Python-GSSAPI provides both low-level and high level wrappers around
the GSSAPI C libraries. While it focuses on the Kerberos mechanism,
it should also be useable with other GSSAPI mechanisms.
Python-GSSAPI is composed of two parts: a low-level C-style API which
thinly wraps the underlying RFC 2744 methods, and a high-level,
Pythonic API (which is itself a wrapper around the low-level API).
Examples may be found in the examples directory.
The low-level API lives in gssapi.raw. The methods contained therein
are designed to match closely with the original GSSAPI C methods. All
relevant methods and classes may be imported directly from gssapi.raw.
Extension methods will only be imported if they are present.
The high-level API lives directly under gssapi. The classes contained
in each file are designed to provide a more Pythonic, Object-Oriented
view of GSSAPI. The exceptions from the low-level API, plus several
additional exceptions, live in gssapi.exceptions. The rest of the
classes may be imported directly from gssapi. Only classes are
exported by gssapi - all functions are methods of classes in the
high-level API.
2.033 2016/07/15
- support for session ticket reuse over multiple contexts and processes
(if supported by Net::SSLeay)
- small optimizations, like saving various Net::SSLeay constants into variables
and access variables instead of calling the constant sub all the time
- make t/dhe.t work with openssl 1.1.0
2.032 2016/07/12
- Set session id context only on the server side. Even if the documentation for
SSL_CTX_set_session_id_context makes clear that this function is server side
only it actually affects hndling of session reuse on the client side too and
can result in error "SSL3_GET_SERVER_HELLO:attempt to reuse session in
different context" at the client.
2.031 2016/07/08
- fix for bug in session handling introduced in 2.031, RT#115975
Thanks to paul[AT]city-fan[DOT]org for reporting
2.030 2016/07/08
- Utils::CERT_create - don't add given extensions again if they were already
added. Firefox croaks with sec_error_extension_value_invalid if (specific?)
extensions are given twice.
- assume that Net::SSLeay::P_PKCS12_load_file will return the CA certificates
with the reverse order as in the PKCS12 file, because that's what it does.
- support for creating ECC keys in Utils once supported by Net::SSLeay
- remove internal sub session_cache and access cache directly (faster)
Patches have been applied upstream.
Release notes:
* fixed crashing bugs handling errors and handle scope in the SFTPClient class
* added the SftpPoller user module
* force socket disconnect in case of a timeout error when trying to
close a file descriptor
* socket performance instrumentation supported in the SFTPClient class
* user modules moved to top-level qore module directory from
version-specific module directory since they are valid for multiple
versions of qore
* fixed a bug where a crash would result when attempting a connection and
libssh2 would not return any user authentication methods
* implemented an automatic disconnection when timeouts occur to avoid
dead connections
* fixed crashing bugs in the SFTPClient class handling disconnect events
when an sftp handle was open; the handle must be closed before the
socket connection is closed or a crash will result
* implemented the SFTPClient::retrieveFile() and SFTPClient::transferFile()
methods
* ported the SFTPClient class tests to QUnit and added tests for the
new methods
* ported test/sftp-poller.q to QUnit
* fixed a bug in socket handling related to asyncronous socket event polling
and select(2) and lack of socket descriptor bounds checking
(issue 714)
* requires Qore 0.8.12+ to build (uses the new QoreValue API)
- PERL5_MODULE_TYPE= Module::Build::Tiny
- Following package added on BUILD_DEPENDS for make test
p5-Moo>=1.001:../../devel/p5-Moo
(upstream)
- Updated security/p5-Data-SimplePassword to 0.11
-----------------------------------------------
0.10 Tue Dec 3 07:10:44 UTC 2013
* switched to Moo.
0.08 Tue Jun 25 03:03:11 UTC 2013
* added is_available_provider() method.
* added new type 'alpha' to rndpassword.
* improved some tests to reduce test time.
* added zsh completion sample file. (see extra/)
* switched to Minilla.
installation:
* Log the zone before triggering the "part->soamin" assert.
We've seen this fire with older versions, but it's a while
since I saw it happen. This is to provide more debugging info
should it fire.
* If an .ixfr journal file is detected as "corrupted", rename it
to <zone>.ixfr-bad instead of unlinking it, which would leave
no trace of OpenDNSSEC's own wrongdoing.
* If the signer is exposed, avoid a potential DoS vector with a
crafted message.
Bump PKGREVISION.
Noteworthy changes in version 1.7.2 (2016-07-14) [C21/A1/R2]
------------------------------------------------
* Bug fixes:
- Fix setting of the ECC cofactor if parameters are specified.
- Fix memory leak in the ECC code.
- Remove debug message about unsupported getrandom syscall.
- Fix build problems related to AVX use.
- Fix bus errors on ARM for Poly1305, ChaCha20, AES, and SHA-512.
* Internal changes:
- Improved fatal error message for wrong use of gcry_md_read.
- Disallow symmetric encryption/decryption if key is not set.
Noteworthy changes in version 2.1.14 (2016-07-14)
-------------------------------------------------
* gpg: Removed options --print-dane-records and --print-pka-records.
