* g10/main.h (DEFAULT_DIGEST_ALGO): Use SHA512 instead of SHA256 in
--gnupg mode (leave strict RFC and PGP modes alone).
* configure.ac: Do not allow disabling sha512.
* g10/misc.c (map_md_openpgp_to_gcry): Always support SHA512.
--
SHA512 is more performant on most 64-bit platforms than SHA256, and
offers a better security margin. It is also widely implemented.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Gbp-Pq: Topic update-defaults
Gbp-Pq: Name gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch
GNUPG_GPG_DISABLE_ALGO([sha224],[SHA-224 hash])
# SHA256 is a MUST algorithm for GnuPG.
GNUPG_GPG_DISABLE_ALGO([sha384],[SHA-384 hash])
-GNUPG_GPG_DISABLE_ALGO([sha512],[SHA-512 hash])
+# SHA512 is a MUST algorithm for GnuPG.
# Allow disabling of zip support.
# define DEFAULT_CIPHER_ALGO CIPHER_ALGO_3DES
#endif
-#define DEFAULT_DIGEST_ALGO ((GNUPG)? DIGEST_ALGO_SHA256:DIGEST_ALGO_SHA1)
+#define DEFAULT_DIGEST_ALGO ((GNUPG)? DIGEST_ALGO_SHA512:DIGEST_ALGO_SHA1)
#define DEFAULT_S2K_DIGEST_ALGO DIGEST_ALGO_SHA1
#ifdef HAVE_ZIP
# define DEFAULT_COMPRESS_ALGO COMPRESS_ALGO_ZIP
case DIGEST_ALGO_SHA384: return 0;
#endif
-#ifdef GPG_USE_SHA512
case DIGEST_ALGO_SHA512: return GCRY_MD_SHA512;
-#else
- case DIGEST_ALGO_SHA512: return 0;
-#endif
+
default: return 0;
}
}
projects / gnupg2.git / commitdiff