release 0.2.14

NEWS

@@ -1,3 +1,19 @@
+Noteworthy changes in version 0.2.14
+------------------------------------
+
+    * Changed the internal handling of keyrings.
+
+    * Add support to list PGP 5 keyrings with supkeys
+
+    * Timestamps of signatures are now verified.
+
+    * A expiration time can now be specified during key generation.
+
+    * Some speedups for Blowfish and SHA-1, rewrote SHA-1 transform.
+      Reduced the amount of random bytes needed for key generation in
+      some cases.
+
+
 Noteworthy changes in version 0.2.13
 ------------------------------------
 

THANKS

@@ -7,6 +7,7 @@ exempt of errors.
 Anand Kumria		wildfire@progsoc.uts.edu.au
 Daniel Eisenbud 	eisenbud@cs.swarthmore.edu
 Detlef Lannert		lannert@lannert.rz.uni-duesseldorf.de
+Ed Boraas		ecxjo@esperanto.org
 Ernst Molitor		ernst.molitor@uni-bonn.de
 Hendrik Buschkamp	buschkamp@rheumanet.org
 James Troup		J.J.Troup@scm.brad.ac.uk
@@ -23,6 +24,7 @@ Walter Koch		walterk@ddorf.rhein-ruhr.de
 Werner Koch		werner.koch@guug.de
 Wim Vandeputte		bunbun@reptile.rug.ac.be
 
+
 Thanks to the German Unix User Group for providing FTP space and
 Martin Hamilton for hosting the mailing list.
 

TODO

@@ -2,7 +2,7 @@
     * improve iobuf by reading more than one byte at once,
       this shoud espceially done for the buffer in the chain.
       Change the buffering to a mbuf like scheme? Need it for PSST anyway.
-    * add a way to difference between errors and eof in the underflow/flush
+    * add a way to distinguish between errors and eof in the underflow/flush
       function of iobuf.
     * add checking of armor trailers
     * remove all "Fixmes"
@@ -38,7 +38,14 @@
 
     * remove key management stuff from sign.c.
 
-    * add fingerprint/keyid hashing. We need a new filed in PKC to
+    * add fingerprint/keyid hashing. We need a new field in PKC to
       flag that we may have a cached signature for this (and use the address
       of PKC to lookup the hash).
 
+    * change the misleading usage of public key certificate to public key data
+      or something like this.
+
+    * seckey_cert.c: merge all the check funtions into one.
+
+    * fix the problems with "\v" in gettext
+

VERSION

@@ -1 +1 @@
-0.2.13a
+0.2.14

checks/Makefile.am

@@ -8,7 +8,8 @@ TESTS = version.test decrypt.test clearsig.test armsigs.test \
 
 
 TEST_FILES = pubring.asc secring.asc gnupg.asc plain-1 plain-2 plain-3o.asc \
-	     plain-1.asc plain-2.asc plain-3.asc
+	     plain-1.asc plain-2.asc plain-3.asc \
+	     pubring.pkr.asc secring.skr.asc
 
 DATA_FILES = data-500 data-9000 data-32000 data-80000
 

cipher/ChangeLog

@@ -1,3 +1,7 @@
+Wed Apr  1 16:38:27 1998  Werner Koch  (wk@isil.d.shuttle.de)
+
+	* elgamla.c (elg_generate): Faster generation of x in some cases.
+
 Thu Mar 19 13:54:48 1998  Werner Koch  (wk@isil.d.shuttle.de)
 
 	* blowfish.c (blowfish_decode_cfb): changed XOR operation

cipher/Makefile.am

@@ -1,6 +1,6 @@
 ## Process this file with automake to produce Makefile.in
 
-INCLUDES =  -I$(top_srcdir)/include
+INCLUDES =  -I$(top_srcdir)/include -I$(top_srcdir)/intl -I../intl
 EXTRA_DIST = @CIPHER_EXTRA_DIST@
 
 noinst_LIBRARIES = libcipher.a

cipher/Makefile.in

@@ -92,7 +92,7 @@ VERSION = @VERSION@
 ZLIBS = @ZLIBS@
 l = @l@
 
-INCLUDES =  -I$(top_srcdir)/include
+INCLUDES =  -I$(top_srcdir)/include -I$(top_srcdir)/intl -I../intl
 EXTRA_DIST = @CIPHER_EXTRA_DIST@
 
 noinst_LIBRARIES = libcipher.a

cipher/elgamal.c

@@ -126,6 +126,7 @@ elg_generate( ELG_public_key *pk, ELG_secret_key *sk,
     MPI y;
     MPI temp;
     unsigned qbits;
+    byte *rndbuf;
 
     p_min1 = mpi_alloc( (nbits+BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB );
     temp   = mpi_alloc( (nbits+BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB );
@@ -145,22 +146,33 @@ elg_generate( ELG_public_key *pk, ELG_secret_key *sk,
     /* select a random number which has these properties:
      *	 0 < x < p-1
      * This must be a very good random number because this is the
-     * secret part.  The prime is public and may be shared anyware,
+     * secret part.  The prime is public and may be shared anyway,
-     * so a random generator level of 1 has been used for the prime
+     * so a random generator level of 1 is used for the prime.
      */
     x = mpi_alloc_secure( nbits/BITS_PER_MPI_LIMB );
     if( DBG_CIPHER )
 	log_debug("choosing a random x ");
+    rndbuf = NULL;
     do {
-	byte *rndbuf;
 	if( DBG_CIPHER )
 	    fputc('.', stderr);
+	if( rndbuf ) { /* change only some of the higher bits */
+	    if( nbits < 16 ) {/* should never happen ... */
+		m_free(rndbuf);
+		rndbuf = get_random_bits( nbits, 2, 1 );
+	    }
+	    else {
+		char *r = get_random_bits( 16, 2, 1 );
+		memcpy(rndbuf, r, 16 );
+		m_free(r);
+	    }
+	}
+	else
 	    rndbuf = get_random_bits( nbits, 2, 1 );
 	mpi_set_buffer( x, rndbuf, (nbits+7)/8, 0 );
-	m_free(rndbuf);
 	mpi_clear_highbit( x, nbits+1 );
-	log_mpidump("  x: ", x );
     } while( !( mpi_cmp_ui( x, 0 )>0 && mpi_cmp( x, p_min1 )<0 ) );
+    m_free(rndbuf);
 
     y = mpi_alloc(nbits/BITS_PER_MPI_LIMB);
     mpi_powm( y, g, x, p );

configure.in

@@ -99,9 +99,6 @@ dnl Checks for header files.
 AC_HEADER_STDC
 AC_CHECK_HEADERS(unistd.h)
 
-G10_LOCALEDIR="$g10_prefix/$DATADIRNAME/locale"
-AC_SUBST(G10_LOCALEDIR)
-AC_DEFINE_UNQUOTED(G10_LOCALEDIR, "$G10_LOCALEDIR")
 
 
 dnl Checks for typedefs, structures, and compiler characteristics.
@@ -210,6 +207,9 @@ AC_SUBST(CIPHER_EXTRA_OBJS)
 AC_SUBST(CIPHER_EXTRA_DIST)
 
 AM_GNU_GETTEXT
+G10_LOCALEDIR="$g10_prefix/$DATADIRNAME/locale"
+AC_SUBST(G10_LOCALEDIR)
+AC_DEFINE_UNQUOTED(G10_LOCALEDIR, "$G10_LOCALEDIR")
 WK_LINK_FILES($nls_cv_header_libgt, $nls_cv_header_intl )
 
 WK_DO_LINK_FILES

doc/Makefile.am

@@ -11,3 +11,23 @@ man_MANS = gpg.1
 		     >$@,$$$$ && mv -f $@,$$$$ $@\
 		    || rm -f $@,$$$$
 
+
+
+%.txt : %.sgml
+	 sgml2txt -c latin $*
+
+%.html : %.sgml
+	 sgml2html -l deutsch -c latin $*
+
+%.dvi : %.sgml
+	-rm $*.sgml.tmp
+	mv $*.sgml $*.sgml.tmp
+	sed -e '/<!entity/  s/"IGNORE">/"INCLUDE">/' $*.sgml.tmp >$*.sgml
+	sgml2latex -b -l deutsch -c latin $* ; mv $*.sgml.tmp $*.sgml
+
+%.ps : %.sgml
+	-rm $*.sgml.tmp
+	mv $*.sgml $*.sgml.tmp
+	sed -e '/<!entity/  s/"IGNORE">/"INCLUDE">/' $*.sgml.tmp >$*.sgml
+	sgml2latex -b -l deutsch -c latin -o ps $* ; mv $*.sgml.tmp $*.sgml
+

g10/ChangeLog

@@ -1,3 +1,24 @@
+Thu Apr  2 10:38:16 1998  Werner Koch  (wk@isil.d.shuttle.de)
+
+	* keygen.c (generate_keypair): Add valid_days stuff.
+	* trustdb.c (check_trust): Add check for valid_days.
+
+Wed Apr  1 16:15:58 1998  Werner Koch  (wk@isil.d.shuttle.de)
+
+	* keygen.c (generate_keypair): Addional question whether the
+	selected large keysize is really needed.
+
+Wed Apr  1 15:56:33 1998  Werner Koch  (wk@isil.d.shuttle.de)
+
+	* seckey-cert.c (protect_secret_key): merged protect_xxx to here.
+
+Wed Apr  1 10:34:46 1998  Werner Koch  (wk@isil.d.shuttle.de)
+
+	* Makefile.am (g10maint.c): Changed creation rule, so that it works
+	on FreeBSD (missing CFLAGS).
+
+	* parse-packet.c (parse_subkey): Removed.
+
 Thu Mar 19 15:22:36 1998  Werner Koch  (wk@isil.d.shuttle.de)
 
 	* ringedit.c (keyring_enum): Fixed problem with reading too

g10/Makefile.am

@@ -1,6 +1,6 @@
 ## Process this file with automake to produce Makefile.in
 
-INCLUDES = -I$(top_srcdir)/include
+INCLUDES = -I$(top_srcdir)/include -I$(top_srcdir)/intl -I../intl
 EXTRA_DIST = OPTIONS  pubring.asc
 OMIT_DEPENDENCIES = zlib.h zconf.h
 BUILT_SOURCES = g10maint.c
@@ -67,7 +67,7 @@ gpgm_SOURCES = g10maint.c   \
 LDADD = @INTLLIBS@ $(needed_libs) @ZLIBS@
 
 g10maint.c : g10.c
-	    $(CPP) $(DEFS) $(INCLUDES) -DIS_G10MAINT  $<  > $@ || rm $@
+	    $(CPP) $(CFLAGS) $(DEFS) $(INCLUDES) -DIS_G10MAINT $< > $@ || rm $@
 
 $(PROGRAMS): $(needed_libs)
 

g10/Makefile.in

@@ -92,7 +92,7 @@ VERSION = @VERSION@
 ZLIBS = @ZLIBS@
 l = @l@
 
-INCLUDES = -I$(top_srcdir)/include
+INCLUDES = -I$(top_srcdir)/include -I$(top_srcdir)/intl -I../intl
 EXTRA_DIST = OPTIONS  pubring.asc
 OMIT_DEPENDENCIES = zlib.h zconf.h
 BUILT_SOURCES = g10maint.c
@@ -404,7 +404,7 @@ maintainer-clean-generic clean mostlyclean distclean maintainer-clean
 
 
 g10maint.c : g10.c
-	    $(CPP) $(DEFS) $(INCLUDES) -DIS_G10MAINT  $<  > $@ || rm $@
+	    $(CPP) $(CFLAGS) $(DEFS) $(INCLUDES) -DIS_G10MAINT $< > $@ || rm $@
 
 $(PROGRAMS): $(needed_libs)
 

g10/armor.c

@@ -653,8 +653,6 @@ fake_packet( armor_filter_context_t *afx, IOBUF a,
     fhdr_state_t state = afx->parse_state;
     unsigned emplines = afx->empty;
 
-    size = 100; /* FIXME: only used for testing (remove it)  */
-
     len = 2;	/* reserve 2 bytes for the length header */
     size -= 3;	/* and 1 for empline handling and 2 for the term header */
     while( !rc && len < size ) {

g10/build-packet.c

@@ -267,31 +267,31 @@ do_secret_cert( IOBUF out, int ctb, PKT_secret_cert *skc )
 	mpi_write(a, skc->d.elg.p );
 	mpi_write(a, skc->d.elg.g );
 	mpi_write(a, skc->d.elg.y );
-	if( skc->d.elg.is_protected ) {
+	if( skc->is_protected ) {
 	    iobuf_put(a, 0xff );
-	    iobuf_put(a, skc->d.elg.protect.algo );
+	    iobuf_put(a, skc->protect.algo );
-	    iobuf_put(a, skc->d.elg.protect.s2k );
+	    iobuf_put(a, skc->protect.s2k );
-	    iobuf_put(a, skc->d.elg.protect.hash );
+	    iobuf_put(a, skc->protect.hash );
-	    if( skc->d.elg.protect.s2k == 1
+	    if( skc->protect.s2k == 1
-		|| skc->d.elg.protect.s2k == 3 )
+		|| skc->protect.s2k == 3 )
-		iobuf_write(a, skc->d.elg.protect.salt, 8 );
+		iobuf_write(a, skc->protect.salt, 8 );
-	    if( skc->d.elg.protect.s2k == 3 )
+	    if( skc->protect.s2k == 3 )
-		iobuf_put(a, skc->d.elg.protect.count );
+		iobuf_put(a, skc->protect.count );
-	    iobuf_write(a, skc->d.elg.protect.iv, 8 );
+	    iobuf_write(a, skc->protect.iv, 8 );
 	}
 	else
 	    iobuf_put(a, 0 );
 