The new export options "export-pka" and "export-dane" can instead
be used with the export command.
* gpg: New options --import-filter and --export-filter.
* gpg: New import options "import-show" and "import-export".
* gpg: New option --no-keyring.
* gpg: New command --quick-revuid.
* gpg: New options -f/--recipient-file and -F/--hidden-recipient-file
to directly specify encryption keys.
* gpg: New option --mimemode to indicate that the content is a MIME
part. Does only enable --textmode right now.
* gpg: New option --rfc4880bis to allow experiments with proposed
changes to the current OpenPGP specs.
* gpg: Fix regression in the "fetch" sub-command of --card-edit.
* gpg: Fix regression since 2.1 in option --try-all-secrets.
* gpgv: Change default options for extra security.
* gpgsm: No more root certificates are installed by default.
* agent: "updatestartuptty" does now affect more environment
variables.
* scd: The option --homedir does now work with scdaemon.
* scd: Support some more GEMPlus card readers.
* gpgtar: Fix handling of '-' as file name.
* gpgtar: New commands --create and --extract.
* gpgconf: Tweak for --list-dirs to better support shell scripts.
* tools: Add programs gpg-wks-client and gpg-wks-server to implement
a Web Key Service. The configure option --enable-wks-tools is
required to build them; they should be considered Beta software.
* tests: Complete rework of the openpgp part of the test suite. The
test scripts have been changed from Bourne shell scripts to Scheme
programs. A customized scheme interpreter (gpgscm) is included.
This change was triggered by the need to run the test suite on
non-Unix platforms.
* The rendering of the man pages has been improved.
Add TEST_TARGET.
Noteworthy changes in version 2.4.3 (2016-07-14) [C7/A7/R3]
------------------------------------------------
* Allow socket redirection with assuan_socket_connect.
* Speedup spawning programs on Linux
* Fix minor memory leaks
* Portability fixes for Solaris and AIX.
Noteworthy changes in version 1.24 (2016-07-14) [C19/A19/R1)
-----------------------------------------------
* Fixes a bug in es_fclose_snatch when used used after es_fseek.
* Fixes building without thread support.
* New configure option --disable-tests.
unusual build errors shown by old gcc versions (works fine for
gcc-5.2.1 on ubuntu and gcc-5.3.0 on NetBSD 7.99.32)
+ use ULL suffix on unsigned 64bit constants, not UL
+ don't typedef the public structs twice - second time just define it
without the typedef
Fixes PR pkg/51327
+ 20160705 introduced a bug whereby a key subid would match and verify
fine, but, if formatted, would not display the correct subkey
information. Fix to show the correct information in this case.
External API changes
====================
+ add a pgpv_cursor_close() function to free resources associated with
a cursor
Better memory management
========================
+ restructure the way dynamic arrays are used, to avoid memory
corruption issues and memory leaks - keep all dynamic arrays in the global
data structure, and use indices in the other data structures to index them.
Means lack of data localisation, but avoids stale pointers, and leaks.
+ make signer field of signature a uint8_t array, rather than a pointer
+ use our own version of strdup(3) - don't depend on it being
available in standard library
+ keep track of whether litdata filenames and userid were allocated or not,
and free memory in pgpv_close() if it was allocated
+ free up allocated resources which were allocated in pgpv_close()
+ get rid of redundant PGPV_ARRAY definition in libverify.c, brought in when
the definitions moved from verify.h
+ fix obuf_add_mem() to use a const void *, as any struct can be
dumped using it
+ remove redundant NO_SUBKEYS definition - unused
+ add an (unused as yet) ARRAY_FREE() macro
+ make the pgpv_t and pgpv_cursor_t structures opaque
+ add new accessor functions for fields in the pgpv_cursor_t struct
+ add new creation functions for the pgpv_t and pgpv_cursor_t structs
2.3.6 - Security fix
* Correct a problem that prevents the DSA signing algorithm from
running in constant time even if the flag BN_FLG_CONSTTIME is set.
This issue was reported by Cesar Pereida (Aalto University), Billy
Brumley (Tampere University of Technology), and Yuval Yarom (The
University of Adelaide and NICTA). The fix was developed by Cesar
Pereida. See OpenBSD 5.9 errata 11, June 6, 2016
2.3.5 - Reliability fix
* Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.
2.3.4 - Security Update
* Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.
From OpenSSL.
