Changes since 0.4:
- SSL options updated --- based on OpenSSL 1.0.0d.
- Activate SSL_MODE_RELEASE_BUFFERS by default if it is available.
(thanks Prosody project)
OAuth is an authorization protocol built on top of HTTP which allows
applications to securely access data without having to store usernames
and passwords.
= Version 1.2.8 released 2013-06-19
Features
* Parsing of PKCS#8 encrypted private key files
* PKCS#12 PBE and derivation functions
* Centralized module option values in config.h to allow user-defined
settings without editing header files by using POLARSSL_CONFIG_OPTIONS
Changes
* HAVEGE random generator disabled by default
* Internally split up x509parse_key() into a (PEM) handler function
and specific DER parser functions for the PKCS#1 and unencrypted
PKCS#8 private key formats
* Added mechanism to provide alternative implementations for all
symmetric cipher and hash algorithms (e.g. POLARSSL_AES_ALT in
config.h)
* PKCS#5 module added. Moved PBKDF2 functionality inside and deprecated
old PBKDF2 module
Bugfix
* Secure renegotiation extension should only be sent in case client
supports secure renegotiation
* Fixed offset for cert_type list in ssl_parse_certificate_request()
* Fixed const correctness issues that have no impact on the ABI
* x509parse_crt() now better handles PEM error situations
* ssl_parse_certificate() now calls x509parse_crt_der() directly
instead of the x509parse_crt() wrapper that can also parse PEM
certificates
* x509parse_crtpath() is now reentrant and uses more portable stat()
* Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler
* Fixed values for 2-key Triple DES in cipher layer
* ssl_write_certificate_request() can handle empty ca_chain
Security
* A possible DoS during the SSL Handshake, due to faulty parsing of
PEM-encoded certificates has been fixed (found by Jack Lloyd)
= Version 1.2.7 released 2013-04-13
Features
* Ability to specify allowed ciphersuites based on the protocol version.
Changes
* Default Blowfish keysize is now 128-bits
* Test suites made smaller to accommodate Raspberry Pi
Bugfix
* Fix for MPI assembly for ARM
* GCM adapted to support sizes > 2^29
= Version 1.2.6 released 2013-03-11
Bugfix
* Fixed memory leak in ssl_free() and ssl_reset() for active session
* Corrected GCM counter incrementation to use only 32-bits instead of
128-bits (found by Yawning Angel)
* Fixes for 64-bit compilation with MS Visual Studio
* Fixed net_bind() for specified IP addresses on little endian systems
* Fixed assembly code for ARM (Thumb and regular) for some compilers
Changes
* Internally split up rsa_pkcs1_encrypt(), rsa_pkcs1_decrypt(),
rsa_pkcs1_sign() and rsa_pkcs1_verify() to separate PKCS#1 v1.5 and
PKCS#1 v2.1 functions
* Added support for custom labels when using rsa_rsaes_oaep_encrypt()
or rsa_rsaes_oaep_decrypt()
* Re-added handling for SSLv2 Client Hello when the define
POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set
* The SSL session cache module (ssl_cache) now also retains peer_cert
information (not the entire chain)
Security
* Removed further timing differences during SSL message decryption in
ssl_decrypt_buf()
* Removed timing differences due to bad padding from
rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
operations
= Version 1.2.5 released 2013-02-02
Changes
* Allow enabling of dummy error_strerror() to support some use-cases
* Debug messages about padding errors during SSL message decryption are
disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL
* Sending of security-relevant alert messages that do not break
interoperability can be switched on/off with the flag
POLARSSL_SSL_ALL_ALERT_MESSAGES
Security
* Removed timing differences during SSL message decryption in
ssl_decrypt_buf() due to badly formatted padding
= Version 1.2.4 released 2013-01-25
Changes
* Added ssl_handshake_step() to allow single stepping the handshake process
Bugfix
* Memory leak when using RSA_PKCS_V21 operations fixed
* Handle future version properly in ssl_write_certificate_request()
* Correctly handle CertificateRequest message in client for <= TLS 1.1
without DN list
= Version 1.2.3 released 2012-11-26
Bugfix
* Server not always sending correct CertificateRequest message
= Version 1.2.2 released 2012-11-24
Changes
* Added p_hw_data to ssl_context for context specific hardware acceleration
data
