Comment changes.

Changed --learn-card.

g10/ChangeLog

@@ -54,7 +54,7 @@
 
 	* keygen.c (keygen_set_std_prefs): Remove RMD-160 from the list.
 	Change order to SHA-256, SHA-1, SHA-384, SHA-512, SHA-224.
-	(gen_dsa): Use a 256 bit Q for 2048 bit P.  Runt to FIPS allowed
+	(gen_dsa): Use a 256 bit Q for 2048 bit P.  Round to FIPS allowed
 	values in non-expert mode.
 
 2009-07-07  Werner Koch  <wk@g10code.com>

g10/passphrase.c

@@ -88,6 +88,10 @@ hash_passphrase ( DEK *dek, char *pw, STRING2KEY *s2k)
                 count = len2;
 	    }
 
+          /* Fixme: To avoid DoS attacks by sending an sym-encrypted
+             packet with a very high S2K count, we should either cap
+             the iteration count or CPU seconds based timeout.  */
+
           /* A little bit complicated because we need a ulong for count. */
           while ( count > len2 )  /* maybe iterated+salted */
             { 

sm/ChangeLog

@@ -1,3 +1,7 @@
+2009-07-30  Werner Koch  <wk@g10code.com>
+
+	* call-agent.c (learn_cb): Do not store as ephemeral.
+
 2009-07-29  Marcus Brinkmann  <marcus@g10code.com>
 
 	* keylist.c (print_capabilities): Print a trailing colon.

sm/call-agent.c

@@ -875,13 +875,11 @@ learn_cb (void *opaque, const void *buffer, size_t length)
       return 0;
     }
 
+  /* We do not store a certifciate with missing issuers as ephemeral
+     because we can assume that the --learn-card command has been used
+     on purpose.  */
   rc = gpgsm_basic_cert_check (parm->ctrl, cert);
-  if (gpg_err_code (rc) == GPG_ERR_MISSING_CERT)
-    { /* For later use we store it in the ephemeral database. */
-      log_info ("issuer certificate missing - storing as ephemeral\n");
-      keydb_store_cert (cert, 1, NULL);
-    }
-  else if (rc)
+  if (rc && gpg_err_code (rc) != GPG_ERR_MISSING_CERT)
     log_error ("invalid certificate: %s\n", gpg_strerror (rc));
   else
     {