 	mpi_write(a, skc->d.elg.x );
-	write_16(a, skc->d.elg.csum );
+	write_16(a, skc->csum );
     }
     else if( skc->pubkey_algo == PUBKEY_ALGO_RSA ) {
 	mpi_write(a, skc->d.rsa.rsa_n );
 	mpi_write(a, skc->d.rsa.rsa_e );
-	if( skc->d.rsa.is_protected ) {
+	if( skc->is_protected ) {
-	    assert( skc->d.rsa.protect_algo == CIPHER_ALGO_BLOWFISH );
+	    assert( skc->protect.algo == CIPHER_ALGO_BLOWFISH );
-	    iobuf_put(a, skc->d.rsa.protect_algo );
+	    iobuf_put(a, skc->protect.algo );
-	    iobuf_write(a, skc->d.rsa.protect.blowfish.iv, 8 );
+	    iobuf_write(a, skc->protect.iv, 8 );
 	}
 	else
 	    iobuf_put(a, 0 );
@@ -299,7 +299,7 @@ do_secret_cert( IOBUF out, int ctb, PKT_secret_cert *skc )
 	mpi_write(a, skc->d.rsa.rsa_p );
 	mpi_write(a, skc->d.rsa.rsa_q );
 	mpi_write(a, skc->d.rsa.rsa_u );
-	write_16(a, skc->d.rsa.csum );
+	write_16(a, skc->csum );
     }
     else {
 	rc = G10ERR_PUBKEY_ALGO;

g10/cipher.c

@@ -48,7 +48,7 @@ cipher_filter( void *opaque, int control,
     int rc=0;
 
     if( control == IOBUFCTRL_UNDERFLOW ) { /* decrypt */
-	rc = -1; /* FIXME:*/
+	rc = -1; /* not yet used */
     }
     else if( control == IOBUFCTRL_FLUSH ) { /* encrypt */
 	assert(a);

g10/compress.c

@@ -147,7 +147,7 @@ do_uncompress( compress_filter_context_t *zfx, z_stream *zs,
 	    log_debug("inflate returned: avail_in=%u, avail_out=%u, zrc=%d\n",
 		   (unsigned)zs->avail_in, (unsigned)zs->avail_out, zrc);
 	if( zrc == Z_STREAM_END )
-	    rc = -1; /* eof FIXME: return remaining bytes until EOF */
+	    rc = -1; /* eof */
 	else if( zrc != Z_OK ) {
 	    if( zs->msg )
 		log_fatal("zlib inflate problem: %s\n", zs->msg );

g10/g10.c

@@ -635,8 +635,10 @@ main( int argc, char **argv )
 	    /* reading data and passphrase form stdin:
 	     * we assume the first line is the passphrase, so
 	     * we better should read it now.
+	     *
+	     * We should do it here, but for now it is not needed.
+	     * Anyway, this password scheme is not quite good
 	     */
-	    /* FIXME: doit */
 	}
     }
 

g10/getkey.c

@@ -81,8 +81,6 @@ add_keyring( const char *name )
     STRLIST sl;
     int rc;
 
-    /* FIXME: check wether this one is available etc */
-    /* maybe we should do this later */
     if( *name != '/' ) { /* do tilde expansion etc */
 	char *p ;
 
@@ -101,7 +99,7 @@ add_keyring( const char *name )
     sl->next = keyrings;
     keyrings = sl;
 
-    /* FIXME: We should remove much out of this module and
+    /* fixme: We should remove much out of this module and
      * combine it with the keyblock stuff from ringedit.c
      * For now we will simple add the filename as keyblock resource
      */
@@ -131,8 +129,6 @@ add_secret_keyring( const char *name )
     STRLIST sl;
     int rc;
 
-    /* FIXME: check wether this one is available etc */
-    /* my be we should do this later */
     if( *name != '/' ) { /* do tilde expansion etc */
 	char *p ;
 
@@ -151,7 +147,7 @@ add_secret_keyring( const char *name )
     sl->next = secret_keyrings;
     secret_keyrings = sl;
 
-    /* FIXME: We should remove much out of this mpdule and
+    /* fixme: We should remove much out of this mpdule and
      * combine it with the keyblock stuff from ringedit.c
      * For now we will simple add the filename as keyblock resource
      */

g10/import.c

@@ -580,7 +580,7 @@ delete_inv_parts( const char *fname, KBNODE keyblock, u32 *keyid )
  *
  * o compare the signatures: If we already have this signature, check
  *   that they compare okay; if not, issue a warning and ask the user.
- *   FIXME: add the check, that we don` have duplicate signatures and the
+ *   FIXME: add the check, that we don't have duplicate signatures and the
  *   warning in cases that the old/new signatures don't match.
  * o Simply add the signature.	Can't verify here because we may not have
  *   the signatures public key yet; verification is done when putting it

g10/keygen.c

@@ -34,11 +34,6 @@
 #include "keydb.h"
 #include "i18n.h"
 
-#if 0
-  #define TEST_ALGO  1
-  #define TEST_NBITS 256
-  #define TEST_UID   "Karl Test"
-#endif
 
 #if defined(HAVE_RSA_CIPHER) && 0
   #define ENABLE_RSA_KEYGEN 1
@@ -136,7 +131,7 @@ write_selfsig( KBNODE root, KBNODE pub_root, PKT_secret_cert *skc )
 
 static int
 gen_elg(unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek,
-	byte *salt, PKT_secret_cert **ret_skc )
+	byte *salt, PKT_secret_cert **ret_skc, u16 valid_days )
 {
     int rc;
     int i;
@@ -152,7 +147,7 @@ gen_elg(unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek,
     skc = m_alloc_clear( sizeof *skc );
     pkc = m_alloc_clear( sizeof *pkc );
     skc->timestamp = pkc->timestamp = make_timestamp();
-    skc->valid_days = pkc->valid_days = 0; /* fixme: make it configurable*/
+    skc->valid_days = pkc->valid_days = valid_days;
     skc->pubkey_algo = pkc->pubkey_algo = PUBKEY_ALGO_ELGAMAL;
 		       pkc->d.elg.p = pk.p;
 		       pkc->d.elg.g = pk.g;
@@ -161,19 +156,19 @@ gen_elg(unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek,
     skc->d.elg.g = sk.g;
     skc->d.elg.y = sk.y;
     skc->d.elg.x = sk.x;
-    skc->d.elg.is_protected = 0;
+    skc->is_protected = 0;
-    skc->d.elg.protect.algo = 0;
+    skc->protect.algo = 0;
 
-    skc->d.elg.csum = checksum_mpi( skc->d.elg.x );
+    skc->csum = checksum_mpi( skc->d.elg.x );
     /* return an unprotected version of the skc */
     *ret_skc = copy_secret_cert( NULL, skc );
 
     if( dek ) {
-	skc->d.elg.protect.algo = CIPHER_ALGO_BLOWFISH;
+	skc->protect.algo = CIPHER_ALGO_BLOWFISH;
-	skc->d.elg.protect.s2k	= 1;
+	skc->protect.s2k  = 1;
-	skc->d.elg.protect.hash = DIGEST_ALGO_RMD160;
+	skc->protect.hash = DIGEST_ALGO_RMD160;
-	memcpy(skc->d.elg.protect.salt, salt, 8);
+	memcpy(skc->protect.salt, salt, 8);
-	randomize_buffer(skc->d.elg.protect.iv, 8, 1);
+	randomize_buffer(skc->protect.iv, 8, 1);
 	rc = protect_secret_key( skc, dek );
 	if( rc ) {
 	    log_error("protect_secret_key failed: %s\n", g10_errstr(rc) );
@@ -206,7 +201,7 @@ gen_elg(unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek,
 #ifdef ENABLE_RSA_KEYGEN
 static int
 gen_rsa(unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek,
-	byte *salt, PKT_secret_cert **ret_skc )
+	byte *salt, PKT_secret_cert **ret_skc, u16 valid_days )
 {
     int rc;
     PACKET *pkt;
@@ -220,7 +215,7 @@ gen_rsa(unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek,
     skc = m_alloc_clear( sizeof *skc );
     pkc = m_alloc_clear( sizeof *pkc );
     skc->timestamp = pkc->timestamp = make_timestamp();
-    skc->valid_days = pkc->valid_days = 0; /* fixme: make it configurable*/
+    skc->valid_days = pkc->valid_days = valid_days;
     skc->pubkey_algo = pkc->pubkey_algo = PUBKEY_ALGO_RSA;
 		       memset(&pkc->mfx, 0, sizeof pkc->mfx);
 		       pkc->d.rsa.rsa_n = pk.n;
@@ -270,13 +265,41 @@ gen_rsa(unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek,
 
 static int
 gen_dsa(unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek,
-	 byte *salt, PKT_secret_cert **ret_skc )
+	 byte *salt, PKT_secret_cert **ret_skc, u16 valid_days )
 {
     return G10ERR_GENERAL;
 }
 
 
 
+/****************
+ * check valid days:
+ * return 0 on error or the multiplier
+ */
+static int
+check_valid_days( const char *s )
+{
+    if( !isdigit(*s) )
+	return 0;
+    for( s++; *s; s++)
+	if( !isdigit(*s) )
+	    break;
+    if( !*s )
+	return 1;
+    if( s[1] )
+	return 0; /* e.g. "2323wc" */
+    if( *s == 'd' || *s == 'D' )
+	return 1;
+    if( *s == 'w' || *s == 'W' )
+	return 7;
+    if( *s == 'm' || *s == 'M' )
+	return 30;
+    if( *s == 'y' || *s == 'Y' )
+	return 365;
+    return 0;
+}
+
+
 /****************
  * Generate a keypair
  */
@@ -297,8 +320,8 @@ generate_keypair()
     int algo;
     const char *algo_name;
     char *aname, *acomment, *amail;
+    int valid_days=0;
 
-#ifndef TEST_ALGO
     if( opt.batch || opt.answer_yes || opt.answer_no ) {
 	log_error(_("Key generation can only be used in interactive mode\n"));
 	return;
@@ -310,12 +333,8 @@ generate_keypair()
   #ifdef ENABLE_RSA_KEYGEN
     tty_printf(_("   (3) RSA cannot be used in the U.S.\n"));
   #endif
-#endif
 
     for(;;) {
-      #ifdef TEST_ALGO
-	algo = TEST_ALGO;
-      #else
       #ifdef ENABLE_RSA_KEYGEN
 	answer = tty_get(_("Your selection? (1,2,3) "));
       #else
@@ -324,7 +343,6 @@ generate_keypair()
 	tty_kill_prompt();
 	algo = *answer? atoi(answer): 1;
 	m_free(answer);
-      #endif
 	if( algo == 1 ) {
 	    algo = PUBKEY_ALGO_ELGAMAL;
 	    algo_name = "ElGamal";
@@ -333,7 +351,7 @@ generate_keypair()
 	else if( algo == 2 ) {
 	    algo = PUBKEY_ALGO_DSA;
 	    algo_name = "DSA";
-	    tty_printf(_("Sorry; DSA is not yet supported.\n"));
+	    tty_printf(_("Sorry; DSA key generation is not yet supported.\n"));
 	}
       #ifdef ENABLE_RSA_KEYGEN
 	else if( algo == 3 ) {
@@ -351,14 +369,10 @@ generate_keypair()
 		 "              default keysize is 1024 bits\n"
 		 "    highest suggested keysize is 2048 bits\n"), algo_name );
     for(;;) {
-      #ifdef TEST_NBITS
-	nbits = TEST_NBITS;
-      #else
 	answer = tty_get(_("What keysize do you want? (1024) "));
 	tty_kill_prompt();
 	nbits = *answer? atoi(answer): 1024;
 	m_free(answer);
-      #endif
 	if( algo == PUBKEY_ALGO_DSA && (nbits < 512 || nbits > 1024) )
 	    tty_printf(_("DSA does only allow keysizes from 512 to 1024\n"));
 	else if( nbits < 768 )
@@ -377,6 +391,15 @@ generate_keypair()
 	    }
 	    m_free(answer);
 	}
+	else if( nbits > 1536 ) {
+	    answer = tty_get(_("Do you really need such a large keysize? "));
+	    tty_kill_prompt();
+	    if( answer_is_yes(answer) ) {
+		m_free(answer);
+		break;
+	    }
+	    m_free(answer);
+	}
 	else
 	    break;
     }
@@ -390,14 +413,53 @@ generate_keypair()
 	tty_printf(_("rounded up to %u bits\n"), nbits );
     }
 
-  #ifdef TEST_UID
+    tty_printf(_("Please specify how long the key should be valid.\n"
-    uid = m_alloc(strlen(TEST_UID)+1);
+		 "         0 = key does not expire\n"
-    strcpy(uid, TEST_UID);
+		 "      <n>  = key expires in n days\n"
-  #else
+		 "      <n>w = key expires in n weeks\n"
+		 "      <n>m = key expires in n months\n"
+		 "      <n>y = key expires in n years\n"));
+    answer = NULL;
+    for(;;) {
+	int mult;
+
+	m_free(answer);
+	answer = tty_get(_("Key is valid for? (0) "));
+	tty_kill_prompt();
+	trim_spaces(answer);
+	if( !*answer )
+	    valid_days = 0;
+	else if( (mult=check_valid_days(answer)) ) {
+	    valid_days = atoi(answer) * mult;
+	    if( valid_days < 0 || valid_days > 32767 )
+		valid_days = 0;
+	}
+	else {
+	    tty_printf(_("invalid value\n"));
+	    continue;
+	}
+
+	if( !valid_days )
+	    tty_printf(_("Key does not expire at all\n"));
+	else {
+	    tty_printf(_("Key expires at %s\n"), strtimestamp(
+		       add_days_to_timestamp( make_timestamp(), valid_days )));
+	}
+
+	m_free(answer);
+	answer = tty_get(_("Is this correct (y/n)? "));
+	tty_kill_prompt();
+	if( answer_is_yes(answer) )
+	    break;
+    }
+    m_free(answer);
+
+
+
     tty_printf( _("\n"
 "You need a User-ID to identify your key; the software constructs the user id\n"
 "from Real Name, Comment and Email Address in this form:\n"
-"    \"Heinrich Heine (Der Dichter) <heinrichh@uni-duesseldorf.de>\"\n\n") );
+"    \"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>\"\n\n") );
     uid = NULL;
     aname=acomment=amail=NULL;
     for(;;) {
@@ -469,6 +531,7 @@ generate_keypair()
 
 
 	tty_printf(_("You selected this USER-ID:\n    \"%s\"\n\n"), uid);
+	/* fixme: add a warning if this the user-id already exists */
 	for(;;) {
 	    answer = tty_get(_("Edit (N)ame, (C)omment, (E)mail or (O)kay? "));
 	    tty_kill_prompt();
@@ -499,7 +562,6 @@ generate_keypair()
 	    break;
 	m_free(uid); uid = NULL;
     }
-  #endif
 
 
     tty_printf(_("You need a Passphrase to protect your secret key.\n\n") );
@@ -555,13 +617,13 @@ generate_keypair()
 "number generator a better chance to gain enough entropy.\n") );
 
     if( algo == PUBKEY_ALGO_ELGAMAL )
-	rc = gen_elg(nbits, pub_root, sec_root, dek, salt,  &skc );
+	rc = gen_elg(nbits, pub_root, sec_root, dek, salt,  &skc, valid_days );
   #ifdef ENABLE_RSA_KEYGEN
     else if( algo == PUBKEY_ALGO_RSA )
-	rc = gen_rsa(nbits, pub_root, sec_root, dek, salt, &skc );
+	rc = gen_rsa(nbits, pub_root, sec_root, dek, salt, &skc, valid_days  );
   #endif
     else if( algo == PUBKEY_ALGO_DSA )
-	rc = gen_dsa(nbits, pub_root, sec_root, dek, salt, &skc );
+	rc = gen_dsa(nbits, pub_root, sec_root, dek, salt, &skc, valid_days  );
     else
 	BUG();
     if( !rc ) {
@@ -588,7 +650,6 @@ generate_keypair()
 	int rc2 = -1;
 