* During verify trust-CA is only checked for expiration and CRL presence
Bugfixes
* Fixed client authentication compatibility
* Fixed dependency on POLARSSL_SHA4_C in SSL modules
= Version 1.2.1 released 2012-11-20
Changes
* Depth that the certificate verify callback receives is now numbered
bottom-up (Peer cert depth is 0)
Bugfixes
* Fixes for MSVC6
* Moved mpi_inv_mod() outside POLARSSL_GENPRIME
* Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
Pégourié-Gonnard)
* Fixed possible segfault in mpi_shift_r() (found by Manuel
Pégourié-Gonnard)
* Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
Changes since 1.7.0
=====================================
* Fixes for CVE-2013-2153, CVE-2013-2154, CVE-2013-2155, CVE-2013-2156
* Reduced entity expansion limits when parsing
Changes since 1.6.1
=====================================
* [SANTUARIO-314] - AES-GCM support
* [SANTUARIO-315] - XML Encryption 1.1 OAEP enhancements
Changes since 1.6.0
=====================================
* [SANTUARIO-268] - TXFMXPathFilter->evaluateExpr crashes on Windows
* [SANTUARIO-270] - DSIGObject::load method crashes for ds:Object without Id attribute
* [SANTUARIO-271] - Bug when signing files with big RSA keys
* [SANTUARIO-272] - Memory bug inside XENCCipherImpl::deSerialise
* [SANTUARIO-274] - Function cleanURIEscapes always throws XSECException, when any escape sequence occurs
* [SANTUARIO-275] - Function isHexDigit doesn't recognize invalid escape sequences.
* [SANTUARIO-276] - Percent-encoded multibyte (UTF-8) sequences unrecognized
* [SANTUARIO-280] - RSA-OAEP handler only allows SHA-1 digests
Changes since 1.5.1
=====================================
* Fix for bug#43964, wrong namespace in encryption DigestMethod (SC)
* Fix for bug#48676, RetrievalMethod handler (SC)
* Fix for bug#45867, support for >1 CRL per KeyInfo (SC)
* Fix for bug#49148, buffer initialization issue (SC)
* Fix for bug#49255, vector index bug (SC)
* Fix for bug#49257, stylesheet append bug (SC)
* Fix for bug#49260, header guard in XPath transform header (SC)
* Fix for bug#49264, string release crash (SC)
* Fix for bug#44983, improper c14n of XSLT (SC)
* Fix for bug#49289, setters for Reference Type/Id (SC)
* Fix for bug#49371, skip comments in X509Certificate elements (SC)
* Fix for bug#49459, more header guards (SC)
* Fix for bug#49660, NSS verification of RSA broken (SC)
* Expose algorithm URI on Signature and Reference objects (SC)
* White/blacklisting of otherwise registered algorithms (SC)
* Add selected XML Signature 1.1 KeyInfo extensions (SC)
* Add elliptic curve keys and signatures via ECDSA (SC)
* Support debugging of Reference/SignedInfo data (SC)
* Clean up tests for SHA2 algorithms in OpenSSL (SC)
* Updated autoconf script, added NSS support, removed pre-automake material (SC)
* Add methods for Reference removal to DSIGSignature/DSIGSignedInfo classes (SC)
Changes between 1.5 and 1.5.1
=====================================
* Fix for bug#47353 in c14n of default namespaces (SC)
* Fix Sparc compilation bug (SC)
* Fix for CVE-2009-0217 (SC)
Changes between version 1.4 and 1.5
=====================================
* Make SHA-1 the implicit default DigestMethod for RSA-OAEP
key transport, allowing for interop until broken impls are fixed (SC)
* Fix memory leak in OpenSSL RSA/DSA key cloning (SC)
* Expose KeyInfo extensions via DOM (SC)
* Fix c14n to omit standard xmlns:xml declarations (SC)
* Add partial support for Inclusive C14N 1.1 with regard to xml:id but not xml:base (SC)
* Finish port to Xerces 3.0 (SC)
* 64-bit API changes (SC)
* Add VC9 build files (SC)
Changes between version 1.3.1 and 1.4
=====================================
* Fix exclusive c14n namespace bug (rev. 526939) (BL)
* Add const specifiers and methods to various classes (SC)
* Add better extraction of openssl build settings using pkg-config (SC)
* Fix XSECnew macro to stop catching arbitrary errors and report
crypto exceptions instead of turning them into allocation errors (SC)
* Add various missing files to dist target (SC)
Changes between version 1.3 and 1.3.1
=====================================
* Refactor NIX build to use automake and libtool
* Initial support for API changes in Xerces 3.0
* Fix bug in autconf that would stop proper detection of Xerces
ability to set Id attributes
* Fix bug 40085 - incorrect OIDs on non SHA1 based RSA signatures.
