-----------------------------------
- Improved SEQUENCE/SET/CHOICE decoding performance by maintaining a single shared
NamedType object for all instances of SEQUENCE/SET object.
- Improved INTEGER encoding/decoding by switching to Python's built-in
integer serialization functions.
- Improved BitString performance by rebasing it onto Python int type and leveraging
fast Integer serialization functions.
- BitString type usability improved in many ways: for example bitshifting and
numeric operation on BitString is now possible.
- Minor ObjectIdentifier type performance optimization.
- ASN.1 character types refactored to keep unicode contents internally
(rather than serialized octet stream) and duck-type it directly.
- ASN.1 OctetString initialized from a Python object performs bytes()
on it when running on Python 3 (used to do str() which is probably
less logical).
- Missing support for NoValue.__sizeof__ added.
- Added checks to make sure SEQUENCE/SET components being assigned
match the prototypes.
- Setter methods for constructed types consistently accept matchTags
and matchConstraints flags to control the strictness of inner
components compatibility verification. Previously, these checks
were tied to verifyConstraints flag, now they are all independent.
- General documentation improvements here and there.
- Fix to __reversed__() magic to make it returning an iterator.
- Test suite simplified and unified.
- The __all__ variable added to most of the Python modules.
- The "test" directory renamed into "tests" not to collide with
the "test" module.
--------------------------------------
2.09 2016.10.26
- Fix creation of keys in ecdsa, ed25519 key classes
- Update eg/pssh-keygen to create ecdsa, ed25519 keys
- Handle hostkeys-00@openssh.com global requests
- Add support for 'CheckHostIP' and 'UpdateHostKeys' config options
- Refactor handling of '+' syntax in options
- Key fingerprints now output sha256-base64 by default.
(md5 can be specified with FingerprintHash config option)
- Add id_ed25519, id_ecdsa to default identity files
- Documentation updates in Perl.pm to reflect new functionality in 2.XX
2.08 2016.10.14
- Use sha512 instead of md5 in Net::SSH::Perl::Cipher->new_from_key_str()
to provide ChachaPoly with enough key material
Tests in t/05-cipher.t should now pass on all platforms [ CPAN bug #114077 ]
- Add AES128_CBC to cipher tests
- Info on using features not enabled by default added to README
2.07 2016.10.13
- Fix blowfish compilation on SunOS [CPAN bug #116323]
- Fix bug in Packet [CPAN bug #118335]
- Add support for '+' syntax in MACs option
- Remove hmac-sha1 from default MACs. It can re-enabled
by passing the option: 'MACs +hmac-sha1'
2.06 2016.10.04
- Add support for additional fixed Diffie-Hellman 2K, 4K and 8K groups
from OpenSSH 7.3 (draft-ietf-curdle-ssh-kex-sha2-03)
- Kex defaults now updated to draft-ietf-curdle-ssh-kex-sha2-03
recommendations (diffie-hellman-group-exchange-sha1 removed)
It can re-enabled by passing the option:
'KexAlgorithms +diffie-hellman-group-exchange-sha1'
2.05 2016.10.03
- Add support for '+' syntax in Ciphers, KexAlgorithms, HostKeyAlgorithms
options as in OpenSSH
2.04 2016.05.11
- Add ECDSA key support
- Improve extract_public() in Key.pm inspired by
https://github.com/renormalist/Net-SSH-Perl/pull/12
but implement comment with backwards compat with RSA/DSA datafellows
- Fix XS from being loaded more than once (warnings from Net::SFTP)
2.03 2016.05.06
- Fixes so that "make test" passes
2.02 2016.05.04
- Use CryptX to further reduce module depedencies
This eliminates the need for:
Math::Pari
Crypt::DH
Crypt::RSA
Crypt::DSA
Crypt::DES
Crypt::Blowfish
MIME::Base64
- Add support for rsa-sha2-512,rsa-sha2-256 signing with RSA keys
- Implement HashKnownHosts, KexAlgorithms, MACs config directives
- Add XS code for Chacha20, BSD Blowfish, Ed25519 routines
- Properly handle and create known_hosts entries when port is specified
- Remove obsolete ciphers, MACs, Kex from default list to duplicate
upcoming OpenSSH behavior
- Bug fixes
2.01 2016.02.19
- Use CryptX to reduce module depedencies
This eliminates the need for:
BSD::arc4random
Digest::MD5
Digest::SHA
Digest::HMAC_MD5
Crypt::OpenSSL::AES
2.00 2015.12.07
- Add Chacha20-Poly1305 cipher support for best security
(Requires Crypt::OpenSSH::ChachaPoly, see README)
- Add AES Cipher support in CTR mode (CBC mode supported in Ed25519
keys only)
- Add Group Exchange (RFC4523) Diffie-Hellman Key Exchange
- Add Curve25519 (curve25519-sha256@libssh.org) Key Exchange support
(Requires Crypt::Curve25519)
- Add hmac-sha2-256,hmac-sha2-512 MAC support
- Add hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
Encrypt-then-MAC (ETM) MAC support
- Use BSD::arc4random for encrypted packet padding
- Add support for Ed25519 ssh/host keys (Requires Crypt::Ed25519)
Encrypted Ed25519 key support requires Crypt::OpenBSD::Blowfish
(See README for info)
- Default ciphers order is now chacha,aes,3des,blowfish,arcfour
- Default KEX order is now Curve25519, DHGEXSHA256, DHGEXSHA1, DH14, DH1
- Default MAC order is now hmac-sha2-512-etm@openssh.com,
hmac-sha2-256-etm@openssh.com, sha2-512, sha2-256, sha1, md5
- SSH Keys can now be in DOS format (no need to remove CR/LF)
- SOCKS proxy support via sub class Net::SSH:Perl::Proxy
- Now does not abort due to OpenSSH 6.8+ server
SSH2_MSG_GLOBAL_REQUEST messages for host key rotation
(pkgsrc changes)
- Adjust DEPENDS base upon above note (p5-CryptX related)
0.13.0 - 2017-04-06
Added
- --debug-challenges pauses Certbot after setting up challenges for
debugging.