 	/* we can now write the certificates */
-	/* FIXME: should we check wether the user-id already exists? */
 
 	if( get_keyblock_handle( pub_fname, 0, &pub_kbpos ) ) {
 	    if( add_keyblock_resource( pub_fname, 1, 0 ) ) {

g10/keyid.c

@@ -115,16 +115,16 @@ elg_fingerprint_md( PKT_public_cert *pkc )
     unsigned nb1, nb3, nb4;
     unsigned n;
 
-    nb1 = mpi_get_nbits(pkc->d.dsa.p);
+    nb1 = mpi_get_nbits(pkc->d.elg.p);
-    p1 = buf1 = mpi_get_buffer( pkc->d.dsa.p, &n1, NULL );
+    p1 = buf1 = mpi_get_buffer( pkc->d.elg.p, &n1, NULL );
     for( ; !*p1 && n1; p1++, n1-- )  /* skip leading null bytes */
 	;
-    nb3 = mpi_get_nbits(pkc->d.dsa.g);
+    nb3 = mpi_get_nbits(pkc->d.elg.g);
-    p3 = buf3 = mpi_get_buffer( pkc->d.dsa.g, &n3, NULL );
+    p3 = buf3 = mpi_get_buffer( pkc->d.elg.g, &n3, NULL );
     for( ; !*p3 && n3; p3++, n3-- )
 	;
-    nb4 = mpi_get_nbits(pkc->d.dsa.y);
+    nb4 = mpi_get_nbits(pkc->d.elg.y);
-    p4 = buf4 = mpi_get_buffer( pkc->d.dsa.y, &n4, NULL );
+    p4 = buf4 = mpi_get_buffer( pkc->d.elg.y, &n4, NULL );
     for( ; !*p4 && n4; p4++, n4-- )
 	;
 

g10/keylist.c

@@ -111,19 +111,20 @@ list_one( const char *name )
     /* get the keyid from the keyblock */
     node = find_kbnode( keyblock, PKT_PUBLIC_CERT );
     if( !node ) {
-	log_error("Oops; public key not found anymore!\n");
+	log_error("Oops; public key lost!\n");
 	goto leave;
     }
 
     pkc = node->pkt->pkt.public_cert;
     keyid_from_pkc( pkc, keyid );
     if( opt.with_colons )
-	printf("pub::%u:%d:%08lX%08lX:%s:::",
+	printf("pub::%u:%d:%08lX%08lX:%s:%u:::",
 		/* fixme: add trust value here */
 		nbits_from_pkc( pkc ),
 		pkc->pubkey_algo,
 		(ulong)keyid[0],(ulong)keyid[1],
-		datestr_from_pkc( pkc )
+		datestr_from_pkc( pkc ),
+		(unsigned)pkc->valid_days
 		/* fixme: add LID and ownertrust here */
 					);
     else
@@ -136,7 +137,7 @@ list_one( const char *name )
 	if( node->pkt->pkttype == PKT_USER_ID ) {
 	    if( any ) {
 		if( opt.with_colons )
-		    printf("uid::::::::");
+		    printf("uid:::::::::");
 		else
 		    printf("uid%*s", 28, "");
 	    }
@@ -151,6 +152,34 @@ list_one( const char *name )
 		any = 1;
 	    }
 	}
+	else if( node->pkt->pkttype == PKT_PUBKEY_SUBCERT ) {
+	    u32 keyid2[2];
+	    PKT_public_cert *pkc2 = node->pkt->pkt.public_cert;
+
+	    if( !any ) {
+		putchar('\n');
+		if( opt.fingerprint )
+		    fingerprint( pkc ); /* of the main key */
+		any = 1;
+	    }
+
+	    keyid_from_pkc( pkc2, keyid2 );
+	    if( opt.with_colons )
+		printf("sub::%u:%d:%08lX%08lX:%s:%u:::\n",
+			/* fixme: add trust value here */
+			nbits_from_pkc( pkc2 ),
+			pkc2->pubkey_algo,
+			(ulong)keyid2[0],(ulong)keyid2[1],
+			datestr_from_pkc( pkc2 ),
+			(unsigned)pkc2->valid_days
+			/* fixme: add LID and ownertrust here */
+						);
+	    else
+		printf("sub  %4u%c/%08lX %s\n", nbits_from_pkc( pkc2 ),
+					   pubkey_letter( pkc2->pubkey_algo ),
+					   (ulong)keyid2[1],
+					   datestr_from_pkc( pkc2 ) );
+	}
 	else if( opt.list_sigs && node->pkt->pkttype == PKT_SIGNATURE ) {
 	    PKT_signature *sig = node->pkt->pkt.signature;
 	    int sigrc;
@@ -169,9 +198,11 @@ list_one( const char *name )
 		fputs("rev", stdout);
 	    else if( (sig->sig_class&~3) == 0x10 )
 		fputs("sig", stdout);
+	    else if( sig->sig_class == 0x18 )
+		fputs("sig", stdout);
 	    else {
 		if( opt.with_colons )
-		    printf("sig:::::::::%02x:\n",sig->sig_class );
+		    printf("sig::::::::::%02x:\n",sig->sig_class );
 		else
 		    printf("sig                             "
 		       "[unexpected signature class 0x%02x]\n",sig->sig_class );
@@ -195,7 +226,7 @@ list_one( const char *name )
 		putchar(':');
 		if( sigrc != ' ' )
 		    putchar(sigrc);
-		printf(":::%08lX%08lX:%s:::", (ulong)sig->keyid[0],
+		printf(":::%08lX%08lX:%s::::", (ulong)sig->keyid[0],
 			   (ulong)sig->keyid[1], datestr_from_sig(sig));
 	    }
 	    else
@@ -235,7 +266,7 @@ fingerprint( PKT_public_cert *pkc )
 
     p = array = fingerprint_from_pkc( pkc, &n );
     if( opt.with_colons ) {
-	printf("fpr::::::::");
+	printf("fpr:::::::::");
 	for(i=0; i < n ; i++, p++ )
 	    printf("%02X", *p );
 	putchar(':');

g10/mainproc.c

@@ -93,22 +93,6 @@ add_onepass_sig( CTX c, PACKET *pkt )
 }
 
 
-static int
-add_public_cert( CTX c, PACKET *pkt )
-{
-    release_list( c );
-    c->list = new_kbnode( pkt );
-    return 1;
-}
-
-static int
-add_secret_cert( CTX c, PACKET *pkt )
-{
-    release_list( c );
-    c->list = new_kbnode( pkt );
-    return 1;
-}
-
 
 static int
 add_user_id( CTX c, PACKET *pkt )
@@ -121,6 +105,17 @@ add_user_id( CTX c, PACKET *pkt )
     return 1;
 }
 
+static int
+add_subkey( CTX c, PACKET *pkt )
+{
+    if( !c->list ) {
+	log_error("subkey w/o mainkey\n" );
+	return 0;
+    }
+    add_kbnode( c->list, new_kbnode( pkt ) );
+    return 1;
+}
+
 
 static int
 add_signature( CTX c, PACKET *pkt )
@@ -309,30 +304,11 @@ do_check_sig( CTX c, KBNODE node )
 	    md = md_open( 0, 0 ); /* signature_check() will enable the md*/
     }
     else if( (sig->sig_class&~3) == 0x10
+	     || sig->sig_class == 0x18
 	     || sig->sig_class == 0x20
 	     || sig->sig_class == 0x30	) { /* classes 0x10..0x13,0x20,0x30 */
-	if( c->list->pkt->pkttype == PKT_PUBLIC_CERT ) {
+	if( c->list->pkt->pkttype == PKT_PUBLIC_CERT
-	  #if 0
+	    || c->list->pkt->pkttype == PKT_PUBKEY_SUBCERT ) {
-	    KBNODE n1;
-
-	    if( sig->sig_class == 0x20 ) {
-		md = md_open( algo, 0 );
-		hash_public_cert( md, c->list->pkt->pkt.public_cert );
-	    }
-	    else if( (n1=find_prev_kbnode( c->list, node, PKT_USER_ID )) ) {
-		md = md_open( algo, 0 );
-		hash_public_cert( md, c->list->pkt->pkt.public_cert );
-		if( sig->sig_class != 0x20 )
-		    md_write( md, n1->pkt->pkt.user_id->name,
-				  n1->pkt->pkt.user_id->len);
-	    }
-	    else {
-		log_error("invalid parent packet for sigclass %02x\n",
-							sig->sig_class);
-		return G10ERR_SIG_CLASS;
-	    }
-	  #endif
-
 	    return check_key_signature( c->list, node, NULL );
 	}
 	else {
@@ -374,7 +350,7 @@ print_fingerprint( PKT_public_cert *pkc, PKT_secret_cert *skc )
     p = array = skc? fingerprint_from_skc( skc, &n )
 		   : fingerprint_from_pkc( pkc, &n );
     if( opt.with_colons ) {
-	printf("fpr::::::::");
+	printf("fpr:::::::::");
 	for(i=0; i < n ; i++, p++ )
 	    printf("%02X", *p );
 	putchar(':');
@@ -409,26 +385,32 @@ static void
 list_node( CTX c, KBNODE node )
 {
     int any=0;
+    int mainkey;
 
     if( !node )
 	;
-    else if( node->pkt->pkttype == PKT_PUBLIC_CERT ) {
+    else if( (mainkey = (node->pkt->pkttype == PKT_PUBLIC_CERT) )
+	     || node->pkt->pkttype == PKT_PUBKEY_SUBCERT ) {
 	PKT_public_cert *pkc = node->pkt->pkt.public_cert;
 
 	if( opt.with_colons ) {
 	    u32 keyid[2];
 	    keyid_from_pkc( pkc, keyid );
-	    printf("pub::%u:%d:%08lX%08lX:%s:::",
+	    printf("%s::%u:%d:%08lX%08lX:%s:%u:::",
+		    mainkey? "pub":"sub",
 		    /* fixme: add trust value here */
 		    nbits_from_pkc( pkc ),
 		    pkc->pubkey_algo,
 		    (ulong)keyid[0],(ulong)keyid[1],
-		    datestr_from_pkc( pkc )
+		    datestr_from_pkc( pkc ),
+		    (unsigned)pkc->valid_days
 		    /* fixme: add LID and ownertrust here */
 					    );
 	}
 	else
-	    printf("pub  %4u%c/%08lX %s ", nbits_from_pkc( pkc ),
+	    printf("%s  %4u%c/%08lX %s ",
+				      mainkey? "pub":"sub",
+				      nbits_from_pkc( pkc ),
 				      pubkey_letter( pkc->pubkey_algo ),
 				      (ulong)keyid_from_pkc( pkc, NULL ),
 				      datestr_from_pkc( pkc )	  );
@@ -449,7 +431,7 @@ list_node( CTX c, KBNODE node )
 
 		if( any ) {
 		    if( opt.with_colons )
-			printf("uid::::::::");
+			printf("uid:::::::::");
 		    else
 			printf( "uid%*s", 28, "" );
 		}
@@ -467,14 +449,26 @@ list_node( CTX c, KBNODE node )
 		}
 		any=2;
 	    }
+	    else if( mainkey && node->pkt->pkttype == PKT_PUBKEY_SUBCERT ) {
+		if( !any ) {
+		    putchar('\n');
+		    any = 1;
 		}
-	if( any != 2 )
+		list_node(c,  node );
+	    }
+	}
+	if( any != 2 && mainkey )
 	    printf("ERROR: no user id!\n");
+	else if( any != 2 )
+	    putchar('\n');
     }
-    else if( node->pkt->pkttype == PKT_SECRET_CERT ) {
+    else if( (mainkey = (node->pkt->pkttype == PKT_SECRET_CERT) )
+	     || node->pkt->pkttype == PKT_SECKEY_SUBCERT ) {
 	PKT_secret_cert *skc = node->pkt->pkt.secret_cert;
 