* Minor build fixes
2.3.3 - OpenBSD 5.9 release branch tagged
* Reworked build scripts to better sync with OpenNTPD-portable
* Fixed broken manpage links
* Fixed an nginx compatibility issue by adding an 'install_sw' make alias
* Fixed HP-UX builds
* Changed the default configuration directory to c:\LibreSSL\ssl on Windows
binary builds
* cert.pem has been reorganized and synced with Mozilla's certificate store
2.3.2 - Compatibility and Reliability fixes
* Changed format of LIBRESSL_VERSION_NUMBER to match that of
OPENSSL_VERSION_NUMBER, see:
https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)
* Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD
construction introduced in RFC 7539, which is different than that
already used in TLS with EVP_aead_chacha20_poly1305()
* Avoid a potential undefined C99+ behavior due to shift overflow in
AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com>
* More man pages converted from pod to mdoc format
* Added COMODO RSA Certification Authority and QuoVadis
root certificates to cert.pem
* Removed Remove "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root
certificate from cert.pem
* Added support for building nc(1) on Solaris
* Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev
* Improved console handling with openssl(1) on Windows
* Ensure the network stack is enabled on Windows when running
tls_init()
* Fixed incorrect TLS certificate loading by nc(1)
* Added support for Solaris 11.3's getentropy(2) system call
* Enabled support for using NetBSD 7.0's arc4random(3) implementation
* Deprecated the SSL_OP_SINGLE_DH_USE flag by disabling its effect
* Fixes from OpenSSL 1.0.1q
- CVE-2015-3194 - NULL pointer dereference in client side certificate
validation.
- CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL
* The following OpenSSL CVEs did not apply to LibreSSL
- CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
squaring procedure.
- CVE-2015-3196 - Double free race condition of the identify hint
data.
See https://marc.info/?l=openbsd-announce&m=144925068504102
2.3.1 - ASN.1 and time handling cleanups
* ASN.1 cleanups and RFC5280 compliance fixes.
* Time representations switched from 'unsigned long' to 'time_t'. LibreSSL
now checks if the host OS supports 64-bit time_t.
* Fixed a leak in SSL_new in the error path.
* Support always extracting the peer cipher and version with libtls.
* Added ability to check certificate validity times with libtls,
tls_peer_cert_notbefore and tls_peer_cert_notafter.
* Changed tls_connect_servername to use the first address that resolves with
getaddrinfo().
* Remove broken conditional EVP_CHECK_DES_KEY code (non-functional since
initial commit in 2004).
* Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported
by Qualys Security.
* Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of
sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>.
* Reject too small bits value in BN_generate_prime_ex(), so that it does
not risk becoming negative in probable_prime_dh_safe(), reported by
Franck Denis.
* Enable nc(1) builds on more platforms.
2.3.0 - SSLv3 removed, libtls API changes, portability improvements
* SSLv3 is now permanently removed from the tree.
* The libtls API is changed from the 2.2.x series.
The read/write functions work correctly with external event
libraries. See the tls_init man page for examples of using libtls
correctly in asynchronous mode.
Client-side verification is now supported, with the client supplying
the certificate to the server.
Also, when using tls_connect_fds, tls_connect_socket or
tls_accept_fds, libtls no longer implicitly closes the passed in
sockets. The caller is responsible for closing them in this case.
* When loading a DSA key from an raw (without DH parameters) ASN.1
serialization, perform some consistency checks on its `p' and `q'
values, and return an error if the checks failed.
Thanks for Georgi Guninski (guninski at guninski dot com) for
mentioning the possibility of a weak (non prime) q value and
providing a test case.
See
https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
for a longer discussion.
* Fixed a bug in ECDH_compute_key that can lead to silent truncation
of the result key without error. A coding error could cause software
to use much shorter keys than intended.
* Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no
longer supported.
* The engine command and parameters are removed from the openssl(1).
Previous releases removed dynamic and builtin engine support
already.
* SHA-0 is removed, which was withdrawn shortly after publication 20
years ago.
* Added Certplus CA root certificate to the default cert.pem file.
* New interface OPENSSL_cpu_caps is provided that does not allow
software to inadvertently modify cpu capability flags.
OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.
* The out_len argument of AEAD changed from ssize_t to size_t.
* Deduplicated DTLS code, sharing bugfixes and improvements with
TLS.
* Converted 'nc' to use libtls for client and server operations; it is
included in the libressl-portable distribution as an example of how
to use the library.
+ Perform digest on correctly dash-escaped text, per RFC 4880.
Problem pointed out by Dimitri John Ledkov, fixed in a different way
(in case the last line is itself dash-escaped).
+ add test case
+ remove use of asprintf and vasprintf from libverify. Inspired
by work from Dimitri John Ledkov. Should allow building on Linux
without superfluous definitions.
+ also free the BIGNUM struct in PGPV_BN_clear() - from Dimitri
John Ledkov
2.029 2016/07/26
- fix del_session method in case a single item was in the cache
- use SSL_session_key as the real key for the cache and not some derivate of it,
so that it works to remove the entry using the same key
2.028 2016/07/26
- add del_session method to session cache
* Noteworthy changes in release 4.8 (released 2016-04-11) [stable]
- Fixes to avoid reliance on C undefined behavior.
- Fixes to avoid an infinite recursion when decoding without
the ASN1_DECODE_FLAG_STRICT_DER flag. Reported by Pascal Cuoq.
- Combined all the BER octet string decoding functions to a single
one based on asn1_decode_simple_ber().
* Noteworthy changes in release 4.7 (released 2015-09-14) [stable]
- Fixed regression introduced in the decoding of multi-byte tags
fix.
* Noteworthy changes in release 4.6 (released 2015-09-05) [stable]
- Allow decoding OCTET STRINGs with multi-byte tags.
- API and ABI changes since last version:
asn1_get_object_id_der: New function