- The Nginx parser can handle all valid directives in configuration
files.
- Nginx ciphersuites changed to Mozilla Intermediate.
- certbot-auto --no-bootstrap won't install OS dependencies.
Fixed
- --register-unsafely-without-email respects --quiet.
- Hyphenated renewalparams are now saved in renewal config files.
- --dry-run no longer persists keys and csrs.
- No longer hangs when trying to start Nginx in Arch Linux.
- Apache rewrite rules no longer double-encode characters.
0.12.0 - 2017-03-02
Added
- Allow non-camelcase Apache VirtualHost names
- Allow more log messages to be silenced
Fixed
- Fix a regression around using --cert-name when getting new
certificates
----------------------------------
2015-11-19 author <author@debian>
* README: Release 1.4.14
* PCSC.xs: Update copyright date
* PCSC.xs: _StringifyError(): cast Error in a (DWORD)
On Mac OS X El Capitan (at least) the value is extended to 64 bits and
is then wrong.
We get 0xFFFFFFFF80100068 instead of 0x80100068 and all the error codes
are all converted to the default error: "Unknown (reader specific ?) error..."
---------------------------------------------
changes from 0.07 to 0.08
=========================
* updated Makefile.PL to reflect changes in default @INC handling v5.25+.
* fleshed README with documentation
* added README.md for GitHub
* updated to 'Nil' license
---------------------------------------------
0.26 2015-12-08 Mike McCauley
- pass CFLAGS and CPPFLAGS explicitly in the subdirectory to get all
hardening flags, Patch from Florian Schlichting.
2.0.2 (2017-03-19)
------------------
* Dropped support for Python 2.6, 3.2 & 3.3.
* (FIX) `OpenIDConnector` will no longer raise an AttributeError when calling `openid_authorization_validator()` twice.
1.81
Patch from Alexander Bluhm to enable RSA_get_key_parameters with
LibreSSL. Again.
Fixed memory leak in X509_get_subjectAltNames. Reported and patched by Jim Westfall.
Added . to lib path in Makefile.PL to accommodate people who are using a perl with -Ddefault_inc_excludes_dot.
Fixed build failure if engine support not present. Patch from Paul Green.
Improvements to get_my_thread_id to work around possibility of ERRSV not being defined eg on OpenWRT.
BearSSL is an implementation of the SSL/TLS protocol (RFC 5246)
written in C. It aims at offering the following features:
* Be correct and secure. In particular, insecure protocol versions
and choices of algorithms are not supported, by design;
cryptographic algorithm implementations are constant-time by
default.
* Be small, both in RAM and code footprint. For instance, a minimal
server implementation may fit in about 20 kilobytes of compiled
code and 25 kilobytes of RAM.
* Be highly portable. BearSSL targets not only "big" operating
systems like Linux and Windows, but also small embedded systems
and even special contexts like bootstrap code.
* Be feature-rich and extensible. SSL/TLS has many defined cipher
suites and extensions; BearSSL should implement most of them,
and allow extra algorithm implementations to be added afterwards,
possibly from third parties.
bearssl is considered alpha-quality software, which means that it
runs but it probably has bugs, some of which being certainly
exploitable vulnerabilities.
A library was removed; recursive bump will follow soon.
Noteworthy changes in version 1.8.0 (2016-11-16)
------------------------------------------------
* The module of the Python bindings has been renamed to 'gpg'.