-	printf("sec  %4u%c/%08lX %s ", nbits_from_skc( skc ),
+	printf("%s  %4u%c/%08lX %s ",
+				      mainkey? "sec":"ssb",
+				       nbits_from_skc( skc ),
 				      pubkey_letter( skc->pubkey_algo ),
 				      (ulong)keyid_from_skc( skc, NULL ),
 				      datestr_from_skc( skc )	);
@@ -486,8 +480,10 @@ list_node( CTX c, KBNODE node )
 		print_fingerprint( NULL, skc );
 	    any=1;
 	}
-	if( !any )
+	if( !any && mainkey )
 	    printf("ERROR: no user id!\n");
+	else if( !any )
+	    putchar('\n');
     }
     else if( node->pkt->pkttype == PKT_SIGNATURE  ) {
 	PKT_signature *sig = node->pkt->pkt.signature;
@@ -516,7 +512,7 @@ list_node( CTX c, KBNODE node )
 	    putchar(':');
 	    if( sigrc != ' ' )
 		putchar(sigrc);
-	    printf(":::%08lX%08lX:%s:::", (ulong)sig->keyid[0],
+	    printf(":::%08lX%08lX:%s::::", (ulong)sig->keyid[0],
 		       (ulong)sig->keyid[1], datestr_from_sig(sig));
 	}
 	else
@@ -638,8 +634,16 @@ do_proc_packets( CTX c, IOBUF a )
 	}
 	else {
 	    switch( pkt->pkttype ) {
-	      case PKT_PUBLIC_CERT: newpkt = add_public_cert( c, pkt ); break;
+	      case PKT_PUBLIC_CERT:
-	      case PKT_SECRET_CERT: newpkt = add_secret_cert( c, pkt ); break;
+	      case PKT_SECRET_CERT:
+		release_list( c );
+		c->list = new_kbnode( pkt );
+		newpkt = 1;
+		break;
+	      case PKT_PUBKEY_SUBCERT:
+	      case PKT_SECKEY_SUBCERT:
+		newpkt = add_subkey( c, pkt );
+		break;
 	      case PKT_USER_ID:     newpkt = add_user_id( c, pkt ); break;
 	      case PKT_SIGNATURE:   newpkt = add_signature( c, pkt ); break;
 	      case PKT_PUBKEY_ENC:  proc_pubkey_enc( c, pkt ); break;
@@ -730,7 +734,8 @@ proc_tree( CTX c, KBNODE node )
     if( opt.list_packets )
 	return;
 
-    if( node->pkt->pkttype == PKT_PUBLIC_CERT )
+    if( node->pkt->pkttype == PKT_PUBLIC_CERT
+	|| node->pkt->pkttype == PKT_PUBKEY_SUBCERT )
 	list_node( c, node );
     else if( node->pkt->pkttype == PKT_SECRET_CERT )
 	list_node( c, node );

g10/packet.h

@@ -130,15 +130,10 @@ typedef struct {
     byte    hdrbytes;	    /* number of header bytes */
     byte    version;
     byte    pubkey_algo;    /* algorithm used for public key scheme */
-    union {
+    byte is_protected;	/* The secret infos are protected and must */
-      struct {
+			/* be decrypteded before use, the protected */
-	MPI p;		    /* prime */
+			/* MPIs are simply (void*) pointers to memory */
-	MPI g;		    /* group generator */
+			/* and should never be passed to a mpi_xxx() */
-	MPI y;		    /* g^x mod p */
-	MPI x;		    /* secret exponent */
-	u16 csum;	    /* checksum */
-	byte is_protected;  /* The above infos are protected and must */
-			    /* be decrypteded before use. */
     struct {
 	byte algo;  /* cipher used to protect the secret informations*/
 	byte s2k;
@@ -146,8 +141,13 @@ typedef struct {
 	byte salt[8];
 	byte count;
 	byte iv[8]; /* initialization vector for CFB mode */
-	} protect;	    /* when protected, the MPIs above are pointers
+    } protect;
-			     * to plain storage */
+    union {
+      struct {
+	MPI p;		    /* prime */
+	MPI g;		    /* group generator */
+	MPI y;		    /* g^x mod p */
+	MPI x;		    /* secret exponent */
       } elg;
       struct {
 	MPI p;		    /* prime */
@@ -155,18 +155,6 @@ typedef struct {
 	MPI g;		    /* group generator */
 	MPI y;		    /* g^x mod p */
 	MPI x;		    /* secret exponent */
-	u16 csum;	    /* checksum */
-	byte is_protected;  /* The above infos are protected and must */
-			    /* be decrypteded before use. */
-	struct {
-	    byte algo;	/* cipher used to protect the secret informations*/
-	    byte s2k;
-	    byte hash;
-	    byte salt[8];
-	    byte count;
-	    byte iv[8]; /* initialization vector for CFB mode */
-	} protect;	    /* when protected, the MPIs above are pointers
-			     * to plain storage */
       } dsa;
       struct {
 	MPI rsa_n;	    /* public modulus */
@@ -175,19 +163,9 @@ typedef struct {
 	MPI rsa_p;	    /* secret first prime number */
 	MPI rsa_q;	    /* secret second prime number */
 	MPI rsa_u;	    /* secret multiplicative inverse */
-	u16 csum;	    /* checksum */
-	byte is_protected;  /* The above infos are protected and must */
-			    /* be decrypteded before use */
-	byte protect_algo;  /* cipher used to protect the secret informations*/
-	union { 	    /* information for the protection */
-	  struct {
-	    byte iv[8];     /* initialization vector for CFB mode */
-			    /* when protected, the MPIs above are pointers
-			     * to plain storage */
-	  } blowfish;
-	} protect;
       } rsa;
     } d;
+    u16 csum;		/* checksum */
 } PKT_secret_cert;
 
 

g10/parse-packet.c

@@ -52,7 +52,6 @@ static int  parse_certificate( IOBUF inp, int pkttype, unsigned long pktlen,
 				      byte *hdr, int hdrlen, PACKET *packet );
 static int  parse_user_id( IOBUF inp, int pkttype, unsigned long pktlen,
 							   PACKET *packet );
-static void parse_subkey( IOBUF inp, int pkttype, unsigned long pktlen );
 static int  parse_comment( IOBUF inp, int pkttype, unsigned long pktlen,
 							   PACKET *packet );
 static void parse_trust( IOBUF inp, int pkttype, unsigned long pktlen );
@@ -289,6 +288,7 @@ parse( IOBUF inp, PACKET *pkt, int reqtype, ulong *retpos,
     rc = G10ERR_UNKNOWN_PACKET; /* default error */
     switch( pkttype ) {
       case PKT_PUBLIC_CERT:
+      case PKT_PUBKEY_SUBCERT:
 	pkt->pkt.public_cert = m_alloc_clear(sizeof *pkt->pkt.public_cert );
 	rc = parse_certificate(inp, pkttype, pktlen, hdr, hdrlen, pkt );
 	break;
@@ -311,9 +311,6 @@ parse( IOBUF inp, PACKET *pkt, int reqtype, ulong *retpos,
       case PKT_USER_ID:
 	rc = parse_user_id(inp, pkttype, pktlen, pkt );
 	break;
-      case PKT_PUBKEY_SUBCERT:
-	parse_subkey(inp, pkttype, pktlen);
-	break;
       case PKT_COMMENT:
 	rc = parse_comment(inp, pkttype, pktlen, pkt);
 	break;
@@ -767,19 +764,37 @@ parse_certificate( IOBUF inp, int pkttype, unsigned long pktlen,
     int is_v4=0;
     int rc=0;
 
-
-    if( pktlen < 12 ) {
-	log_error("packet(%d) too short\n", pkttype);
-	goto leave;
-    }
     version = iobuf_get_noeof(inp); pktlen--;
-    if( version == 4 )
+    if( pkttype == PKT_PUBKEY_SUBCERT && version == '#' ) {
+	/* early versions of G10 use old comments packets; luckily all those
+	 * comments are started by a hash */
+	if( list_mode ) {
+	    printf(":old comment packet: \"" );
+	    for( ; pktlen; pktlen-- ) {
+		int c;
+		c = iobuf_get_noeof(inp);
+		if( c >= ' ' && c <= 'z' )
+		    putchar(c);
+		else
+		    printf("\\x%02x", c );
+	    }
+	    printf("\"\n");
+	}
+	skip_rest(inp, pktlen);
+	return 0;
+    }
+    else if( version == 4 )
 	is_v4=1;
     else if( version != 2 && version != 3 ) {
 	log_error("packet(%d) with unknown version %d\n", pkttype, version);
 	goto leave;
     }
 
+    if( pktlen < 11 ) {
+	log_error("packet(%d) too short\n", pkttype);
+	goto leave;
+    }
+
     timestamp = read_32(inp); pktlen -= 4;
     if( is_v4 )
 	valid_period = 0;
@@ -795,7 +810,7 @@ parse_certificate( IOBUF inp, int pkttype, unsigned long pktlen,
 		pkttype == PKT_PUBKEY_SUBCERT? "public sub" :
 		pkttype == PKT_SECKEY_SUBCERT? "secret sub" : "??",
 		version, timestamp, valid_period );
-    if( pkttype == PKT_SECRET_CERT )  {
+    if( pkttype == PKT_SECRET_CERT || pkttype == PKT_SECKEY_SUBCERT )  {
 	pkt->pkt.secret_cert->timestamp = timestamp;
 	pkt->pkt.secret_cert->valid_days = valid_period;
 	pkt->pkt.secret_cert->hdrbytes = hdrlen;
@@ -824,7 +839,7 @@ parse_certificate( IOBUF inp, int pkttype, unsigned long pktlen,
 	    mpi_print(stdout, elg_y, mpi_print_mode  );
 	    putchar('\n');
 	}
-	if( pkttype == PKT_PUBLIC_CERT ) {
+	if( pkttype == PKT_PUBLIC_CERT || pkttype == PKT_PUBKEY_SUBCERT ) {
 	    pkt->pkt.public_cert->d.elg.p = elg_p;
 	    pkt->pkt.public_cert->d.elg.g = elg_g;
 	    pkt->pkt.public_cert->d.elg.y = elg_y;
@@ -836,27 +851,27 @@ parse_certificate( IOBUF inp, int pkttype, unsigned long pktlen,
 	    pkt->pkt.secret_cert->d.elg.p = elg_p;
 	    pkt->pkt.secret_cert->d.elg.g = elg_g;
 	    pkt->pkt.secret_cert->d.elg.y = elg_y;
-	    cert->d.elg.protect.algo = iobuf_get_noeof(inp); pktlen--;
+	    cert->protect.algo = iobuf_get_noeof(inp); pktlen--;
-	    if( cert->d.elg.protect.algo ) {
+	    if( cert->protect.algo ) {
-		cert->d.elg.is_protected = 1;
+		cert->is_protected = 1;
-		cert->d.elg.protect.count = 0;
+		cert->protect.count = 0;
-		if( cert->d.elg.protect.algo == 255 ) {
+		if( cert->protect.algo == 255 ) {
 		    if( pktlen < 3 ) {
 			rc = G10ERR_INVALID_PACKET;
 			goto leave;
 		    }
-		    cert->d.elg.protect.algo = iobuf_get_noeof(inp); pktlen--;
+		    cert->protect.algo = iobuf_get_noeof(inp); pktlen--;
-		    cert->d.elg.protect.s2k  = iobuf_get_noeof(inp); pktlen--;
+		    cert->protect.s2k  = iobuf_get_noeof(inp); pktlen--;
-		    cert->d.elg.protect.hash = iobuf_get_noeof(inp); pktlen--;
+		    cert->protect.hash = iobuf_get_noeof(inp); pktlen--;
-		    switch( cert->d.elg.protect.s2k ) {
+		    switch( cert->protect.s2k ) {
 		      case 1:
 		      case 3:
 			for(i=0; i < 8 && pktlen; i++, pktlen-- )
 			    temp[i] = iobuf_get_noeof(inp);
-			memcpy(cert->d.elg.protect.salt, temp, 8 );
+			memcpy(cert->protect.salt, temp, 8 );
 			break;
 		    }
-		    switch( cert->d.elg.protect.s2k ) {
+		    switch( cert->protect.s2k ) {
 		      case 0: if( list_mode ) printf(  "\tsimple S2K" );
 			break;
 		      case 1: if( list_mode ) printf(  "\tsalted S2K" );
@@ -866,30 +881,30 @@ parse_certificate( IOBUF inp, int pkttype, unsigned long pktlen,
 		      default:
 			if( list_mode )
 			    printf(  "\tunknown S2K %d\n",
-						cert->d.elg.protect.s2k );
+						cert->protect.s2k );
 			rc = G10ERR_INVALID_PACKET;
 			goto leave;
 		    }
 
 		    if( list_mode ) {
 			printf(", algo: %d, hash: %d",
-					 cert->d.elg.protect.algo,
+					 cert->protect.algo,
-					 cert->d.elg.protect.hash );
+					 cert->protect.hash );
-			if( cert->d.elg.protect.s2k == 1
+			if( cert->protect.s2k == 1
-			    || cert->d.elg.protect.s2k == 3 ) {
+			    || cert->protect.s2k == 3 ) {
 			    printf(", salt: ");
 			    for(i=0; i < 8; i++ )
-				printf("%02x", cert->d.elg.protect.salt[i]);
+				printf("%02x", cert->protect.salt[i]);
 			}
 			putchar('\n');
 		    }
 
-		    if( cert->d.elg.protect.s2k == 3 ) {
+		    if( cert->protect.s2k == 3 ) {
 			if( !pktlen ) {
 			    rc = G10ERR_INVALID_PACKET;
 			    goto leave;
 			}
-			cert->d.elg.protect.count = iobuf_get_noeof(inp);
+			cert->protect.count = iobuf_get_noeof(inp);
 			pktlen--;
 		    }
 
@@ -897,12 +912,12 @@ parse_certificate( IOBUF inp, int pkttype, unsigned long pktlen,
 		else {
 		    if( list_mode )
 			printf(  "\tprotect algo: %d\n",
-						cert->d.elg.protect.algo);
+						cert->protect.algo);
 		    /* old version, we don't have a S2K, so we fake one */
-		    cert->d.elg.protect.s2k = 0;
+		    cert->protect.s2k = 0;
 		    /* We need this kludge to cope with old GNUPG versions */
-		    cert->d.elg.protect.hash =
+		    cert->protect.hash =
-			 cert->d.elg.protect.algo == CIPHER_ALGO_BLOWFISH?
+			 cert->protect.algo == CIPHER_ALGO_BLOWFISH?
 				      DIGEST_ALGO_RMD160 : DIGEST_ALGO_MD5;
 		}
 		if( pktlen < 8 ) {
@@ -917,20 +932,20 @@ parse_certificate( IOBUF inp, int pkttype, unsigned long pktlen,
 			printf(" %02x", temp[i] );
 		    putchar('\n');
 		}
-		memcpy(cert->d.elg.protect.iv, temp, 8 );
+		memcpy(cert->protect.iv, temp, 8 );
 	    }
 	    else
-		cert->d.elg.is_protected = 0;
+		cert->is_protected = 0;
 	    /* It does not make sense to read it into secure memory.
 	     * If the user is so careless, not to protect his secret key,
 	     * we can assume, that he operates an open system :=(.
 	     * So we put the key into secure memory when we unprotect him. */
 	    n = pktlen; cert->d.elg.x = mpi_read(inp, &n, 0 ); pktlen -=n;
 