* Update support for non SHA1 based RSA signatures
* Remove redundant code from SignedInfo that was preventing the
library from loading signatures it did not have an algorithm hard
wired for
* Fix bug in envelope transform when input nodeset is a document
fragment rather than the entire document and the canonicalisation
uses a namespace that was not defined directly in the fragment
* Fix bug in DSIGXPathFilterExpr where m_loaded was not initialised
potentially causing an exception when an XPath expression was loaded
reported by Ralf "Sabo" Saborowski.
Changes between version 1.2.1 and 1.3
=====================================
* Performance improvements in canonicalisation
* Implemented algorithm handlers for the digital signature classes,
to provide algorithm extensibility
* Update signature classes to pass in requested algorithms as URIs
rather than enums. Enum based methods are now deprecated.
* Fix memory leaks in OpenSSL wrapping code
* Provide ability for calling application to define whether
references are interlocking.
* Provide some stability if the Apache keystore is corrupted under Windows.
* Initial import of beta NSS crypto support
* Complete implementation of XKMS message set
* Methods to allow loading of encrypted data without doing decrypt
and to process a decrypt/encrypt operation without replacing the
original nodes
* Provide MS VC++ 2005 project files
* Fix bug when encrypting small input docs
* Implement checks for broken OpenSSL support under Solaris 10
* Add --with-xalan, --with-openssl, --with-xerces and
--enable-warnerror flags in configure
* Configure now detects if Xalan is installed rather than having
XALANCROOT being a pointer to the compile directory
- Reorder hashing in DSIGReference.cpp as per suggestion by Peter Gubis
- Update microsoft project files to reflect new version as per Scott Cantor
- Replace setAttribute with setAttributeNS calls
- Add methods to OpenSSL classes to extract OpenSSL objects
- Fix handling of libcrypto on Solaris platform
- Fix bug in Canoncicalisation courtesy of Scott Cantor
Changes between version 1.2 and 1.2.1
=====================================
* Fixed library versions in Windows builds (were being generated as 1.1)
* Added "No Xalan" builds for xklient under Windows VC6.0
* Added "No Xalan" builds for all projects in VC 7.0
Changes between version 1.1 and 1.2
===================================
* Started a changelog :>
* Remove MFC dependency and clean up memory debugging
* Remove dynamic_casts and RTTI requirement
* Implemented XKMS Message generation and processing
* Implemented command line XKMS tool for generating and dumping XKMS messages
* Support for DESTDIR as provided by ville.skytta@iki.fi in Bugzilla 28520
* Update to Apache licence 2.0.
* Add support for SHA224/256/384/512 (requires OpenSSL 0.9.8 Beta)
* Patch for Mac OS X compile - provided by Scott Cantor - cantor.2@osu.edu - See Bugzilla #34920
* Updates to compile against Xalan 1.9
* Backport to compile with Xerces 2.1
* Fix bug with NULL pointer when validating or signing empty reference lists - fix as suggested by Jesse Pelton <jsp@PKC.com> on 23 March 2005 on security-dev@xml
* Provided support for nominating namespace based Id attributes
* Change to allow apps to calculate and obtain signed info hash - from Eckehard.Hermann@softwareag.com - see email of 2 March 2005 on security-dev@xml
* Patch for long RSA keys provided by Michael Braunoeder - michael@mib.priv.at to security-dev@xml on 16 Nov 2005
* Memory leak in OpenSSLCryptoBase64 reported by Jesse Pelton fixed.
* Move to internal Base64 decoder in a number of methods to handle non-wrapping data
* Resize buffer in OpenSSLCryptoKeyRSA for larger RSA keys - as submitted by Vadim Ismailov <worndown@gmail.com> 3 December 2005
* Remove redundant m_keyType class variable from OpenSSLCryptoKeyRSA as reported by Jesse Pelton (jsp@pkc.com) on security-dev@xml
* Don't throw an exception when an RSA decrypt fails during sig validation - this is a failed validate, not an error
* Shutdown OpenSSL properly - as suggested by Jesse Pelton <jsp@PKC.com> in e-mail to security-dev@xml on 9 March 2005
* Changed scope of WinCapiCryptoKey::importKey() from private to public. It returns key now, instead of void.
