* sign.c (do_sign): Accept a truncated hash even for DSA1 keys (be liberal

in what you accept, etc).
author: David Shaw <[email protected]> 2006-06-22 19:17:21 +0000
committer: David Shaw <[email protected]> 2006-06-22 19:17:21 +0000
commit: 059c67ca6d8a563cd4e06f5ebde928a96b7304ed (patch)
tree: 15b341e081a00bb6664b6247004f383bcbcb2d42 /g10/sign.c
parent: * gpg.sgml: Note that --pgp8 does not include SHA224. Clarify that (diff)
download: gnupg-059c67ca6d8a563cd4e06f5ebde928a96b7304ed.tar.gz
gnupg-059c67ca6d8a563cd4e06f5ebde928a96b7304ed.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/g10/sign.c b/g10/sign.c
index d3d0c29b6..39e39c633 100644
--- a/g10/sign.c
+++ b/g10/sign.c
@@ -319,6 +319,12 @@ do_sign( PKT_secret_key *sk, PKT_signature *sig,
       }
     else 
       {
+#if 0
+	/* Disabled for now.  It seems reasonable to accept a
+	   truncated hash for a DSA1 key, even though we don't
+	   generate it without --enable-dsa2.  Be liberal in what you
+	   accept, etc. */
+
 	/* If it's a DSA key, and q is 160 bits, it might be an
 	   old-style DSA key.  If the hash doesn't match the q, fail
 	   unless --enable-dsa2 is set.  If the q isn't 160 bits, then
@@ -333,6 +339,7 @@ do_sign( PKT_secret_key *sk, PKT_signature *sig,
 	    log_error(_("DSA requires the use of a 160 bit hash algorithm\n"));
 	    return G10ERR_GENERAL;
 	  }
+#endif
 
         frame = encode_md_value( NULL, sk, md, digest_algo );
         if (!frame)
author	David Shaw <[email protected]>	2006-06-22 19:17:21 +0000
committer	David Shaw <[email protected]>	2006-06-22 19:17:21 +0000
commit	059c67ca6d8a563cd4e06f5ebde928a96b7304ed (patch)
tree	15b341e081a00bb6664b6247004f383bcbcb2d42 /g10/sign.c
parent	* gpg.sgml: Note that --pgp8 does not include SHA224. Clarify that (diff)
download	gnupg-059c67ca6d8a563cd4e06f5ebde928a96b7304ed.tar.gz gnupg-059c67ca6d8a563cd4e06f5ebde928a96b7304ed.zip