[git] GnuPG - branch, STABLE-BRANCH-2-2, updated. gnupg-2.2.3-23-g8ede3ae
by Daniel Kahn Gillmor
cvs at cvs.gnupg.org
Tue Dec 12 15:12:53 CET 2017
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".
The branch, STABLE-BRANCH-2-2 has been updated
via 8ede3ae29a39641a2f98ad9a4cf61ea99085a892 (commit)
from c81a447190d2763ac4c64b2e74e22e824da8aba3 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 8ede3ae29a39641a2f98ad9a4cf61ea99085a892
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Thu Sep 28 08:32:26 2017 -0400
gpg: default-preference-list: prefer SHA512.
* g10/keygen.c (keygen_set_std_prefs): when producing default internal
personal-digest-preferences, keep the same order. When publishing
external preferences, state preference for SHA512 first.
--
SHA-512 has a wider security margin than SHA-256. It is also slightly
faster on most of the architectures on which GnuPG runs today. New
keys should publish defaults that indicate we prefer the stronger,
more performant digest.
Specifically, this changes --default-preference-list from:
SHA256 SHA384 SHA512 SHA224
to:
SHA512 SHA384 SHA256 SHA224
This patch deliberately avoids touching --personal-digest-preferences
(which itself would affect the default of --digest-algo and
--cert-digest-algo), so that public-facing cleartext signatures and
identity certifications will continue to be made with SHA256 by
default.
Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
diff --git a/g10/keygen.c b/g10/keygen.c
index 38686b2..7ef3cac 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -384,19 +384,36 @@ keygen_set_std_prefs (const char *string,int personal)
strcat(dummy_string,"S7 ");
strcat(dummy_string,"S2 "); /* 3DES */
- /* The default hash algo order is:
- SHA-256, SHA-384, SHA-512, SHA-224, SHA-1.
- */
- if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256))
- strcat (dummy_string, "H8 ");
+ if (personal)
+ {
+ /* The default internal hash algo order is:
+ * SHA-256, SHA-384, SHA-512, SHA-224, SHA-1.
+ */
+ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256))
+ strcat (dummy_string, "H8 ");
+
+ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA384))
+ strcat (dummy_string, "H9 ");
+
+ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512))
+ strcat (dummy_string, "H10 ");
+ }
+ else
+ {
+ /* The default advertised hash algo order is:
+ * SHA-512, SHA-384, SHA-256, SHA-224, SHA-1.
+ */
+ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512))
+ strcat (dummy_string, "H10 ");
- if (!openpgp_md_test_algo (DIGEST_ALGO_SHA384))
- strcat (dummy_string, "H9 ");
+ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA384))
+ strcat (dummy_string, "H9 ");
- if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512))
- strcat (dummy_string, "H10 ");
+ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256))
+ strcat (dummy_string, "H8 ");
+ }
- if (!openpgp_md_test_algo (DIGEST_ALGO_SHA224))
+ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA224))
strcat (dummy_string, "H11 ");
strcat (dummy_string, "H2 "); /* SHA-1 */
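Review bot: The `if (personal)` and `else` branches repeat the same three `openpgp_md_test_algo` checks for SHA256, SHA384 and SHA512 and differ only in order, so any later change to the digest set has to be made in two places. Consider choosing between two small ordered arrays of digest IDs based on `personal` and appending the available ones in a single loop. The `DIGEST_ALGO_SHA224` line near the end of the hunk is removed and re-added with the same text, which looks like a whitespace-only change; confirm the new indentation is intended or drop it from the patch. Both new comments list SHA-224 and SHA-1 in the order, but those two entries are appended after the branch, so a short remark that the tail is shared would keep each comment accurate when read on its own.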
-----------------------------------------------------------------------
Summary of changes:
g10/keygen.c | 37 +++++++++++++++++++++++++++----------
1 file changed, 27 insertions(+), 10 deletions(-)
hooks/post-receive
--
The GNU Privacy Guard
http://git.gnupg.org