* New interface to query current software versions.
* New feature to use gpg's --{show,override}session-key options.
* New interface to set the sender of a mail.
* qt: Added Distinguished Name parser from libkleo
* The --homedir option is now used with recent gpgconf versions.
* On 64 bit Windows systems gpgconf is now properly located.
* The internal locking functions have been replaced by libgpg-error
locking functions.
* Interface changes relative to the 1.7.1 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gpgme_set_sender NEW.
gpgme_get_sender NEW.
gpgme_op_query_swdb NEW.
gpgme_op_query_swdb_result NEW.
gpgme_query_swdb_result_t NEW.
gpgme_get_ctx_flag NEW.
gpgme_decrypt_result_t EXTENDED: New field session_key.
qt: DN NEW.
qt: DN::Attribute NEW.
qt: Job::context(Job*) NEW.
cpp: EngineInfo::Version::Version(const char*) NEW.
cpp: EngineInfo::Version::Version() NEW.
cpp: SwdbResult NEW.
cpp: Context::setSender(const char*) NEW.
cpp: Context::getSender() NEW.
[c=C28/A17/R0 cpp=C9/A3/R0 qt=C8/A1/R0]
Noteworthy changes in version 1.7.1 (2016-10-18)
------------------------------------------------
* Fixed problems with the new language bindings.
* New helper function gpgme_addrspec_from_uid.
* Use option --exit-on-status-write-error with newer gpg versions.
* qt: Missed API from the Qt Binding inclusion has
been added again.
* qt: abstractimportjob.h is now installed to that
ImportJobs can be used again.
* qt: Fixed spelling error in API (startReceive).
* Interface changes relative to the 1.7.0 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gpgme_addrspec_from_uid NEW.
qt: WksPublishJob::startRecieve RENAMED to ::startReceive.
qt: MultiDeleteJob NEW.
qt: AbstractImportJob NEW.
qt: SpecialJob NEW.
cpp: Signature::key(bool, bool) NEW.
cpp: UserID::addrSpecFromString(const char*) NEW.
cpp: UserID::addrSpec() NEW.
[c=C27/A16/R0 cpp=C8/A2/R0 qt=C7/A0/R0]
Noteworthy changes in version 1.7.0 (2016-09-21)
------------------------------------------------
* New language bindings for Python 2 and 3.
* New language Bindings for C++ and the Qt-Framework API.
* New functions gpgme_op_createkey and gpgme_op_createsubkey to make
key creation easier (requires GnuPG 2.1).
* New functions gpgme_op_adduid and gpgme_op_revuid to make user id
management easier (requires GnuPG 2.1).
* New function gpgme_op_keysign to make key signing easier (requires
GnuPG 2.1).
* New function gpgme_op_interact to replace the now deprecated
functions gpgme_op_edit and gpgme_op_card_edit.
* New function gpgme_pubkey_algo_string to convert a public key
algorithm into a GnuPG 2.1 style string.
* Support for GnuPG 2.1's TOFU trust model.
* Notation flags are now correctly set on verify.
* New global flag "require-gnupg" to set a minimal gnupg version.
* More supported items in gpgme_get_dirinfo.
* New function gpgme_data_set_flag and flag "size-hint".
* New function gpgme_set_ctx_flag and flags "full-status" and
"raw-description".
* Improved gpgme_data_identify to distinguish more file types.
* New flag GPGME_ENCRYPT_SYMMETRIC for gpgme_op_encrypt to allow
mixed public key and symmetric encryption.
* New field KEYGRIP in gpgme_subkey_t. New fields FPR in gpgme_key_t.
* New flag GPGME_DATA_ENCODING_MIME to declare that the encrypted or
signed data is a valid MIME part. This is to support future GnuPG
versions.
* Interface changes relative to the 1.6.0 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gpgme_pubkey_algo_string NEW.
GPGME_PK_EDDSA NEW.
gpgme_set_ctx_flag NEW.
gpgme_data_set_flag NEW.
gpgme_op_createkey NEW.
gpgme_op_createkey_start NEW.
gpgme_op_createsubkey NEW.
gpgme_op_createsubkey_start NEW.
gpgme_op_adduid_start NEW.
gpgme_op_adduid NEW.
gpgme_op_revuid_start NEW.
gpgme_op_revuid NEW.
gpgme_op_keysign_start NEW.
gpgme_op_keysign NEW.
gpgme_op_tofu_policy_start NEW.
gpgme_op_tofu_policy NEW.
gpgme_op_interact_start NEW.
gpgme_op_interact NEW.
gpgme_interact_cb_t NEW.
gpgme_op_edit_start DEPRECATED.
gpgme_op_edit DEPRECATED.
gpgme_op_card_edit_start DEPRECATED.
gpgme_op_card_edit DEPRECATED.
gpgme_edit_cb_t DEPRECATED.
gpgme_status_code_t DEPRECATED.
gpgme_genkey_result_t EXTENDED: New fields pubkey and seckey.
gpgme_signature_t EXTENDED: New field key.
gpgme_key_t EXTENDED: New field fpr.
gpgme_subkey_t EXTENDED: New field keygrip.
gpgme_user_id_t EXTENDED: New field tofu.
gpgme_tofu_policy_t NEW.
gpgme_tofu_info_t NEW.