* Fix problem in Windows CAPI where XSEC doesn't work if user doesn't have admin rights.
* Bug fix in Windows CAPI code for some W2K machines - reported by Andrzej Matejko 4/5/2004
* Fix build on non WINCAPI systems, as reported by Milan Tomic on 22/4/2004
* New constructor added to WinCapiX509
* Fixed Bug in encode() XSCryptCryptoBase64.
* Fix bug in XPathFilter transform when checking if an attribute is in the input node set.
* Fix bug in in UTF transcoder for counting of transcoded characters (count characters not bytes) reported by Milan Tomic
* Move function definitions in the Windows BinInput stream class to static to avoid conflicts with Xerces. As suggested by Jesse Pelton <jsp@PKC.com> on 2 Feb 2005 in security-dev@xml
* Added complete KeyInfo handling for XENCEncryptedType
* Fix to stop re-use of derived key encrypting key when decrypting multiple elements in a document
* Fix to ignore encryption exceptions during a private key decrypt
* Add code to detect ASN.1 encoded DSA signatures and validate accordingly
Changes since previous version:
SI6 Networks' IPv6 Toolkit v1.4.1
* frag6: Fixed bug that prevented Ethernet header from being filled
A bug in the code caused Ethernet frames to go on te wire without any of
their header fields completed.
* All: Use of library to avoid code replication
An "libipv6" library was created, such that common functions do not need
to be replicated for each tool. ni6, ns6, rs6, and tcp6 now employ such
library.
pkgsrc changes:
* address6 and its man page are no longer installed
* extend the Makefile changes to include the correct linkage for rs6 and tcp6
i.e. include the libipv6 object mentioned above
1.11 - Sat Jul 28 16:09:37 2012
* Clarify the license as LGPL v3 (29 June 2007) (RT 78629)
1.10 - Wed Jul 11 19:25:12 2012
* Add MirBSD support. It's the same options as Sun stuff.
1.953 2013/7/22
- fixes to IO::Socket::SSL::Utils, thanks to rurban[AT]x-ray[DOT]at,
RT#87052
1.952 2013/7/11
- fix t/acceptSSL-timeout.t on Win32, RT#86862
1.951 2013/7/3
- better document builtin defaults for key,cert,CA and how they are depreceated
- use Net::SSLeay::SSL_CTX_set_default_verify_paths to use openssl's builtin
defaults for CA unless CA path/file was given (or IO::Socket::SSL builtins
used)
1.950 2013/7/3
- MAJOR BEHAVIOR CHANGE:
ssl_verify_mode now defaults to verify_peer for client.
Until now it used verify_none, but loudly complained since 1.79 about it.
It will not complain any longer, but the connection might probably fail.
Please don't simply disable ssl verification, but instead set SSL_ca_file
etc so that verification succeeds!
- MAJOR BEHAVIOR CHANGE:
it will now complain if the builtin defaults of certs/my-ca.pem or ca/
for CA and certs/{server,client}-{key,cert}.pem for cert and key are used,
e.g. no certificates are specified explicitly.
In the future these insecure (relative path!) defaults will be removed
and the CA replaced with the system defaults.
v1.94 2013.06.01
- Makefile.PL reported wrong version of openssl, if Net::SSLeay was not
installed instead of reporting missing dependency to Net::SSLeay.
v1.93 2013.05.31
- need at least OpenSSL version 0.9.8 now, since last 0.9.7 was released 6
years ago. Remove code to work around older releases.
- changed AUTHOR in Makefile.PL from array back to string, because the
array feature is not available in MakeMaker shipped with 5.8.9 (RT#85739)
v1.92 2013.05.30
- Intercept: use sha1-fingerprint of original cert for id into cache unless
otherwise given
- Fix pod error in IO::Socket::SSL::Utils RT#85733
v1.91 2013.05.30
- added IO::Socket::SSL::Utils for easier manipulation of certificates and keys
- moved SSL interception into IO::Socket::SSL::Intercept and simplified it
using IO::Socket::SSL::Utils
- enhance meta information in Makefile.PL
v1.90 2013.05.27
- RT#85290, support more digest, especially SHA-2.
