diff --git a/g10/ChangeLog b/g10/ChangeLog index 4bf4b4601..0d008ca44 100644 --- a/g10/ChangeLog +++ b/g10/ChangeLog @@ -54,7 +54,7 @@ * keygen.c (keygen_set_std_prefs): Remove RMD-160 from the list. Change order to SHA-256, SHA-1, SHA-384, SHA-512, SHA-224. - (gen_dsa): Use a 256 bit Q for 2048 bit P. Runt to FIPS allowed + (gen_dsa): Use a 256 bit Q for 2048 bit P. Round to FIPS allowed values in non-expert mode. 2009-07-07 Werner Koch diff --git a/g10/passphrase.c b/g10/passphrase.c index d34f5fa92..83a6b0cf8 100644 --- a/g10/passphrase.c +++ b/g10/passphrase.c @@ -88,6 +88,10 @@ hash_passphrase ( DEK *dek, char *pw, STRING2KEY *s2k) count = len2; } + /* Fixme: To avoid DoS attacks by sending an sym-encrypted + packet with a very high S2K count, we should either cap + the iteration count or CPU seconds based timeout. */ + /* A little bit complicated because we need a ulong for count. */ while ( count > len2 ) /* maybe iterated+salted */ { diff --git a/sm/ChangeLog b/sm/ChangeLog index 4cf1f6703..a88b07919 100644 --- a/sm/ChangeLog +++ b/sm/ChangeLog @@ -1,3 +1,7 @@ +2009-07-30 Werner Koch + + * call-agent.c (learn_cb): Do not store as ephemeral. + 2009-07-29 Marcus Brinkmann * keylist.c (print_capabilities): Print a trailing colon. diff --git a/sm/call-agent.c b/sm/call-agent.c index 47e45aba3..190931f42 100644 --- a/sm/call-agent.c +++ b/sm/call-agent.c @@ -875,13 +875,11 @@ learn_cb (void *opaque, const void *buffer, size_t length) return 0; } + /* We do not store a certifciate with missing issuers as ephemeral + because we can assume that the --learn-card command has been used + on purpose. */ rc = gpgsm_basic_cert_check (parm->ctrl, cert); - if (gpg_err_code (rc) == GPG_ERR_MISSING_CERT) - { /* For later use we store it in the ephemeral database. */ - log_info ("issuer certificate missing - storing as ephemeral\n"); - keydb_store_cert (cert, 1, NULL); - } - else if (rc) + if (rc && gpg_err_code (rc) != GPG_ERR_MISSING_CERT) log_error ("invalid certificate: %s\n", gpg_strerror (rc)); else {