diff options
Diffstat (limited to 'debian/patches/update-defaults')
2 files changed, 110 insertions, 0 deletions
diff --git a/debian/patches/update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch b/debian/patches/update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch new file mode 100644 index 0000000..ae00d38 --- /dev/null +++ b/debian/patches/update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch @@ -0,0 +1,64 @@ +From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +Date: Thu, 7 Sep 2017 18:49:35 -0400 +Subject: gpg: Default to SHA-512 for all signature types on RSA keys. + +* g10/main.h (DEFAULT_DIGEST_ALGO): Use SHA512 instead of SHA256 in +--gnupg mode (leave strict RFC and PGP modes alone). +* configure.ac: Do not allow disabling sha512. +* g10/misc.c (map_md_openpgp_to_gcry): Always support SHA512. + +-- + +SHA512 is more performant on most 64-bit platforms than SHA256, and +offers a better security margin. It is also widely implemented. + +Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +--- + configure.ac | 2 +- + g10/main.h | 2 +- + g10/misc.c | 5 +---- + 3 files changed, 3 insertions(+), 6 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 6e44af2..0a4ae1e 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -317,7 +317,7 @@ GNUPG_GPG_DISABLE_ALGO([rmd160],[RIPE-MD160 hash]) + GNUPG_GPG_DISABLE_ALGO([sha224],[SHA-224 hash]) + # SHA256 is a MUST algorithm for GnuPG. + GNUPG_GPG_DISABLE_ALGO([sha384],[SHA-384 hash]) +-GNUPG_GPG_DISABLE_ALGO([sha512],[SHA-512 hash]) ++# SHA512 is a MUST algorithm for GnuPG. + + + # Allow disabling of zip support. +diff --git a/g10/main.h b/g10/main.h +index d1a54db..50ebad0 100644 +--- a/g10/main.h ++++ b/g10/main.h +@@ -41,7 +41,7 @@ + # define DEFAULT_CIPHER_ALGO CIPHER_ALGO_3DES + #endif + +-#define DEFAULT_DIGEST_ALGO ((GNUPG)? DIGEST_ALGO_SHA256:DIGEST_ALGO_SHA1) ++#define DEFAULT_DIGEST_ALGO ((GNUPG)? DIGEST_ALGO_SHA512:DIGEST_ALGO_SHA1) + #define DEFAULT_S2K_DIGEST_ALGO DIGEST_ALGO_SHA1 + #ifdef HAVE_ZIP + # define DEFAULT_COMPRESS_ALGO COMPRESS_ALGO_ZIP +diff --git a/g10/misc.c b/g10/misc.c +index 0b19e1a..79c285c 100644 +--- a/g10/misc.c ++++ b/g10/misc.c +@@ -867,11 +867,8 @@ map_md_openpgp_to_gcry (digest_algo_t algo) + case DIGEST_ALGO_SHA384: return 0; + #endif + +-#ifdef GPG_USE_SHA512 + case DIGEST_ALGO_SHA512: return GCRY_MD_SHA512; +-#else +- case DIGEST_ALGO_SHA512: return 0; +-#endif ++ + default: return 0; + } + } diff --git a/debian/patches/update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch b/debian/patches/update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch new file mode 100644 index 0000000..bdb33f9 --- /dev/null +++ b/debian/patches/update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch @@ -0,0 +1,46 @@ +From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +Date: Wed, 3 Jan 2018 12:34:26 -0500 +Subject: gpg: Prefer SHA-512 and SHA-384 in personal-digest-preferences. + +* g10/keygen.c (keygen_set_std_prefs): prefer SHA-512 +and SHA-384 by default. + +-- + +In 8ede3ae29a39641a2f98ad9a4cf61ea99085a892, upstream changed the +defaults for --default-preference-list to advertise a preference for +SHA-512, without touching --personal-digest-preferences. This makes +the same change for --personal-digest-preferences, since every modern +OpenPGP library supports them all. + +Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +--- + g10/keygen.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/g10/keygen.c b/g10/keygen.c +index 5b4a785..2066bf1 100644 +--- a/g10/keygen.c ++++ b/g10/keygen.c +@@ -391,16 +391,16 @@ keygen_set_std_prefs (const char *string,int personal) + if (personal) + { + /* The default internal hash algo order is: +- * SHA-256, SHA-384, SHA-512, SHA-224, SHA-1. ++ * SHA-512, SHA-384, SHA-256, SHA-224, SHA-1. + */ +- if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256)) +- strcat (dummy_string, "H8 "); ++ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512)) ++ strcat (dummy_string, "H10 "); + + if (!openpgp_md_test_algo (DIGEST_ALGO_SHA384)) + strcat (dummy_string, "H9 "); + +- if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512)) +- strcat (dummy_string, "H10 "); ++ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256)) ++ strcat (dummy_string, "H8 "); + } + else + { |