enc
+
+>7ab98fd4a154fad5f5bbe0d698178783cd2ac994 file.gz.gz
+
+##Errors
+###gpg: problem with the agent: No pinentry
+This problem common for all versions of GnuPG (modified and vanilla) which was installed manually and here is **two solutions**:
+
+ 1) delete `gnupg-agent` and `gpa` from previous version: `aptitude remove gnupg-agent gpa`. After you need configure/compile/install modified GnuPG again which will install correcly **new** version of gnupg-agent. Process `gnupg-agent` **must be stopped**!
+
+ 2) install 3rd-party pinentry, for example `pinentry-curses`: `aptitude install pinentry-curses` and configure your gnupg to use this as adding `--with-pinentry-pgm=/usr/bin/pinentry-curses` to `./configure`. After you need to create in `.gnupg` folder (which in your HOME directory) file `gpg-agent.conf` with `pinentry-program /usr/bin/pinentry-curses` and restart `gnupg-agent` *or* `reboot` system.
+
+**Both** solution can work, but i recommend to start with **solution#1**, and if it changed nothing, apply **solution#2**. In my case i've used both solution, because i prefer curses as pinentry.
+
+### mpi too large for this implementation
+> gpg: mpi too large for this implementation (32768 bits)
+
+> gpg: mpi too large for this implementation (46842 bits)
+
+> gpg: keyring_get_keyblock: read error: invalid packet
+
+> gpg: keydb_get_keyblock failed: invalid keyring
+
+It happen when you try to read keys from keyring with **vanilla** GnuPG(`gpg -K`/`gpg2 -K`) and keyring contain **large RSA** keys, generated in **modified GnuPG**.
+
+**Solution:**
+
+Install **modified** GnuPG with **modified** libgcrypt.
+
+
+### keyring_get_keyblock/keydb_get_keyblock/Invalid packet
+
+> gpg: checking the trustdb
+
+> gpg: keyring_get_keyblock: read error: Invalid packet
+
+> gpg: keyring_get_keyblock failed: Invalid keyring
+
+> gpg: failed to rebuild keyring cache: Invalid keyring
+
+> gpg: keydb_search failed: Invalid packet
+
+> gpg: public key of ultimately trusted key C6890411 not found
+
+> gpg: keydb_search failed: Invalid packet
+
+> gpg: public key of ultimately trusted key 8BF0E8A4 not found
+
+> gpg: keyring_get_keyblock: read error: Invalid packet
+
+> gpg: keydb_get_keyblock failed: Invalid keyring
+
+> gpg: keydb_search failed: Invalid keyring
+
+> gpg: public key of ultimately trusted key BE98D714 not found
+
+> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
+
+> gpg: keyring_get_keyblock: read error: Invalid packet
+
+> gpg: keydb_get_keyblock failed: Invalid keyring
+
+> gpg: validate_key_list failed
+
+> /home/USERNAME/.gnupg/secring.gpg
+
+This happen when you generated large RSA key in **modified** GnuPG but in system you have **vanilla** libgcrypt.
+
+**Solution:** install both modified.