Thanks to ujvari[AT]microsec[DOT]hu
- added support for easy SSL interception (man in the middle) based
on ideas found in mojo-mitm proxy (which was written by Karel Miko)
- make 1.46 the minimal required version for Net::SSLeay, because it
introduced lots of useful functions.
v1.89 2013.05.14
- if IO::Socket::IP is used it should be at least version 0.20, otherwise
we get problems with HTTP::Daemon::SSL and maybe others (RT#81932)
- Spelling corrections, thanks to dsteinbrunner
v1.88 2013.05.02
- consider a value of '' the same as undef for SSL_ca_(path|file), SSL_key*
and SSL_cert* - some apps like Net::LDAP use it that way.
Thanks to alexander[AT]kuehn[AT]nagilum[DOT]de for reporting the problem.
v1.87 2013.04.24
- RT#84829 - complain if given SSL_(key|cert|ca)_(file|path) do not exist or
if they are not readable. Thanks to perl[AT]minty[DOT]org
- fix use of SSL_key|SSL_file objects instead of files, broken with 1.83
1.55 2013-06-08
Added support for TLSV1_1 and TLSV1_2 methods with SSL_CTX_tlsv1_1_new(),
SSL_CTX_tlsv1_2_new(), TLSv1_1_method() and TLSv1_2_method(), where
available in the underlying openssl.
Added CRL support functions X509_CRL_get_ext(), X509_CRL_get_ext_by_NID(),
X509_CRL_get_ext_count(). Patch from Franck Youssef.
Fixed a problem which could cause content with a value of '0' to not be
correctly encoded by do_httpx3 and friends. Reported by Victor Efimov via
RT.
Added support for SSL_get_tlsa_record_byname() required for DANE support in
openssl-1.0.2 and later. SSL_get_tlsa_record_byname() was added to
OpenSSL with the financial assistance of .SE.
Testing with openssl-1.0.2-stable-SNAP-20130521.
Added X509_NAME_new and X509_NAME_hash, patched by Franck Youssef.
Noteworthy changes in version 2.0.21 (2013-08-19)
-------------------------------------------------
* gpg-agent: By default the users are now asked via the Pinentry
whether they trust an X.509 root key. To prohibit interactive
marking of such keys, the new option --no-allow-mark-trusted may
be used.
* gpg-agent: The command KEYINFO has options to add info from
sshcontrol.
* The included ssh agent does now support ECDSA keys.
* The new option --enable-putty-support allows gpg-agent to act on
Windows as a Pageant replacement with full smartcard support.
* Support installation as portable application under Windows.
code was added to fix the compiler uninitialised warning (thanks!),
but the distfile name didn't change since it was packaged originally,
so do the DIST_SUBDIR dance, and bump package version to nb1
Pkgsrc changes:
+ quieten warnings from gcc 4.5.3 about uninitialised variables
Distribution changes:
SI6 Networks' IPv6 Toolkit v1.4 release
* frag6: Fixed the flooding option
Fixed the fragment size used when employing the flooding option. It was
prevously sending fragment sizes that where not a multiple of eight, and
hence these fragments were dropped.
* scan6: Added support for 64-bit encoding of IPv4 addresses
Option "--tgt-ipv4" was augmented to support both encodings (32 bit
and 64 bit) of embedded IPv4 addresses.
* tcp6: Fixed response to Neighbor Solicitations
tcp6 was not responding to incomming Neighbor Solicitations. Hence, when
packets were sent from spoofed addresses, tcp6 would never receive the
response packets, because the NSs sent by the local router or target node
would never be responded.
* tcp6: Added support for TCP Window-based attacks
tcp6 can now close the window after sending an app-layer command, and
also "modulate" the TCP window to circumvent trivial mitigations for these
attacks ("--window-mode" and "--win-modulate" options).
* tcp6: Support for multiple connection-establishment types
tcp6 can now cause e.g. TCP simultaneous opens (see the "--open-mode"
option).
* tcp6: Support for multiple connection-termination types
tcp6 can now perform multiple connection-termination types (see the
"--close-mode" option).
* tcp6: Support for sending application layer requests
tcp6 can now send application-layer requests with the "--data" option.
* Many improvements to the manual pages.
Fixed the troff encoding of many manual pages. Added ipv6toolkit(7), that
describes a general description of the toolkit.
* All: Fixed bug in link-layer destination address selection
Tools now try to find a local router or perform Neighbor Discovery only
when necessary (i.e., underlying link-layer is *not* loopback or tunnel,
destination address is *not* link-local, and a link-layer destination
address has *not* been specified).