GPGME_STATUS_KEY_CONSIDERED NEW.
GPGME_STATUS_TOFU_USER NEW.
GPGME_STATUS_TOFU_STATS NEW.
GPGME_STATUS_TOFU_STATS_LONG NEW.
GPGME_STATUS_NOTATION_FLAGS NEW.
GPGME_KEYLIST_MODE_WITH_TOFU NEW.
GPGME_DATA_TYPE_PGP_ENCRYPTED NEW.
GPGME_DATA_TYPE_PGP_SIGNATURE NEW.
GPGME_DATA_ENCODING_MIME NEW.
GPGME_ENCRYPT_SYMMETRIC NEW.
GPGME_CREATE_SIGN NEW.
GPGME_CREATE_ENCR NEW.
GPGME_CREATE_CERT NEW.
GPGME_CREATE_AUTH NEW.
GPGME_CREATE_NOPASSWD NEW.
GPGME_CREATE_SELFSIGNED NEW.
GPGME_CREATE_NOSTORE NEW.
GPGME_CREATE_WANTPUB NEW.
GPGME_CREATE_WANTSEC NEW.
GPGME_CREATE_FORCE NEW.
GPGME_KEYSIGN_LOCAL NEW.
GPGME_KEYSIGN_LFSEP NEW.
GPGME_INTERACT_CARD NEW.
- coveralls:convert_file is not 4 arg function
- Resolve vars.config relative to SCRIPT
- Comment debug line
- Fix a couple typos in the README's macOS/OS X section
- Small typo fix on readme
- Deprecate hash functions in favor of crypto:hash/2
- Fix certificate decoding to OTP format
SECURITY:
* Common name not being validated when `exclude_cn_from_sans` option used in
`pki` backend
DEPRECATIONS/CHANGES:
* List Operations Always Use Trailing Slash
* PKI Defaults to Unleased Certificates
FEATURES:
* Replication (Enterprise)
* Response Wrapping & Replication in the Vault Enterprise UI
* Expanded Access Control Policies
* SSH Backend As Certificate Authority
IMPROVEMENTS:
* api/request: Passing username and password information in API request
* audit: Logging the token's use count with authentication response and
logging the remaining uses of the client token with request
* auth/approle: Support for restricting the number of uses on the tokens
issued
* auth/aws-ec2: AWS EC2 auth backend now supports constraints for VPC ID,
Subnet ID and Region
* auth/ldap: Use the value of the `LOGNAME` or `USER` env vars for the
username if not explicitly set on the command line when authenticating
* audit: Support adding a configurable prefix (such as `@cee`) before each
line
* core: Canonicalize list operations to use a trailing slash
* core: Add option to disable caching on a per-mount level
* core: Add ability to require valid client certs in listener config
* physical/dynamodb: Implement a session timeout to avoid having to use
recovery mode in the case of an unclean shutdown, which makes HA much safer
* secret/pki: O (Organization) values can now be set to role-defined values
for issued/signed certificates
* secret/pki: Certificates issued/signed from PKI backend do not generate
leases by default
* secret/pki: When using DER format, still return the private key type
* secret/pki: Add an intermediate to the CA chain even if it lacks an
authority key ID
* secret/pki: Add role option to use CSR SANs
* secret/ssh: SSH backend as CA to sign user and host certificates
* secret/ssh: Support reading of SSH CA public key from `config/ca` endpoint
and also return it when CA key pair is generated
BUG FIXES:
* audit: When auditing headers use case-insensitive comparisons
* auth/aws-ec2: Return role period in seconds and not nanoseconds
* auth/okta: Fix panic if user had no local groups and/or policies set
* command/server: Fix parsing of redirect address when port is not mentioned
* physical/postgresql: Fix listing returning incorrect results if there were
multiple levels of children
Full changelog:
https://github.com/hashicorp/vault/blob/v0.7.0/CHANGELOG.md
PuTTY 0.68, released today, supports elliptic-curve cryptography for host
keys, user authentication keys, and key exchange. Also, for the first time,
it comes in a 64-bit Windows version.
This update may create a build issue for non-BSD due to ancient functions
being different on BSD and SYSV. there's always macros if this fails.