-	    cert->d.elg.csum = read_16(inp); pktlen -= 2;
+	    cert->csum = read_16(inp); pktlen -= 2;
 	    if( list_mode ) {
 		printf("\t[secret value x is not shown]\n"
-		       "\tchecksum: %04hx\n", cert->d.elg.csum);
+		       "\tchecksum: %04hx\n", cert->csum);
 	    }
 	  /*log_mpidump("elg p=", cert->d.elg.p );
 	    log_mpidump("elg g=", cert->d.elg.g );
@@ -955,7 +970,7 @@ parse_certificate( IOBUF inp, int pkttype, unsigned long pktlen,
 	    mpi_print(stdout, dsa_y, mpi_print_mode  );
 	    putchar('\n');
 	}
-	if( pkttype == PKT_PUBLIC_CERT ) {
+	if( pkttype == PKT_PUBLIC_CERT || pkttype == PKT_PUBKEY_SUBCERT ) {
 	    pkt->pkt.public_cert->d.dsa.p = dsa_p;
 	    pkt->pkt.public_cert->d.dsa.q = dsa_q;
 	    pkt->pkt.public_cert->d.dsa.g = dsa_g;
@@ -969,27 +984,27 @@ parse_certificate( IOBUF inp, int pkttype, unsigned long pktlen,
 	    pkt->pkt.secret_cert->d.dsa.q = dsa_q;
 	    pkt->pkt.secret_cert->d.dsa.g = dsa_g;
 	    pkt->pkt.secret_cert->d.dsa.y = dsa_y;
-	    cert->d.dsa.protect.algo = iobuf_get_noeof(inp); pktlen--;
+	    cert->protect.algo = iobuf_get_noeof(inp); pktlen--;
-	    if( cert->d.dsa.protect.algo ) {
+	    if( cert->protect.algo ) {
-		cert->d.dsa.is_protected = 1;
+		cert->is_protected = 1;
-		cert->d.dsa.protect.count = 0;
+		cert->protect.count = 0;
-		if( cert->d.dsa.protect.algo == 255 ) {
+		if( cert->protect.algo == 255 ) {
 		    if( pktlen < 3 ) {
 			rc = G10ERR_INVALID_PACKET;
 			goto leave;
 		    }
-		    cert->d.dsa.protect.algo = iobuf_get_noeof(inp); pktlen--;
+		    cert->protect.algo = iobuf_get_noeof(inp); pktlen--;
-		    cert->d.dsa.protect.s2k  = iobuf_get_noeof(inp); pktlen--;
+		    cert->protect.s2k  = iobuf_get_noeof(inp); pktlen--;
-		    cert->d.dsa.protect.hash = iobuf_get_noeof(inp); pktlen--;
+		    cert->protect.hash = iobuf_get_noeof(inp); pktlen--;
-		    switch( cert->d.dsa.protect.s2k ) {
+		    switch( cert->protect.s2k ) {
 		      case 1:
 		      case 3:
 			for(i=0; i < 8 && pktlen; i++, pktlen-- )
 			    temp[i] = iobuf_get_noeof(inp);
-			memcpy(cert->d.dsa.protect.salt, temp, 8 );
+			memcpy(cert->protect.salt, temp, 8 );
 			break;
 		    }
-		    switch( cert->d.dsa.protect.s2k ) {
+		    switch( cert->protect.s2k ) {
 		      case 0: if( list_mode ) printf(  "\tsimple S2K" );
 			break;
 		      case 1: if( list_mode ) printf(  "\tsalted S2K" );
@@ -998,42 +1013,39 @@ parse_certificate( IOBUF inp, int pkttype, unsigned long pktlen,
 			break;
 		      default:
 			if( list_mode )
-			    printf(  "\tunknown S2K %d\n",
+			    printf(  "\tunknown S2K %d\n", cert->protect.s2k );
-						cert->d.dsa.protect.s2k );
 			rc = G10ERR_INVALID_PACKET;
 			goto leave;
 		    }
 
 		    if( list_mode ) {
 			printf(", algo: %d, hash: %d",
-					 cert->d.dsa.protect.algo,
+					 cert->protect.algo,
-					 cert->d.dsa.protect.hash );
+					 cert->protect.hash );
-			if( cert->d.dsa.protect.s2k == 1
+			if( cert->protect.s2k == 1 || cert->protect.s2k == 3 ){
-			    || cert->d.dsa.protect.s2k == 3 ) {
 			    printf(", salt: ");
 			    for(i=0; i < 8; i++ )
-				printf("%02x", cert->d.dsa.protect.salt[i]);
+				printf("%02x", cert->protect.salt[i]);
 			}
 			putchar('\n');
 		    }
 
-		    if( cert->d.dsa.protect.s2k == 3 ) {
+		    if( cert->protect.s2k == 3 ) {
 			if( !pktlen ) {
 			    rc = G10ERR_INVALID_PACKET;
 			    goto leave;
 			}
-			cert->d.dsa.protect.count = iobuf_get_noeof(inp);
+			cert->protect.count = iobuf_get_noeof(inp);
 			pktlen--;
 		    }
 
 		}
 		else {
 		    if( list_mode )
-			printf(  "\tprotect algo: %d\n",
+			printf(  "\tprotect algo: %d\n", cert->protect.algo);
-						cert->d.dsa.protect.algo);
 		    /* old version, we don't have a S2K, so we fake one */
-		    cert->d.dsa.protect.s2k = 0;
+		    cert->protect.s2k = 0;
-		    cert->d.dsa.protect.hash = DIGEST_ALGO_MD5;
+		    cert->protect.hash = DIGEST_ALGO_MD5;
 		}
 		if( pktlen < 8 ) {
 		    rc = G10ERR_INVALID_PACKET;
@@ -1047,20 +1059,20 @@ parse_certificate( IOBUF inp, int pkttype, unsigned long pktlen,
 			printf(" %02x", temp[i] );
 		    putchar('\n');
 		}
-		memcpy(cert->d.dsa.protect.iv, temp, 8 );
+		memcpy(cert->protect.iv, temp, 8 );
 	    }
 	    else
-		cert->d.dsa.is_protected = 0;
+		cert->is_protected = 0;
 	    /* It does not make sense to read it into secure memory.
 	     * If the user is so careless, not to protect his secret key,
 	     * we can assume, that he operates an open system :=(.
 	     * So we put the key into secure memory when we unprotect him. */
 	    n = pktlen; cert->d.dsa.x = mpi_read(inp, &n, 0 ); pktlen -=n;
 
-	    cert->d.dsa.csum = read_16(inp); pktlen -= 2;
+	    cert->csum = read_16(inp); pktlen -= 2;
 	    if( list_mode ) {
 		printf("\t[secret value x is not shown]\n"
-		       "\tchecksum: %04hx\n", cert->d.dsa.csum);
+		       "\tchecksum: %04hx\n", cert->csum);
 	    }
 	  /*log_mpidump("dsa p=", cert->d.dsa.p );
 	    log_mpidump("dsa q=", cert->d.dsa.q );
@@ -1081,7 +1093,7 @@ parse_certificate( IOBUF inp, int pkttype, unsigned long pktlen,
 	    mpi_print(stdout, rsa_pub_exp, mpi_print_mode  );
 	    putchar('\n');
 	}
-	if( pkttype == PKT_PUBLIC_CERT ) {
+	if( pkttype == PKT_PUBLIC_CERT || pkttype == PKT_PUBKEY_SUBCERT ) {
 	    pkt->pkt.public_cert->d.rsa.rsa_n = rsa_pub_mod;
 	    pkt->pkt.public_cert->d.rsa.rsa_e = rsa_pub_exp;
 	}
@@ -1091,11 +1103,11 @@ parse_certificate( IOBUF inp, int pkttype, unsigned long pktlen,
 
 	    pkt->pkt.secret_cert->d.rsa.rsa_n = rsa_pub_mod;
 	    pkt->pkt.secret_cert->d.rsa.rsa_e = rsa_pub_exp;
-	    cert->d.rsa.protect_algo = iobuf_get_noeof(inp); pktlen--;
+	    cert->protect.algo = iobuf_get_noeof(inp); pktlen--;
 	    if( list_mode )
-		printf(  "\tprotect algo: %d\n", cert->d.rsa.protect_algo);
+		printf(  "\tprotect algo: %d\n", cert->protect.algo);
-	    if( cert->d.rsa.protect_algo ) {
+	    if( cert->protect.algo ) {
-		cert->d.rsa.is_protected = 1;
+		cert->is_protected = 1;
 		for(i=0; i < 8 && pktlen; i++, pktlen-- )
 		    temp[i] = iobuf_get_noeof(inp);
 		if( list_mode ) {
@@ -1104,21 +1116,21 @@ parse_certificate( IOBUF inp, int pkttype, unsigned long pktlen,
 			printf(" %02x", temp[i] );
 		    putchar('\n');
 		}
-		if( cert->d.rsa.protect_algo == CIPHER_ALGO_BLOWFISH )
+		if( cert->protect.algo == CIPHER_ALGO_BLOWFISH )
-		    memcpy(cert->d.rsa.protect.blowfish.iv, temp, 8 );
+		    memcpy(cert->protect.iv, temp, 8 );
 	    }
 	    else
-		cert->d.rsa.is_protected = 0;
+		cert->is_protected = 0;
 	    /* (See comments at the code for elg keys) */
 	    n = pktlen; cert->d.rsa.rsa_d = mpi_read(inp, &n, 0 ); pktlen -=n;
 	    n = pktlen; cert->d.rsa.rsa_p = mpi_read(inp, &n, 0 ); pktlen -=n;
 	    n = pktlen; cert->d.rsa.rsa_q = mpi_read(inp, &n, 0 ); pktlen -=n;
 	    n = pktlen; cert->d.rsa.rsa_u = mpi_read(inp, &n, 0 ); pktlen -=n;
 
-	    cert->d.rsa.csum = read_16(inp); pktlen -= 2;
+	    cert->csum = read_16(inp); pktlen -= 2;
 	    if( list_mode ) {
 		printf("\t[secret values d,p,q,u are not shown]\n"
-		       "\tchecksum: %04hx\n", cert->d.rsa.csum);
+		       "\tchecksum: %04hx\n", cert->csum);
 	    }
 	 /* log_mpidump("rsa n=", cert->d.rsa.rsa_n );
 	    log_mpidump("rsa e=", cert->d.rsa.rsa_e );
@@ -1164,37 +1176,6 @@ parse_user_id( IOBUF inp, int pkttype, unsigned long pktlen, PACKET *packet )
 }
 
 
-static void
-parse_subkey( IOBUF inp, int pkttype, unsigned long pktlen )
-{
-    int version;
-
-    version = iobuf_get_noeof(inp); pktlen--;
-    if( pkttype == PKT_PUBKEY_SUBCERT && version == '#' ) {
-	/* early versions of G10 use old comments packets; luckily all those
-	 * comments are started by a hash */
-	if( list_mode ) {
-	    printf(":old comment packet: \"" );
-	    for( ; pktlen; pktlen-- ) {
-		int c;
-		c = iobuf_get_noeof(inp);
-		if( c >= ' ' && c <= 'z' )
-		    putchar(c);
-		else
-		    printf("\\x%02x", c );
-	    }
-	    printf("\"\n");
-	}
-	skip_rest(inp, pktlen);
-	return;
-    }
-
-    if( list_mode )
-	printf(":public subkey packet: \"" );
-    skip_rest(inp, pktlen);
-}
-
-
 
 static int
 parse_comment( IOBUF inp, int pkttype, unsigned long pktlen, PACKET *packet )

g10/pkclist.c

@@ -202,7 +202,7 @@ do_we_trust( PKT_public_cert *pkc, int trustlevel )
 	return do_we_trust( pkc, trustlevel );
 
       case TRUST_EXPIRED:
-	log_info("trust has expired: NOT yet implemented\n");
+	log_info("key has expired\n");
 	return 0; /* no */
 
       case TRUST_UNDEFINED:
@@ -215,11 +215,11 @@ do_we_trust( PKT_public_cert *pkc, int trustlevel )
 		if( rc )
 		    log_fatal("trust check after add_ownertrust failed: %s\n",
 							      g10_errstr(rc) );
-		/* FIXME: this is recursive; we better should unroll it */
+		/* fixme: this is recursive; we better should unroll it */
 		return do_we_trust( pkc, trustlevel );
 	    }
 	}
-	return 0; /* no FIXME: add "Proceed anyway?" */
+	return 0;
 
       case TRUST_NEVER:
 	log_info("We do NOT trust this key\n");

g10/revoke.c

@@ -89,7 +89,7 @@ gen_revoke( const char *uname )
 	goto leave;
     }
 
-    /* FIXME: should make a function out of this stuff,
+    /* fixme: should make a function out of this stuff,
      * it's used all over the source */
     skc = node->pkt->pkt.secret_cert;
     keyid_from_skc( skc, skc_keyid );

g10/ringedit.c

@@ -674,6 +674,7 @@ keyring_read( KBPOS *kbpos, KBNODE *ret_root )
 		rc = G10ERR_INV_KEYRING;
 		goto ready;
 	    }
+		log_info("read_keyblock: read error: %s\n", g10_errstr(rc) );
 	    kbpos->count++;
 	    free_packet( pkt );
 	    init_packet( pkt );

g10/seckey-cert.c

@@ -67,19 +67,18 @@ check_elg( PKT_secret_cert *cert )
     ELG_secret_key skey;
     char save_iv[8];
 
-    if( cert->d.elg.is_protected ) { /* remove the protection */
+    if( cert->is_protected ) { /* remove the protection */
 	DEK *dek = NULL;
 	MPI test_x;
 	BLOWFISH_context *blowfish_ctx=NULL;
 
