authorNikos Mavrogiannopoulos <nmav@gnutls.org>2007-10-12 23:23:11 +0300
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2007-10-12 23:23:11 +0300
commit7f8c8ee533c924acd839072d0c921c7676acf7a1 (patch)
tree8e0317b5986192d1087a14864e4c5a26459667c5
parent230c4e8d2085e0bd91d3312f1850def7f1b810f4 (diff)
Added support for DSA2 (DSA key sizes larger than 1024 bits) via libgcrypt 1.3.0.
-rw-r--r--configure.in2
-rw-r--r--lib/gnutls_algorithms.c2
-rw-r--r--lib/gnutls_pk.c4
-rw-r--r--lib/x509/dsa.c2
-rw-r--r--lib/x509/sign.c1
-rw-r--r--src/certtool-gaa.c2
-rw-r--r--src/certtool.c7
-rw-r--r--src/certtool.gaa2
8 files changed, 9 insertions, 13 deletions
diff --git a/configure.in b/configure.in
index 86804b8499..c676a98d3a 100644
--- a/configure.in
+++ b/configure.in
@@ -44,7 +44,7 @@ ac_full=1
SOVERSION=`expr ${LT_CURRENT} - ${LT_AGE}`
AC_SUBST(SOVERSION)
-GNUTLS_GCRYPT_VERSION=1:1.2.2
+GNUTLS_GCRYPT_VERSION=1:1.3.0
GNUTLS_LIBTASN1_VERSION=0.3.4
AC_DEFINE_UNQUOTED(GNUTLS_GCRYPT_VERSION, "$GNUTLS_GCRYPT_VERSION", [version of gcrypt])
AC_DEFINE_UNQUOTED(GNUTLS_LIBTASN1_VERSION, "$GNUTLS_LIBTASN1_VERSION", [version of libtasn1])
diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c
index e483ae16db..6bca42be67 100644
--- a/lib/gnutls_algorithms.c
+++ b/lib/gnutls_algorithms.c
@@ -202,8 +202,8 @@ struct gnutls_hash_entry
{
const char *name;
const char *oid;
- size_t key_size; /* in case of mac */
gnutls_mac_algorithm_t id;
+ size_t key_size; /* in case of mac */
};
typedef struct gnutls_hash_entry gnutls_hash_entry;
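Review bot: Moving `key_size` after `id` changes the positional layout of `gnutls_hash_entry`, so any aggregate initializer of the hash table that lists members by position now assigns the MAC id into `key_size` and vice versa unless it is updated as well. The diffstat shows lib/gnutls_algorithms.c with only this two-line change, so the table is either already written in the new order or has been left inconsistent; worth confirming before merge. Designated initializers (`.id = …, .key_size = …`) would make the table immune to this kind of reorder in the future.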
diff --git a/lib/gnutls_pk.c b/lib/gnutls_pk.c
index 528255b90d..04e42ca958 100644
--- a/lib/gnutls_pk.c
+++ b/lib/gnutls_pk.c
@@ -440,8 +440,8 @@ _gnutls_dsa_sign (gnutls_datum_t * signature,
size_t k;
k = hash->size;
- if (k != 20)
- { /* SHA only */
+ if (k < 20)
+ { /* SHA1 or better only */
gnutls_assert ();
return GNUTLS_E_PK_SIGN_FAILED;
}
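Review bot: Relaxing `k != 20` to `k < 20` removes the only check that tied the digest length to the DSA group, so a digest longer than the key's q (a 32-byte digest with a 160-bit q, for instance) now passes this guard and reaches the signing step further down. `_gnutls_dsa_sign` continues outside the hunk, so it is not visible here whether that step left-truncates the digest to the bit length of q, as DSA2 requires, or hands the full value to the backend; if the backend does not truncate, a comparison of `k` against the size of q (or an explicit truncation before the signature is built) is needed. At minimum the new comment should state the assumption, e.g. `/* at least 160 bits; digests longer than q are expected to be truncated by the PK backend */`.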
diff --git a/lib/x509/dsa.c b/lib/x509/dsa.c
index 46559746e1..5d46c26cac 100644
--- a/lib/x509/dsa.c
+++ b/lib/x509/dsa.c
@@ -39,7 +39,7 @@ _gnutls_dsa_generate_params (mpi_t * resarr, int *resarr_len, int bits)
int ret;
gcry_sexp_t parms, key, list;
- if (bits < 512 || bits > 1024)
+ if (bits < 512)
{
gnutls_assert ();
return GNUTLS_E_INVALID_REQUEST;
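Review bot: Dropping the `bits > 1024` test leaves `bits` with no upper bound, so an arbitrarily large request goes straight to parameter generation; certtool's own refusal of `--dsa` with `--bits > 1024` is removed in the src/certtool.c hunk of this commit, so the value now arrives here unfiltered from the command line. How libgcrypt 1.3.0 reacts to very large sizes is not visible in the hunk, but at best it is a very long computation, and DSA2 defines only a few (L, N) pairs, so sizes other than the standard ones may be accepted here yet produce non-interoperable parameters. A bounded check such as `if (bits < 512 || bits > <MAX_DSA_BITS>)` (placeholder for whatever limit the project settles on) keeps the rejection explicit and cheap; `_gnutls_dsa_generate_params` continues outside the hunk.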
diff --git a/lib/x509/sign.c b/lib/x509/sign.c
index c1c230f7ff..80e7e8e232 100644
--- a/lib/x509/sign.c
+++ b/lib/x509/sign.c
@@ -60,6 +60,7 @@ encode_ber_digest_info (gnutls_digest_algorithm_t hash,
if (algo == NULL)
{
gnutls_assert ();
+ _gnutls_x509_log("Hash algorithm: %d\n", hash);
return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
}
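Review bot: The added log line prints `Hash algorithm: %d` on the failure path of the `algo == NULL` branch, which reads like an informational trace rather than the reason the function is about to return an error; `_gnutls_x509_log("Unknown hash algorithm: %d\n", hash);` would make the message self-explanatory when diagnosing why a DSA2 signature with a newer digest fails. The unchanged return value on the next line is GNUTLS_E_UNKNOWN_PK_ALGORITHM although the lookup that failed is for the hash, which predates this commit but is worth aligning while touching the branch. `encode_ber_digest_info` continues outside the hunk.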
diff --git a/src/certtool-gaa.c b/src/certtool-gaa.c
index 2f2266e577..3c9e75bbdf 100644
--- a/src/certtool-gaa.c
+++ b/src/certtool-gaa.c
@@ -1065,7 +1065,7 @@ int gaa(int argc, char **argv, gaainfo *gaaval)
{
#line 114 "certtool.gaa"
-{ gaaval->bits = 1024; gaaval->pkcs8 = 0; gaaval->privkey = NULL; gaaval->ca=NULL; gaaval->ca_privkey = NULL;
+{ gaaval->bits = 2048; gaaval->pkcs8 = 0; gaaval->privkey = NULL; gaaval->ca=NULL; gaaval->ca_privkey = NULL;
gaaval->debug=1; gaaval->request = NULL; gaaval->infile = NULL; gaaval->outfile = NULL; gaaval->cert = NULL;
gaaval->incert_format = 0; gaaval->outcert_format = 0; gaaval->action=-1; gaaval->pass = NULL;
gaaval->export = 0; gaaval->template = NULL; gaaval->hash=NULL; gaaval->fix_key = 0; gaaval->quick_random=0; ;};
diff --git a/src/certtool.c b/src/certtool.c
index 0ecfca88e2..16553899c3 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -122,12 +122,7 @@ generate_private_key_int (void)
int ret, key_type;
if (info.dsa)
- {
- key_type = GNUTLS_PK_DSA;
-
- if (info.bits > 1024)
- error (EXIT_FAILURE, 0, "--dsa is incompatible with --bits > 1024");
- }
+ key_type = GNUTLS_PK_DSA;
else
key_type = GNUTLS_PK_RSA;
diff --git a/src/certtool.gaa b/src/certtool.gaa
index 828b3253f3..a854e1072a 100644
--- a/src/certtool.gaa
+++ b/src/certtool.gaa
@@ -111,7 +111,7 @@ option (h, help) { gaa_help(); exit(0); } "shows this help text"
option (v, version) { certtool_version(); exit(0); } "shows the program's version"
-init { $bits = 1024; $pkcs8 = 0; $privkey = NULL; $ca=NULL; $ca_privkey = NULL;
+init { $bits = 2048; $pkcs8 = 0; $privkey = NULL; $ca=NULL; $ca_privkey = NULL;
$debug=1; $request = NULL; $infile = NULL; $outfile = NULL; $cert = NULL;
$incert_format = 0; $outcert_format = 0; $action=-1; $pass = NULL;
$export = 0; $template = NULL; $hash=NULL; $fix_key = 0; $quick_random=0; }