From d33246700578cddd1cb8ed8164cfbba50aba4ef3 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Sat, 27 Sep 2014 15:21:02 +0200 Subject: [PATCH] gpg: Default to SHA-256 for all signature types on RSA keys. * g10/main.h (DEFAULT_DIGEST_ALGO): Use SHA256 in --gnupg and SHA1 in strict RFC or PGP modes. * g10/sign.c (make_keysig_packet): Use DEFAULT_DIGEST_ALGO also for RSA key signatures. * configure.ac: Do not allow to disable sha256. --- configure.ac | 2 +- g10/main.h | 2 +- g10/sign.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index a2f07cbb9..c627c27aa 100644 --- a/configure.ac +++ b/configure.ac @@ -254,7 +254,7 @@ GNUPG_GPG_DISABLE_ALGO([md5],[MD5 hash]) # SHA1 is a MUSt algorithm GNUPG_GPG_DISABLE_ALGO([rmd160],[RIPE-MD160 hash]) GNUPG_GPG_DISABLE_ALGO([sha224],[SHA-224 hash]) -GNUPG_GPG_DISABLE_ALGO([sha256],[SHA-256 hash]) +# SHA256 is a MUST algorithm for GnuPG. GNUPG_GPG_DISABLE_ALGO([sha384],[SHA-384 hash]) GNUPG_GPG_DISABLE_ALGO([sha512],[SHA-512 hash]) diff --git a/g10/main.h b/g10/main.h index 17a050d54..76541c771 100644 --- a/g10/main.h +++ b/g10/main.h @@ -38,7 +38,7 @@ # define DEFAULT_CIPHER_ALGO CIPHER_ALGO_3DES #endif -#define DEFAULT_DIGEST_ALGO DIGEST_ALGO_SHA1 +#define DEFAULT_DIGEST_ALGO ((GNUPG)? DIGEST_ALGO_SHA256:DIGEST_ALGO_SHA1) #define DEFAULT_S2K_DIGEST_ALGO DIGEST_ALGO_SHA1 #ifdef HAVE_ZIP # define DEFAULT_COMPRESS_ALGO COMPRESS_ALGO_ZIP diff --git a/g10/sign.c b/g10/sign.c index c8139d74c..bd78c1750 100644 --- a/g10/sign.c +++ b/g10/sign.c @@ -1499,7 +1499,7 @@ make_keysig_packet( PKT_signature **ret_sig, PKT_public_key *pk, (ecdsa_qbits_from_Q (gcry_mpi_get_nbits (pksk->pkey[1]))/8); } else - digest_algo = DIGEST_ALGO_SHA1; + digest_algo = DEFAULT_DIGEST_ALGO; } if ( gcry_md_open (&md, digest_algo, 0 ) )