-	switch( cert->d.elg.protect.algo ) {
+	switch( cert->protect.algo ) {
 	  case CIPHER_ALGO_NONE: BUG(); break;
 	  case CIPHER_ALGO_BLOWFISH:
 	    keyid_from_skc( cert, keyid );
-	    if( cert->d.elg.protect.s2k == 1
+	    if( cert->protect.s2k == 1 || cert->protect.s2k == 3 )
-		|| cert->d.elg.protect.s2k == 3 )
 		dek = get_passphrase_hash( keyid, NULL,
-						 cert->d.elg.protect.salt );
+						 cert->protect.salt );
 	    else
 		dek = get_passphrase_hash( keyid, NULL, NULL );
 
@@ -87,10 +86,9 @@ check_elg( PKT_secret_cert *cert )
 	    blowfish_setkey( blowfish_ctx, dek->key, dek->keylen );
 	    m_free(dek); /* pw is in secure memory, so m_free() burns it */
 	    blowfish_setiv( blowfish_ctx, NULL );
-	    memcpy(save_iv, cert->d.elg.protect.iv, 8 );
+	    memcpy(save_iv, cert->protect.iv, 8 );
-	    blowfish_decode_cfb( blowfish_ctx,
+	    blowfish_decode_cfb( blowfish_ctx, cert->protect.iv,
-				 cert->d.elg.protect.iv,
+					       cert->protect.iv, 8 );
-				 cert->d.elg.protect.iv, 8 );
 	    mpi_set_secure(cert->d.elg.x );
 	    /*fixme: maybe it is better to set the buffer secure with a
 	     * new get_buffer_secure() function */
@@ -103,9 +101,9 @@ check_elg( PKT_secret_cert *cert )
 	    m_free( buffer );
 	    m_free( blowfish_ctx );
 	    /* now let's see wether we have used the right passphrase */
-	    if( csum != cert->d.elg.csum ) {
+	    if( csum != cert->csum ) {
 		mpi_free(test_x);
-		memcpy( cert->d.elg.protect.iv, save_iv, 8 );
+		memcpy( cert->protect.iv, save_iv, 8 );
 		return G10ERR_BAD_PASS;
 	    }
 
@@ -117,16 +115,16 @@ check_elg( PKT_secret_cert *cert )
 	    memset( &skey, 0, sizeof skey );
 	    if( !res ) {
 		mpi_free(test_x);
-		memcpy( cert->d.elg.protect.iv, save_iv, 8 );
+		memcpy( cert->protect.iv, save_iv, 8 );
 		return G10ERR_BAD_PASS;
 	    }
 	    mpi_set(cert->d.elg.x, test_x);
 	    mpi_free(test_x);
-	    cert->d.elg.is_protected = 0;
+	    cert->is_protected = 0;
 	    break;
 
 	  default:
-	    return G10ERR_CIPHER_ALGO; /* unsupport protection algorithm */
+	    return G10ERR_CIPHER_ALGO; /* unsupported protection algorithm */
 	}
     }
     else { /* not protected */
@@ -134,7 +132,7 @@ check_elg( PKT_secret_cert *cert )
 	csum = checksum_u16( nbytes*8 );
 	csum += checksum( buffer, nbytes );
 	m_free( buffer );
-	if( csum != cert->d.elg.csum )
+	if( csum != cert->csum )
 	    return G10ERR_CHECKSUM;
     }
 
@@ -142,39 +140,6 @@ check_elg( PKT_secret_cert *cert )
 }
 
 
-static int
-protect_elg( PKT_secret_cert *cert, DEK *dek )
-{
-    byte *buffer;
-    unsigned nbytes;
-
-    if( !cert->d.elg.is_protected ) { /* add the protection */
-	BLOWFISH_context *blowfish_ctx=NULL;
-
-	switch( cert->d.elg.protect.algo ) {
-	  case CIPHER_ALGO_NONE: BUG(); break;
-	  case CIPHER_ALGO_BLOWFISH:
-	    blowfish_ctx = m_alloc_secure( sizeof *blowfish_ctx );
-	    blowfish_setkey( blowfish_ctx, dek->key, dek->keylen );
-	    blowfish_setiv( blowfish_ctx, NULL );
-	    blowfish_encode_cfb( blowfish_ctx,
-				 cert->d.elg.protect.iv,
-				 cert->d.elg.protect.iv, 8 );
-	    buffer = mpi_get_buffer( cert->d.elg.x, &nbytes, NULL );
-	    blowfish_encode_cfb( blowfish_ctx, buffer, buffer, nbytes );
-	    mpi_set_buffer( cert->d.elg.x, buffer, nbytes, 0 );
-	    m_free( buffer );
-	    m_free( blowfish_ctx );
-	    cert->d.elg.is_protected = 1;
-	    break;
-
-	  default:
-	    return G10ERR_CIPHER_ALGO; /* unsupport protection algorithm */
-	}
-    }
-    return 0;
-}
-
 static int
 check_dsa( PKT_secret_cert *cert )
 {
@@ -186,19 +151,18 @@ check_dsa( PKT_secret_cert *cert )
     DSA_secret_key skey;
     char save_iv[8];
 
-    if( cert->d.dsa.is_protected ) { /* remove the protection */
+    if( cert->is_protected ) { /* remove the protection */
 	DEK *dek = NULL;
 	MPI test_x;
 	BLOWFISH_context *blowfish_ctx=NULL;
 
-	switch( cert->d.dsa.protect.algo ) {
+	switch( cert->protect.algo ) {
 	  case CIPHER_ALGO_NONE: BUG(); break;
 	  case CIPHER_ALGO_BLOWFISH:
 	    keyid_from_skc( cert, keyid );
-	    if( cert->d.dsa.protect.s2k == 1
+	    if( cert->protect.s2k == 1 || cert->protect.s2k == 3 )
-		|| cert->d.dsa.protect.s2k == 3 )
 		dek = get_passphrase_hash( keyid, NULL,
-						 cert->d.dsa.protect.salt );
+						 cert->protect.salt );
 	    else
 		dek = get_passphrase_hash( keyid, NULL, NULL );
 
@@ -206,10 +170,10 @@ check_dsa( PKT_secret_cert *cert )
 	    blowfish_setkey( blowfish_ctx, dek->key, dek->keylen );
 	    m_free(dek); /* pw is in secure memory, so m_free() burns it */
 	    blowfish_setiv( blowfish_ctx, NULL );
-	    memcpy(save_iv, cert->d.dsa.protect.iv, 8 );
+	    memcpy(save_iv, cert->protect.iv, 8 );
 	    blowfish_decode_cfb( blowfish_ctx,
-				 cert->d.dsa.protect.iv,
+				 cert->protect.iv,
-				 cert->d.dsa.protect.iv, 8 );
+				 cert->protect.iv, 8 );
 	    mpi_set_secure(cert->d.dsa.x );
 	    /*fixme: maybe it is better to set the buffer secure with a
 	     * new get_buffer_secure() function */
@@ -222,9 +186,9 @@ check_dsa( PKT_secret_cert *cert )
 	    m_free( buffer );
 	    m_free( blowfish_ctx );
 	    /* now let's see wether we have used the right passphrase */
-	    if( csum != cert->d.dsa.csum ) {
+	    if( csum != cert->csum ) {
 		mpi_free(test_x);
-		memcpy( cert->d.dsa.protect.iv, save_iv, 8 );
+		memcpy( cert->protect.iv, save_iv, 8 );
 		return G10ERR_BAD_PASS;
 	    }
 
@@ -237,12 +201,12 @@ check_dsa( PKT_secret_cert *cert )
 	    memset( &skey, 0, sizeof skey );
 	    if( !res ) {
 		mpi_free(test_x);
-		memcpy( cert->d.dsa.protect.iv, save_iv, 8 );
+		memcpy( cert->protect.iv, save_iv, 8 );
 		return G10ERR_BAD_PASS;
 	    }
 	    mpi_set(cert->d.dsa.x, test_x);
 	    mpi_free(test_x);
-	    cert->d.dsa.is_protected = 0;
+	    cert->is_protected = 0;
 	    break;
 
 	  default:
@@ -254,7 +218,7 @@ check_dsa( PKT_secret_cert *cert )
 	csum = checksum_u16( nbytes*8 );
 	csum += checksum( buffer, nbytes );
 	m_free( buffer );
-	if( csum != cert->d.dsa.csum )
+	if( csum != cert->csum )
 	    return G10ERR_CHECKSUM;
     }
 
@@ -262,39 +226,6 @@ check_dsa( PKT_secret_cert *cert )
 }
 
 
-static int
-protect_dsa( PKT_secret_cert *cert, DEK *dek )
-{
-    byte *buffer;
-    unsigned nbytes;
-
-    if( !cert->d.dsa.is_protected ) { /* add the protection */
-	BLOWFISH_context *blowfish_ctx=NULL;
-
-	switch( cert->d.dsa.protect.algo ) {
-	  case CIPHER_ALGO_NONE: BUG(); break;
-	  case CIPHER_ALGO_BLOWFISH:
-	    blowfish_ctx = m_alloc_secure( sizeof *blowfish_ctx );
-	    blowfish_setkey( blowfish_ctx, dek->key, dek->keylen );
-	    blowfish_setiv( blowfish_ctx, NULL );
-	    blowfish_encode_cfb( blowfish_ctx,
-				 cert->d.dsa.protect.iv,
-				 cert->d.dsa.protect.iv, 8 );
-	    buffer = mpi_get_buffer( cert->d.dsa.x, &nbytes, NULL );
-	    blowfish_encode_cfb( blowfish_ctx, buffer, buffer, nbytes );
-	    mpi_set_buffer( cert->d.dsa.x, buffer, nbytes, 0 );
-	    m_free( buffer );
-	    m_free( blowfish_ctx );
-	    cert->d.dsa.is_protected = 1;
-	    break;
-
-	  default:
-	    return G10ERR_CIPHER_ALGO; /* unsupport protection algorithm */
-	}
-    }
-    return 0;
-}
-
 
 #ifdef HAVE_RSA_CIPHER
 static int
@@ -307,11 +238,11 @@ check_rsa( PKT_secret_cert *cert )
     u32 keyid[2];
     RSA_secret_key skey;
 
-    if( cert->d.rsa.is_protected ) { /* remove the protection */
+    if( cert->is_protected ) { /* remove the protection */
 	DEK *dek = NULL;
 	BLOWFISH_context *blowfish_ctx=NULL;
 
-	switch( cert->d.rsa.protect_algo ) {
+	switch( cert->protect.algo ) {
 	    /* FIXME: use test variables to check for the correct key */
 	  case CIPHER_ALGO_NONE: BUG(); break;
 	  case CIPHER_ALGO_BLOWFISH:
@@ -321,9 +252,8 @@ check_rsa( PKT_secret_cert *cert )
 	    blowfish_setkey( blowfish_ctx, dek->key, dek->keylen );
 	    m_free(dek); /* pw is in secure memory, so m_free() burns it */
 	    blowfish_setiv( blowfish_ctx, NULL );
-	    blowfish_decode_cfb( blowfish_ctx,
+	    blowfish_decode_cfb( blowfish_ctx, cert->protect.iv,
-				 cert->d.rsa.protect.blowfish.iv,
+					       cert->protect.iv, 8 );
-				 cert->d.rsa.protect.blowfish.iv, 8 );
 	    csum = 0;
 	    #define X(a) do { \
 		mpi_set_secure(cert->d.rsa.rsa_##a); \
@@ -339,10 +269,10 @@ check_rsa( PKT_secret_cert *cert )
 	    X(q);
 	    X(u);
 	    #undef X
-	    cert->d.rsa.is_protected = 0;
+	    cert->is_protected = 0;
 	    m_free( blowfish_ctx );
 	    /* now let's see wether we have used the right passphrase */
-	    if( csum != cert->d.rsa.csum )
+	    if( csum != cert->csum )
 		return G10ERR_BAD_PASS;
 
 	    skey.d = cert->d.rsa.rsa_d;
@@ -377,7 +307,7 @@ check_rsa( PKT_secret_cert *cert )
 	csum += checksum_u16( nbytes*8 );
 	csum += checksum( buffer, nbytes );
 	m_free( buffer );
-	if( csum != cert->d.rsa.csum )
+	if( csum != cert->csum )
 	    return G10ERR_CHECKSUM;
     }
 
@@ -424,16 +354,35 @@ check_secret_key( PKT_secret_cert *cert )
 int
 is_secret_key_protected( PKT_secret_cert *cert )
 {
-    if( cert->pubkey_algo == PUBKEY_ALGO_ELGAMAL )
+    return cert->is_protected? cert->protect.algo : 0;
-	return cert->d.elg.is_protected? cert->d.elg.protect.algo : 0;
+}
-    else if( cert->pubkey_algo == PUBKEY_ALGO_DSA )
+
-	return cert->d.dsa.is_protected? cert->d.dsa.protect.algo : 0;
+
-  #ifdef HAVE_RSA_CIPHER
+static int
-    else if( cert->pubkey_algo == PUBKEY_ALGO_RSA )
+do_protect( void (*fnc)(void *, byte *, byte *, unsigned),
-	return cert->d.rsa.is_protected? cert->d.rsa.protect_algo : 0;
+	    void *fncctx, PKT_secret_cert *cert )
-  #endif
+{
-    else
+    byte *buffer;
-	return -1; /* unsupported */
+    unsigned nbytes;
+
+    switch( cert->pubkey_algo ) {
+      case PUBKEY_ALGO_ELGAMAL:
+	buffer = mpi_get_buffer( cert->d.elg.x, &nbytes, NULL );
+	(*fnc)( fncctx, buffer, buffer, nbytes );
+	mpi_set_buffer( cert->d.elg.x, buffer, nbytes, 0 );
+	m_free( buffer );
+	break;
+
+      case PUBKEY_ALGO_DSA:
+	buffer = mpi_get_buffer( cert->d.dsa.x, &nbytes, NULL );
+	(*fnc)( fncctx, buffer, buffer, nbytes );
+	mpi_set_buffer( cert->d.dsa.x, buffer, nbytes, 0 );
+	m_free( buffer );
+	break;
+
+      default: return G10ERR_PUBKEY_ALGO;
+    }
+    return 0;
 }
 
