mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
Changed default hash algorithm preferences
This commit is contained in:
parent
2e835fd6ab
commit
e50cac1d84
11
NEWS
11
NEWS
@ -1,14 +1,17 @@
|
||||
Noteworthy changes in version 2.0.13
|
||||
-------------------------------------------------
|
||||
|
||||
* GPG now generates 2048 bit RSA keys by default. The default hash
|
||||
algorithm preferences has changed to prefer SHA-256 over SHA-1.
|
||||
2048 bit DSA keys are now generated to use a 256 bit hash algorithm
|
||||
|
||||
* The envvars XMODIFIERS, GTK_IM_MODULE and QT_IM_MODULE are now
|
||||
passed to the Pinentry to make SCIM work.
|
||||
|
||||
* gpgsm --gen-key implements a --batch mode.
|
||||
* The GPGSM command --gen-key features a --batch mode and implements
|
||||
all features of gpgsm-gencert.sh in standard mode.
|
||||
|
||||
* gpgsm --gen-key implements all features of gpgsm-gencert.sh.
|
||||
|
||||
* New option --re-import for gpgsm's IMPORT server command.
|
||||
* New option --re-import for GPGSM's IMPORT server command.
|
||||
|
||||
* Minor bug fixes.
|
||||
|
||||
|
@ -1,3 +1,14 @@
|
||||
2009-07-09 Werner Koch <wk@g10code.com>
|
||||
|
||||
* gpg.c (main): Remove the SHA-1 default from the personal digest
|
||||
list. This was used in the past as a hack to avoid preferring
|
||||
RMD-160.
|
||||
|
||||
* keygen.c (keygen_set_std_prefs): Remove RMD-160 from the list.
|
||||
Change order to SHA-256, SHA-1, SHA-384, SHA-512, SHA-224.
|
||||
(gen_dsa): Use a 256 bit Q for 2048 bit P. Runt to FIPS allowed
|
||||
values in non-expert mode.
|
||||
|
||||
2009-07-07 Werner Koch <wk@g10code.com>
|
||||
|
||||
* gpg.c (set_opt_session_env): New.
|
||||
|
@ -3195,11 +3195,6 @@ main (int argc, char **argv)
|
||||
keygen_set_std_prefs(opt.def_preference_list,0))
|
||||
log_error(_("invalid default preferences\n"));
|
||||
|
||||
/* We provide defaults for the personal digest list. This is
|
||||
SHA-1. */
|
||||
if(!pers_digest_list)
|
||||
pers_digest_list="h2";
|
||||
|
||||
if(pers_cipher_list &&
|
||||
keygen_set_std_prefs(pers_cipher_list,PREFTYPE_SYM))
|
||||
log_error(_("invalid personal cipher preferences\n"));
|
||||
|
43
g10/keygen.c
43
g10/keygen.c
@ -1,6 +1,6 @@
|
||||
/* keygen.c - generate a key pair
|
||||
* Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
|
||||
* 2006, 2007 Free Software Foundation, Inc.
|
||||
* 2006, 2007, 2009 Free Software Foundation, Inc.
|
||||
*
|
||||
* This file is part of GnuPG.
|
||||
*
|
||||
@ -301,7 +301,7 @@ keygen_set_std_prefs (const char *string,int personal)
|
||||
byte sym[MAX_PREFS], hash[MAX_PREFS], zip[MAX_PREFS];
|
||||
int nsym=0, nhash=0, nzip=0, val, rc=0;
|
||||
int mdc=1, modify=0; /* mdc defaults on, modify defaults off. */
|
||||
char dummy_string[45+1]; /* Enough for 15 items. */
|
||||
char dummy_string[20*4+1]; /* Enough for 20 items. */
|
||||
|
||||
if (!string || !ascii_strcasecmp (string, "default"))
|
||||
{
|
||||
@ -345,15 +345,29 @@ keygen_set_std_prefs (const char *string,int personal)
|
||||
if ( !openpgp_cipher_test_algo (CIPHER_ALGO_IDEA) )
|
||||
strcat(dummy_string,"S1 ");
|
||||
|
||||
/* SHA-1 */
|
||||
strcat(dummy_string,"H2 ");
|
||||
|
||||
/* The default hash algo order is:
|
||||
SHA-256, SHA-1, SHA-384, SHA-512, SHA-224.
|
||||
Ordering SHA-1 before SHA-384 might be viewed as a bit
|
||||
strange; it is done because we expect that soon enough
|
||||
SHA-3 will be available and at that point there should
|
||||
be no more need for SHA-384 etc. Anyway this order is
|
||||
just a default and can easily be changed by a config
|
||||
option. */
|
||||
if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256))
|
||||
strcat (dummy_string, "H8 ");
|
||||
|
||||
/* RIPEMD160 */
|
||||
if (!openpgp_md_test_algo(DIGEST_ALGO_RMD160))
|
||||
strcat(dummy_string,"H3 ");
|
||||
strcat (dummy_string, "H2 "); /* SHA-1 */
|
||||
|
||||
if (!openpgp_md_test_algo (DIGEST_ALGO_SHA384))
|
||||
strcat (dummy_string, "H9 ");
|
||||
|
||||
if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512))
|
||||
strcat (dummy_string, "H10 ");
|
||||
|
||||
if (!openpgp_md_test_algo (DIGEST_ALGO_SHA224))
|
||||
strcat (dummy_string, "H11 ");
|
||||
|
||||
|
||||
/* ZLIB */
|
||||
strcat(dummy_string,"Z2 ");
|
||||
@ -507,7 +521,8 @@ keygen_set_std_prefs (const char *string,int personal)
|
||||
|
||||
/* Return a fake user ID containing the preferences. Caller must
|
||||
free. */
|
||||
PKT_user_id *keygen_get_std_prefs(void)
|
||||
PKT_user_id *
|
||||
keygen_get_std_prefs(void)
|
||||
{
|
||||
int i,j=0;
|
||||
PKT_user_id *uid=xmalloc_clear(sizeof(PKT_user_id));
|
||||
@ -1280,6 +1295,14 @@ gen_dsa (unsigned int nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek,
|
||||
log_info(_("keysize rounded up to %u bits\n"), nbits );
|
||||
}
|
||||
|
||||
/* To comply with FIPS rules we round up to the next value unless in
|
||||
expert mode. */
|
||||
if (!opt.expert && nbits > 1024 && (nbits % 1024))
|
||||
{
|
||||
nbits = ((nbits + 1023) / 1024) * 1024;
|
||||
log_info(_("keysize rounded up to %u bits\n"), nbits );
|
||||
}
|
||||
|
||||
/*
|
||||
Figure out a q size based on the key size. FIPS 180-3 says:
|
||||
|
||||
@ -1291,11 +1314,11 @@ gen_dsa (unsigned int nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek,
|
||||
2048/256 is an odd pair since there is also a 2048/224 and
|
||||
3072/256. Matching sizes is not a very exact science.
|
||||
|
||||
We'll do 256 qbits for nbits over 2048, 224 for nbits over 1024
|
||||
We'll do 256 qbits for nbits over 2047, 224 for nbits over 1024
|
||||
but less than 2048, and 160 for 1024 (DSA1).
|
||||
*/
|
||||
|
||||
if (nbits > 2048)
|
||||
if (nbits > 2047)
|
||||
qbits = 256;
|
||||
else if ( nbits > 1024)
|
||||
qbits = 224;
|
||||
|
Loading…
x
Reference in New Issue
Block a user