* options.h, gpg.c (main): Add --enable-dsa2 and --disable-dsa2. Defaults

to disable.

* pkclist.c (algo_available): If --enable-dsa2 is set, we're allowed to
truncate hashes to fit DSA keys.

* sign.c (match_dsa_hash): New.  Return the best match hash for a given q
size. (do_sign, hash_for, sign_file): When signing with a DSA key, if it
has q==160, assume it is an old DSA key and don't allow truncation unless
--enable-dsa2 is also set.  q!=160 always allows truncation since they
must be DSA2 keys. (make_keysig_packet): If the user doesn't specify a
--cert-digest-algo, use match_dsa_hash to pick the best hash for key
signatures.

1 files changed, 7 insertions, 0 deletions

diff --git a/g10/gpg.c b/g10/gpg.c
index 276a35b43..ac4df6b41 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -362,6 +362,8 @@ enum cmd_and_opt_values
     oAutoKeyLocate,
     oNoAutoKeyLocate,
     oAllowMultisigVerification,
+    oEnableDSA2,
+    oDisableDSA2,
 
     oNoop
   };
@@ -699,6 +701,8 @@ static ARGPARSE_OPTS opts[] = {
     { oDebugCCIDDriver, "debug-ccid-driver", 0, "@"},
 #endif
     { oAllowMultisigVerification, "allow-multisig-verification", 0, "@"},
+    { oEnableDSA2, "enable-dsa2", 0, "@"},
+    { oDisableDSA2, "disable-dsa2", 0, "@"},
 
     /* These two are aliases to help users of the PGP command line
        product use gpg with minimal pain.  Many commands are common
@@ -2659,6 +2663,9 @@ main (int argc, char **argv )
             opt.allow_multisig_verification = 1;
             break;
 
+	  case oEnableDSA2: opt.flags.dsa2=1; break;
+	  case oDisableDSA2: opt.flags.dsa2=0; break;
+
 	  case oNoop: break;
 
 	  default : pargs.err = configfp? 1:2; break;