\ No newline at end of file
diff -uraN a/scd/apdu.c b/scd/apdu.c
--- a/scd/apdu.c 2015-09-08 14:39:24.000000000 +0200
+++ b/scd/apdu.c 2016-02-26 21:42:52.000000000 +0100
@@ -2964,7 +2964,7 @@
 if (opt.ctapi_driver && *opt.ctapi_driver)
 {
- int port = portstr? atoi (portstr) : 32768;
+ int port = portstr? atoi (portstr) : KEY_MAX_SIZE_LOOKSLIKE;
 if (!ct_api_loaded)
 {
@@ -3612,7 +3612,7 @@
 else if (extended_mode < 0)
 {
 /* Send APDU using chaining mode. */
- if (lc > 16384)
+ if (lc > KEY_MAX_SIZE_LOOKSLIKE)
 return SW_WRONG_LENGTH; /* Sanity check. */
 if ((class&0xf0) != 0)
 return SW_HOST_INV_VALUE; /* Upper 4 bits need to be 0. */
diff -uraN a/scd/command.c b/scd/command.c
--- a/scd/command.c 2015-09-08 14:39:24.000000000 +0200
+++ b/scd/command.c 2016-02-26 21:42:52.000000000 +0100
@@ -45,13 +45,13 @@
 #define MAXLEN_PIN 100
 /* Maximum allowed size of key data as used in inquiries. */
-#define MAXLEN_KEYDATA 4096
+#define MAXLEN_KEYDATA KEY_MAX_SIZE_LOOKSLIKE
 /* Maximum allowed total data size for SETDATA. */
-#define MAXLEN_SETDATA 4096
+#define MAXLEN_SETDATA KEY_MAX_SIZE_LOOKSLIKE
 /* Maximum allowed size of certificate data as used in inquiries. */
-#define MAXLEN_CERTDATA 16384
+#define MAXLEN_CERTDATA KEY_MAX_SIZE_LOOKSLIKE
 #define set_error(e,t) assuan_set_error (ctx, gpg_error (e), (t))
diff -uraN a/scd/scdaemon.c b/scd/scdaemon.c
--- a/scd/scdaemon.c 2015-09-08 14:39:24.000000000 +0200
+++ b/scd/scdaemon.c 2016-02-26 21:42:52.000000000 +0100
@@ -497,7 +497,7 @@
 }
 /* initialize the secure memory. */
- gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
+ gcry_control (GCRYCTL_INIT_SECMEM, SECMEM_BUFFER_SIZE, 0);
 maybe_setuid = 0;
 /*
diff -uraN a/sm/gpgsm.c b/sm/gpgsm.c
--- a/sm/gpgsm.c 2015-09-08 14:39:24.000000000 +0200
+++ b/sm/gpgsm.c 2016-02-26 21:42:52.000000000 +0100
@@ -965,7 +965,7 @@
 /* Initialize the secure memory. */
- gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
+ gcry_control (GCRYCTL_INIT_SECMEM, SECMEM_BUFFER_SIZE, 0);
 maybe_setuid = 0;
 /*
diff -uraN a/tools/gpg-check-pattern.c b/tools/gpg-check-pattern.c
--- a/tools/gpg-check-pattern.c 2015-09-08 14:39:24.000000000 +0200
+++ b/tools/gpg-check-pattern.c 2016-02-26 21:42:52.000000000 +0100
@@ -179,7 +179,7 @@
 }
 setup_libgcrypt_logging ();
- gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0);
+ gcry_control (GCRYCTL_INIT_SECMEM, SECMEM_BUFFER_SIZE, 0);
 opt.homedir = default_homedir ();
diff -uraN a/tools/make-dns-cert.c b/tools/make-dns-cert.c
--- a/tools/make-dns-cert.c 2015-09-01 08:52:21.000000000 +0200
+++ b/tools/make-dns-cert.c 2016-02-26 21:42:52.000000000 +0100
@@ -64,7 +64,7 @@
 goto fail;
 }
- if(statbuf.st_size>16384)
+ if(statbuf.st_size>KEY_MAX_SIZE_LOOKSLIKE)
 fprintf(stderr,"Warning: key file %s is larger than the default"
 " GnuPG max-cert-size\n",keyfile);
diff -uraN a/tools/symcryptrun.c b/tools/symcryptrun.c
--- a/tools/symcryptrun.c 2015-09-08 14:39:24.000000000 +0200
+++ b/tools/symcryptrun.c 2016-02-26 21:42:52.000000000 +0100
@@ -999,7 +999,7 @@
 NEED_LIBGCRYPT_VERSION, gcry_check_version (NULL) );
 }
 setup_libgcrypt_logging ();
- gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
+ gcry_control (GCRYCTL_INIT_SECMEM, SECMEM_BUFFER_SIZE, 0);
 /* Tell simple-pwquery about the the standard socket name. */
 {