 
@@ -443,14 +392,33 @@ is_secret_key_protected( PKT_secret_cert *cert )
 int
 protect_secret_key( PKT_secret_cert *cert, DEK *dek )
 {
+    int rc=0;
+
     if( !dek )
 	return 0;
 
-    if( cert->pubkey_algo == PUBKEY_ALGO_ELGAMAL )
+    if( !cert->is_protected ) { /* okay, apply the protection */
-	return protect_elg( cert, dek );
+	BLOWFISH_context *blowfish_ctx=NULL;
-    else if( cert->pubkey_algo == PUBKEY_ALGO_DSA )
+
-	return protect_dsa( cert, dek );
+	switch( cert->protect.algo ) {
-    else
+	  case CIPHER_ALGO_NONE: BUG(); break;
-	return G10ERR_PUBKEY_ALGO;
+	  case CIPHER_ALGO_BLOWFISH:
+	    blowfish_ctx = m_alloc_secure( sizeof *blowfish_ctx );
+	    blowfish_setkey( blowfish_ctx, dek->key, dek->keylen );
+	    blowfish_setiv( blowfish_ctx, NULL );
+	    blowfish_encode_cfb( blowfish_ctx, cert->protect.iv,
+					       cert->protect.iv, 8 );
+	    if( !do_protect( (void (*)(void*,byte*,byte*,unsigned))
+			     &blowfish_encode_cfb, blowfish_ctx, cert ) )
+		cert->is_protected = 1;
+	    m_free( blowfish_ctx );
+	    break;
+
+	  default:
+	    rc = G10ERR_CIPHER_ALGO; /* unsupport protection algorithm */
+	    break;
+	}
+    }
+    return rc;
 }
 

g10/sig-check.c

@@ -251,7 +251,6 @@ do_check( PKT_public_cert *pkc, PKT_signature *sig, MD_HANDLE digest )
 int
 check_key_signature( KBNODE root, KBNODE node, int *is_selfsig )
 {
-    KBNODE unode;
     MD_HANDLE md;
     PKT_public_cert *pkc;
     PKT_signature *sig;
@@ -283,8 +282,23 @@ check_key_signature( KBNODE root, KBNODE node, int *is_selfsig )
 	rc = do_check( pkc, sig, md );
 	md_close(md);
     }
+    else if( sig->sig_class == 0x18 ) {
+	KBNODE snode = find_prev_kbnode( root, node, PKT_PUBKEY_SUBCERT );
+
+	if( snode ) {
+	    md = md_open( algo, 0 );
+	    hash_public_cert( md, pkc );
+	    hash_public_cert( md, snode->pkt->pkt.public_cert );
+	    rc = do_check( pkc, sig, md );
+	    md_close(md);
+	}
 	else {
-	unode = find_prev_kbnode( root, node, PKT_USER_ID );
+	    log_error("no subkey for key signature packet\n");
+	    rc = G10ERR_SIG_CLASS;
+	}
+    }
+    else {
+	KBNODE unode = find_prev_kbnode( root, node, PKT_USER_ID );
 
 	if( unode ) {
 	    PKT_user_id *uid = unode->pkt->pkt.user_id;

g10/sign.c

@@ -57,7 +57,8 @@ complete_sig( PKT_signature *sig, PKT_secret_cert *skc, MD_HANDLE md )
     else
 	BUG();
 
-    /* fixme: should we check wether the signature is okay? */
+    /* fixme: should we check wether the signature is okay?
+     * maybe by using an option */
 
     return rc;
 }
@@ -1072,12 +1073,11 @@ change_passphrase( const char *username )
 		break;
 	    }
 	    else { /* okay */
-		/* FIXME: what about dsa */
+		skc->protect.algo = CIPHER_ALGO_BLOWFISH;
-		skc->d.elg.protect.algo = CIPHER_ALGO_BLOWFISH;
+		skc->protect.s2k  = 1;
-		skc->d.elg.protect.s2k	= 1;
+		skc->protect.hash = DIGEST_ALGO_RMD160;
-		skc->d.elg.protect.hash = DIGEST_ALGO_RMD160;
+		memcpy(skc->protect.salt, salt, 8);
-		memcpy(skc->d.elg.protect.salt, salt, 8);
+		randomize_buffer(skc->protect.iv, 8, 1);
-		randomize_buffer(skc->d.elg.protect.iv, 8, 1);
 		rc = protect_secret_key( skc, dek );
 		if( rc )
 		    log_error("protect_secret_key failed: %s\n", g10_errstr(rc) );

g10/signal.c

@@ -35,7 +35,7 @@
 #include "ttyio.h"
 
 
-
+#if 0
 static RETSIGTYPE
 print_and_exit( int sig )
 {
@@ -53,7 +53,7 @@ print_and_exit( int sig )
     secmem_term();
     exit(2); /* not correct but .. */
 }
-
+#endif
 
 void
 init_signals()

g10/trustdb.c

@@ -38,6 +38,7 @@
 #include "options.h"
 #include "packet.h"
 #include "main.h"
+#include "i18n.h"
 
 
 #define TRUST_RECORD_LEN 40
@@ -1708,6 +1709,7 @@ check_trust( PKT_public_cert *pkc, unsigned *r_trustlevel )
     TRUSTREC rec;
     unsigned trustlevel = TRUST_UNKNOWN;
     int rc=0;
+    int cur_time;
 
     if( DBG_TRUST )
 	log_info("check_trust() called.\n");
@@ -1736,17 +1738,26 @@ check_trust( PKT_public_cert *pkc, unsigned *r_trustlevel )
 				    pkc->local_id );
 	}
     }
-    if( pkc->timestamp > make_timestamp() ) {
+    cur_time = make_timestamp();
+    if( pkc->timestamp > cur_time ) {
 	log_info("public key created in future (time warp or clock problem)\n");
 	return G10ERR_TIME_CONFLICT;
     }
 
-
+    if( pkc->valid_days && add_days_to_timestamp(pkc->timestamp,
+						pkc->valid_days) < cur_time ) {
+	log_info(_("key expiration date is %s\n"), strtimestamp(
+				    add_days_to_timestamp(pkc->timestamp,
+							  pkc->valid_days)));
+	 trustlevel = TRUST_EXPIRED;
+    }
+    else {
 	rc = do_check( pkc->local_id, &rec, &trustlevel );
 	if( rc ) {
 	    log_error("check_trust: do_check failed: %s\n", g10_errstr(rc));
 	    return rc;
 	}
+    }
 
 
   leave:

po/de.po

@@ -45,6 +45,16 @@ msgstr ""
 "BENUTZEN SIE DIE DURCH DIESES PROGRAMM ERZEUGTEN DATEN NICHT!\n"
 "\n"
 
+
+#: g10/g10.c:214
+msgid ""
+"Syntax: gpgm [options] [files]\n"
+"GNUPG maintenance utility\n"
+msgstr ""
+"Syntax: gpgm [options] [files]\n"
+"GNUPG Wartungs Hilfsmittel\n"
+
+
 #: g10/g10.c:72
 msgid ""
 "Syntax: gpg [options] [files]\n"
@@ -55,18 +65,44 @@ msgstr ""
 "Signieren, prüfen, verschlüsseln, entschlüsseln\n"
 "Die voreingestellte Operation ist abhängig von den Eingabedaten\n"
 
+
 #: g10/g10.c:77
 msgid "Please report bugs to <gnupg-bugs@isil.d.shuttle.de>.\n"
 msgstr "Berichte über Wanzen bitte an <gnupg-bugs@isil.d.shuttle.de>.\n"
 
-#: g10/g10.c:116
+#: g10/g10.c:207
-msgid "Usage: g10 [options] "
+msgid "Usage: gpgm [options] [files] (-h for help)"
-msgstr "Aufruf: g10 [Opeionen] "
+msgstr "Aufruf: gpgm [Optionen] [Dateien] (-h für Hilfe)"
+
+#: g10/g10.c:209
+msgid "Usage: gpg [options] [files] (-h for help)"
+msgstr "Aufruf: gpg [Optionen] [Dateien] (-h für Hilfe)"
+
 
 #: g10/g10.c:152
 msgid "conflicting commands\n"
 msgstr "Widersprechende Kommandos\n"
 
+
+#: g10/g10.c:57
+msgid ""
+"\\vCommands:\n"
+" "
+msgstr ""
+"\\vKommandos:\n"
+" "
+
+#: g10/g10.c:92
+msgid ""
+"\\v\n"
+"Options:\n"
+" "
+msgstr ""
+"\\v\n"
+"Optionen:\n"
+" "
+
+
 #: g10/g10.c:164
 msgid "create ascii armored output"
 msgstr "Ausgabe mit ASCII Armor versehen"
@@ -80,7 +116,7 @@ msgid "set compress level (0 disables)"
 msgstr "Kompressionspegel sethen (aussschalten mit 0)"
 
 #: g10/g10.c:167
-msgid "don't make any changes"
+msgid "do not make any changes"
 msgstr "Keine wirklichen Änderungen durchführen"
 
 #: g10/g10.c:168
@@ -107,25 +143,25 @@ msgstr "\"Nein\" als Standard Antwort annehmen"
 msgid "generate a new key pair"
 msgstr "Ein neues Schlüsselpaar erzeugen"
 
-#: g10/g10.c:174
+#: g10/g10.c:76
-msgid "add key to the public keyring"
+msgid "remove key from the public keyring"
-msgstr ""
+msgstr "Schlüssel entfernen"
 
-#: g10/g10.c:175
+#: g10/g10.c:79
-msgid "remove key from public keyring"
+msgid "generate a revocation certificate"
-msgstr "Key entfernen"
+msgstr "Ein \"Revocation\" Zertifikat erzeugen"
 
 #: g10/g10.c:176
 msgid "make a signature on a key in the keyring"
-msgstr "key signieren"
+msgstr "Schlüssel signieren"
 
 #: g10/g10.c:177
 msgid "store only"
-msgstr ""
+msgstr "nur speichern"
 
 #: g10/g10.c:178
 msgid "check signatures on a key in the keyring"
-msgstr "  "
+msgstr "Schlüssel Signaturen prüfen"
 
 #: g10/g10.c:179
 msgid "add this keyring to the list of keyrings"
@@ -133,149 +169,264 @@ msgstr ""
 
 #: g10/g10.c:180
 msgid "make a signature"
-msgstr ""
+msgstr "Eine Signatur erzeugen"
+
+#: g10/g10.c:61
+msgid "make a clear text signature"
+msgstr "Eine Klartext Signatur erzeugen"
 
 #: g10/g10.c:181
 msgid "use canonical text mode"
-msgstr ""
+msgstr "Text Modus benutzen"
 
 #: g10/g10.c:182
 msgid "make a detached signature"
-msgstr ""
+msgstr "Eine abgetrennte Signatur erzeugen"
 
 #: g10/g10.c:183
 msgid "encrypt data"
-msgstr ""
+msgstr "Daten verschlüsseln"
+
+#: g10/g10.c:64
+msgid "encryption only with symmetric cipher"
+msgstr "Daten nur symmetrisch verschlüsseln"
 
 #: g10/g10.c:184
 msgid "decrypt data (default)"
-msgstr ""
+msgstr "Daten enschlüsseln"
+
+
+#: g10/g10.c:67
+msgid "verify a signature"
+msgstr "Signatur prüfen"
 
 #: g10/g10.c:185
 msgid "use this user-id to sign or decrypt"
-msgstr ""
+msgstr "Mit dieser User-ID signieren"
 
 #: g10/g10.c:186
 msgid "use this user-id for encryption"
-msgstr ""
+msgstr "Verschlüsseln für diese User-ID"
 
 #: g10/g10.c:187
 msgid "list keys"
-msgstr ""
+msgstr "Liste der Schlüssel"
+
+
+#: g10/g10.c:70
+msgid "list keys and signatures"
+msgstr "Liste der Schlüssel und deren Signaturen"
+
+#: g10/g10.c:71
+msgid "check key signatures"
+msgstr "Signaturen der Schlüssel prüfen"
+
+#: g10/g10.c:72
+msgid "list keys and fingerprints"
+msgstr "Liste der Schlüssel und deren \"Fingerprints\""
 
 #: g10/g10.c:188
 msgid "set debugging flags"
-msgstr ""
+msgstr "Debug-Flags einschalten"
 
 #: g10/g10.c:189
 msgid "enable full debugging"
-msgstr ""
+msgstr "Alle Debug-Flags einschalten"
-
-#: g10/g10.c:193
-msgid "show the fingerprints"
-msgstr ""
 
 #: g10/g10.c:194
 msgid "print all message digests"
-msgstr ""
+msgstr "Message-Digests für die Eingabedaten ausgeben"
 
 #: g10/g10.c:195
 msgid "add this secret keyring to the list"
-msgstr ""
+msgstr "Den geheimen Schlüsselring mitbenutzen"
 
 #: g10/g10.c:196
 msgid "read options from file"
-msgstr ""
+msgstr "Optionen aus der Datei lesen"
 
 #: g10/g10.c:199
 msgid "list only the sequence of packets"
-msgstr ""
+msgstr "Lediglich die Struktur der Daten Packete anzeigen"
 
 #: g10/g10.c:202
 msgid "edit a key signature"
-msgstr ""
+msgstr "Editieren de Schlüssel Signaturen"
 
 #: g10/g10.c:203
 msgid "change the passphrase of your secret keyring"
-msgstr ""
+msgstr "Die \"Passphrase\" des geheimen Schlüssels ändern"
 
 #: g10/g10.c:205
 msgid "select default cipher algorithm"
-msgstr ""
+msgstr "Den Cipher Algorithmus auswählen"
 
 #: g10/g10.c:206
 msgid "select default puplic key algorithm"
-msgstr ""
+msgstr "Den Public-Key Algorithmus auswählen"
 
 #: g10/g10.c:207
 msgid "select default message digest algorithm"
-msgstr ""
+msgstr "Den Message-Digest Algorithmus auswählen"
 
-#: g10/g10.c:208
-msgid "put public keys into the trustdb"
-msgstr ""
 
 #: g10/g10.c:212
 msgid "do not write comment packets"
-msgstr ""
+msgstr "Keine Kommentarpackete schreiben"
 
 #: g10/g10.c:213
 msgid "(default is 1)"
-msgstr ""
+msgstr "(voreingestellt ist 1)"
 
 #: g10/g10.c:214
 msgid "(default is 3)"
-msgstr ""
+msgstr "(voreingestellt ist 3)"
+
+#: g10/g10.c:81
+msgid "export keys"
+msgstr "Schlüssel exportieren"
+
+#: g10/g10.c:82
+msgid "import/merge keys"
+msgstr "Schlüssel importieren/kombinieren"
+
+#: g10/g10.c:85
+msgid "De-Armor a file or stdin"
+msgstr "\"De-Armor\" einer Datei oder stdin"
+
+#: g10/g10.c:86
+msgid "En-Armor a file or stdin"
+msgstr "\"En-Armor\" einer Datei oder stdin"
 
-#: g10/g10.c:215
-msgid "export all or the given keys"
-msgstr ""
 
 #: g10/g10.c:282
 msgid "note: no default option file '%s'\n"
-msgstr ""
+msgstr "Notiz: Keine voreingestellte Optionen Datei '%s' vorhanden\n"
 
 #: g10/g10.c:285
 msgid "option file '%s': %s\n"
-msgstr ""
+msgstr "Opionen Datei '%s': %s\n"
 
 #: g10/g10.c:290
 msgid "reading options from '%s'\n"
-msgstr ""
+msgstr "Optionen werden von '%s' gelesen\n"
 
 #: g10/g10.c:382
 msgid "selected cipher algorithm is invalid\n"
-msgstr ""
+msgstr "Der ausgewählte Cipher Algorithmus ist ungültig\n"
 
 #: g10/g10.c:386
 msgid "selected pubkey algorithm is invalid\n"
-msgstr ""
+msgstr "Der ausgewählte Public-Key Algorithmus ist ungültig\n"
 
 #: g10/g10.c:390
 msgid "selected digest algorithm is invalid\n"
-msgstr ""
+msgstr "Der ausgewählte Message-Digest Algorithmus ist ungültig\n"
 
 #: g10/g10.c:394
 msgid "completes-needed must be greater than 0\n"
-msgstr ""
+msgstr "completes-needed müßen größer als 0 sein\n"
 
 #: g10/g10.c:398
 msgid "marginals-needed must be greater than 1\n"
-msgstr ""
+msgstr "marginals-needed müßen größer als 1 sein\n"
 
 #: g10/g10.c:462
 msgid "failed to initialize the TrustDB: %s\n"
-msgstr ""
+msgstr "Die Trust-DB kann nicht initialisiert werden: %s\n"
 
 #: g10/g10.c:554 g10/g10.c:571 g10/g10.c:660
 msgid "can't open '%s'\n"
+msgstr "Datei '%s' kann nicht geöffnet werden\n"
+
+
+#: g10/g10.c:113
+msgid "write status info to this fd"
+msgstr "Status Informationen auf diesen FD schreiben"
+
+#: g10/g10.c:124
+msgid ""
+"\\v\n"
+"Examples:\n"
+"\n"
+" -se -r Bob [file]          sign and encrypt for user Bob\n"
+" -sat [file]                make a clear text signature\n"
+" -sb  [file]                make a detached signature\n"
+" -k   [userid]              show keys\n"
+" -kc  [userid]              show fingerprint\n"
 msgstr ""
+"\\v\n"
+"Beispiele:\n"
+"\n"
+" -se -r Bob [file]          Signieren und verschlüsseln für Benutzer Bob\n"
+" -sat [file]                Eine Klartext Signatur erzeugen\n"
+" -sb  [file]                Eine abgetrennte Signatur erzeugen\n"
+" -k   [userid]              Die Schllüssel anzeigen\n"
+" -kc  [userid]              Die \"Fingerprints\" anzeigen\n"
+
+
+
+#: g10/g10.c:666
+msgid "--store [filename]"
+msgstr "--store [Dateiname]"
+
+#. encrypt the given file only with the symmetric cipher
+#: g10/g10.c:674
+msgid "--symmetric [filename]"
+msgstr "--symmetric [Dateiname]"
+
+#: g10/g10.c:682
+msgid "--encrypt [filename]"
+msgstr "--encrypt [Dateiname]"
+
+#: g10/g10.c:695
+msgid "--sign [filename]"
+msgstr "--sign [Dateiname]"
+
+#: g10/g10.c:708
+msgid "--sign --encrypt [filename]"
+msgstr "--sign --encrypt [Dateiname]"
+
+#. make a clearsig
+#: g10/g10.c:722
+msgid "--clearsign [filename]"
+msgstr "--clearsign [Dateiname]"
+
+#: g10/g10.c:734
+msgid "--decrypt [filename]"
+msgstr "--decrypt [Dateiname]"
+
+#: g10/g10.c:742
+msgid "--sign-key username"
+msgstr "--sign-key Benutzername"
+
+#: g10/g10.c:750
+msgid "--edit-sig username"
+msgstr "--edit-sig Benutzername"
+
+#: g10/g10.c:758
+msgid "--delete-secret-key username"
+msgstr "--delete-secret-key Benutzername"
+
+#: g10/g10.c:761
+msgid "--delete-key username"
+msgstr "--delete-key Benutzername"
+
+#. no arg: use default, 1 arg use this one
+#: g10/g10.c:769
+msgid "--change-passphrase [username]"
+msgstr "--change-passphrase [Benutzername]"
+
+
+
 
 #: g10/pkclist.c:65
 msgid ""
 "No ownertrust defined for %lu:\n"
 "%4u%c/%08lX %s \""
 msgstr ""
+"Es ist kein \"Ownertrust\" für %lu definiert:\n"
+"%4u%c/%08lX %s \""
 
 #: g10/pkclist.c:72
 msgid ""
@@ -318,7 +469,7 @@ msgstr ""
 
 #: g10/pkclist.c:108
 msgid "You will see a list of signators etc. here\n"
-msgstr ""
+msgstr "Sie sollten hier eigentlich eine Liste der Signierer sehen.\n"
 
 #: g10/pkclist.c:132
 msgid ""
@@ -332,11 +483,11 @@ msgstr ""
 
 #: g10/keygen.c:109
 msgid "writing self signature\n"
-msgstr ""
+msgstr "Die Selbst-Signatur wird geschrieben\n"
 
 #: g10/keygen.c:299
 msgid "Key generation can only be used in interactive mode\n"
-msgstr ""
+msgstr "Die Schlüsselerzeugung kann nur im interaktiven Modus benutzt werden\n"
 
 #: g10/keygen.c:301
 msgid ""
@@ -344,22 +495,25 @@ msgid ""
 "   (1) ElGamal is the suggested one.\n"
 "   (2) DSA can only be used for signatures.\n"
 msgstr ""
+"Bitte wählen Sie den zu benutzenden Algorithmus aus:\n"
+"   (1) ElGamal wird empfohlen.\n"
+"   (2) DSA kann nur für Signaturen verwendet werden.\n"
 
 #: g10/keygen.c:305
 msgid "   (3) RSA cannot be used in the U.S.\n"
-msgstr ""
+msgstr "   (3) RSA darf in den USA nicht benutzt werden\n"
 
 #: g10/keygen.c:314
 msgid "Your selection? (1,2,3) "
-msgstr ""
+msgstr "Ihre Auswahl? (1,2,3) "
 
 #: g10/keygen.c:316
 msgid "Your selection? (1,2) "
-msgstr ""
+msgstr "Ihre Auswahl? (1,2) "
 
 #: g10/keygen.c:330
 msgid "Sorry; DSA is not yet supported.\n"
-msgstr ""
+msgstr "Pardon; DSA wird noch nicht unterstützt.\n"
 
 #: g10/keygen.c:343
 msgid ""
@@ -402,25 +556,25 @@ msgstr "Gut, aber bitte denken Sie auch daran, da
 
 #: g10/keygen.c:377
 msgid "Requested keysize is %u bits\n"
-msgstr ""
+msgstr "Die verlangte Schlüssellänge ist %u Bits\n"
 
 #: g10/keygen.c:380 g10/keygen.c:384
 msgid "rounded up to %u bits\n"
-msgstr ""
+msgstr "aufgerundet auf %u Bits\n"
 
 #: g10/keygen.c:391
 msgid ""
 "\n"
 "You need a User-ID to identify your key; the software constructs the user id\n"
 "from Real Name, Comment and Email Address in this form:\n"
-"    \"Heinrich Heine (Der Dichter) <heinrichh@uni-duesseldorf.de>\"\n"
+"    \"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>\"\n"
 "\n"
 msgstr ""
 "\n"
 "Sie benötigen einen User-ID um Ihren Schlüssel eindeutig zu machen; das\n"
 "Programm baut diese User-ID aus Ihrem echten Namen, einem Kommentar und\n"
 "Ihrer Email Adresse in dieser Form auf:\n"
-"    \"Heinrich Heine (Der Dichter) <heinrichh@uni-duesseldorf.de>\"\n"
+"    \"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>\"\n"
 "\n"
 
 
@@ -500,11 +654,11 @@ msgstr "\"passphrase\" nicht richtig wiederholt; noch einmal.\n"
 
 #: g10/keygen.c:531
 msgid "writing public certificate to '%s'\n"
-msgstr ""
+msgstr "schreiben des öffentlichen Schlüssels nach '%s'\n"
 
 #: g10/keygen.c:532
 msgid "writing secret certificate to '%s'\n"
-msgstr ""
+msgstr "schreiben des geheimen Schlüssels nach '%s'\n"
 
 #: g10/keygen.c:544
 msgid ""
@@ -523,4 +677,9 @@ msgstr "
 
 #: g10/keygen.c:622
 msgid "Key generation failed: %s\n"
-msgstr ""
+msgstr "Schlüssel-Erzeugung fehlgeschlagen: %s\n"
+
+
+
+
+

po/it.po

@@ -452,8 +452,8 @@ msgstr ""
 "\"\n"
 "\n"
 "Per favore decidi fino a quanto hai fiducia di questo utente perchè\n"
-firmi correttamente le chiavi di altri utenti (guardando il suo\n"
+"firmi correttamente le chiavi di altri utenti (guardando il suo\n"
-passaporto, controllando le impronte digitali da diverse fonti ...)?\n"
+"passaporto, controllando le impronte digitali da diverse fonti ...)?\n"
 "\n"
 " 1 = Non lo so\n"
 " 2 = NON mi fido\n"
@@ -474,8 +474,8 @@ msgid ""
 msgstr ""
 "È compito tuo assegnare qui un valore; questo valore non sarà mai esportato\n"
 "ad alcuna terza persona. Ci serve per implementare la ragnatela-di-fiducia;\n"
-"non ha nulla a che fare con la ragnatela-di-certificati (creata
+"non ha nulla a che fare con la ragnatela-di-certificati (creata"
-implicitamente).\n"
+"implicitamente).\n"
 
 #: g10/pkclist.c:108
 msgid "You will see a list of signators etc. here\n"
@@ -616,14 +616,14 @@ msgid ""
 "You need a User-ID to identify your key; the software constructs the user "
 "id\n"
 "from Real Name, Comment and Email Address in this form:\n"
-"    \"Heinrich Heine (Der Dichter) <heinrichh@uni-duesseldorf.de>\"\n"
+"    \"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>\"\n"
 "\n"
 msgstr ""
 "\n"
 "Ti serve un User ID per identificare la tua chiave; il software costruisce "
 "l'user id a partire da Nome e Cognome, Commento e Indirizzo di Email "
 "indicati in questo modulo:\n"
-"    \"Heinrich Heine (Der Dichter) <heinrichh@uni-duesseldorf.de>\"\n"
+"    \"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>\"\n"
 "\n"
 
 #: g10/keygen.c:409

tools/Makefile.am

@@ -1,6 +1,6 @@
 ## Process this file with automake to produce Makefile.in
 
-INCLUDES = -I$(top_srcdir)/include
+INCLUDES = -I$(top_srcdir)/include -I$(top_srcdir)/intl -I../intl
 needed_libs = ../cipher/libcipher.a  ../util/libutil.a ../mpi/libmpi.a ../util/libutil.a
 
 noinst_PROGRAMS = mpicalc bftest clean-sat

tools/Makefile.in

@@ -92,7 +92,7 @@ VERSION = @VERSION@
 ZLIBS = @ZLIBS@
 l = @l@
 
-INCLUDES = -I$(top_srcdir)/include
+INCLUDES = -I$(top_srcdir)/include -I$(top_srcdir)/intl -I../intl
 needed_libs = ../cipher/libcipher.a  ../util/libutil.a ../mpi/libmpi.a ../util/libutil.a
 
 noinst_PROGRAMS = mpicalc bftest clean-sat

util/Makefile.am

@@ -1,6 +1,6 @@
 ## Process this file with automake to produce Makefile.in
 
-INCLUDES = -I$(top_srcdir)/include
+INCLUDES = -I$(top_srcdir)/include -I$(top_srcdir)/intl -I../intl
 
 noinst_LIBRARIES = libutil.a
 

util/Makefile.in

@@ -92,7 +92,7 @@ VERSION = @VERSION@
 ZLIBS = @ZLIBS@
 l = @l@
 
-INCLUDES = -I$(top_srcdir)/include
+INCLUDES = -I$(top_srcdir)/include -I$(top_srcdir)/intl -I../intl
 
 noinst_LIBRARIES = libutil.a
 

util/miscutil.c

@@ -32,6 +32,24 @@ make_timestamp()
     return time(NULL);
 }
 
+u32
+add_days_to_timestamp( u32 stamp, u16 days )
+{
+    return stamp + days*86400L;
+}
+
+const char *
+strtimestamp( u32 stamp )
+{
+    static char buffer[11+5];
+    struct tm *tp;
+    time_t atime = stamp;
+
+    tp = gmtime( &atime );
+    sprintf(buffer,"%04d-%02d-%02d",
+		    1900+tp->tm_year, tp->tm_mon+1, tp->tm_mday );
+    return buffer;
+}
 
 /****************
  * Print a string to FP, but filter all control characters out.