* All: Fixed bug in option handling
Incorrect data type was used for the return value of getopt_long(), thus
leading to problems in some architectures.
* All: Fixed a number of issues with pcap_next_ex()
The timeout parameter of pcap_next_ex() is now based on the platform (the
previous constant value had different semantics in different platforms).
Additionally, handle the case where pcap_next_ex() returns no packets.
* All: General improvements and clean-up
The development process now includes building the toolkit with the clang
compiler (in addition to gcc), which has lead to the identification of a
number of issues.
* All: Improved support for building the toolkit.
The toolkit now contains one makefile for pmake, and another for GNU make.
Added support for the DESTDIR variable. Appropriate paths are selected
based on the value of a number of variables. Configuration file is
dynamically generated, with the right path to the oui.txt file.
Pkgsrc changes:
* Get rid of ruby dependencies, since the validator is no longer
included in OpenDNSSEC
* Adapt PLIST to changes in installed files
* Add a patch so that the database migration scripts are installed
as part of the package
Upstream notable changes:
* SUPPORT-58: Extend ods-signer sign <zone> with -serial <nr> so
that the user can specify the SOA serial to use in the signed
zone [OPENDNSSEC-401].
* OPENDNSSEC-91: Make the keytype flag required when rolling keys
Bugfixes:
* SUPPORT-60: Fix datecounter in case inbound serial is higher
than outbound serial [OPENDNSSEC-420].
* OPENDNSSEC-247: Signer Engine: TTL on NSEC3 was not updated on
SOA Minimum change.
* OPENDNSSEC-421: Signer Engine: Fix assertion error in case
NSEC3 hash algorithm in signconf is not SHA1.
* OPENDNSSEC-421: ods-kaspcheck: Check whether NSEC3 hash algorithm
in kasp is valid.
* Bugfix: The time when inbound serial is acquired was reset
invalidly, could cause OpenDNSSEC wanting AXFR responses while
requesting IXFR (thanks Stuart Lau).
* Bugfix: Fix malform in Outbound IXFR/TCP subsequent packet
(thanks Stuart Lau).
* OPENDNSSEC-398: The ods-ksmutil key rollover command does not
work correctly when rolling all keys using the -policy option
This fixes a buffer overflow which was patched in pkgsrc (CVE-2013-4852),
two other buffer overflows (CVE-2013-4206, CVE-2013-4207), and
it clears private keys after use now (CVE-2013-4208).
Other than that, there are mostly bug fixes from 0.62 and a few
small features.
libcurvecpr is a library implementation of Dan Bernstein's CurveCP
libcurvecpr is a low-level, networking-independent implementation of
Daniel J. Bernstein's CurveCP.
libcurvecpr is based on a system of callbacks that must be implemented
by library users. Like the reference CurveCP implementation, the
client, server, and message-handling portions of libcurvecpr are
entirely independent of each other.
This means that while it's slightly more effort to build software
based on libcurvecpr than other packages, it provides complete freedom
to use any underlying mechanism for handling network traffic you want
- whether it's an IPC connection to another program, standard
poll(2)-type functionality, or libev.
-----------------
Duncan Ferguson <duncan_ferguson@user.sf.net> - v4.01_05
- New option (-m, --unique-servers) to remove repeated servers when openeing terminals (Thanks to Oliver Meissner)
- Drop MYMETA.yml and .json files from the distribution
- Do not set default user name to prevent overriding ssh configuration
2013-02-26 Duncan Ferguson <duncan_ferguson@user.sf.net> - v4.01_04
- Fixed 'ccon' not calling the correct command (Sf bug 3605002)
- Fixed clusters not being defined correctly within the .clusterssh/config file (Sf bug 3605675)
2013-02-15 Duncan Ferguson <duncan_ferguson@user.sf.net> - v4.01_03
* Correct documentation for references to $HOME/.clusterssh/config
* Re-add user back into the configurartion file
* Add in missing newline for some error messages
* Allow the path to rsh/ssh/telnet to be defined in the configuration file
* Move .csshrc to .csshrc.DISABLED since it should no longer be used
* Error emitted when adding a host via the "Hosts" drop-down (Debian bug ID #578208)
* Pastes uses a strange keyboard layout (Debian bug ID #364565)
* Cope with being invoked by 'clusterssh' (Debian bug ID #644368)
* Fix migration of .csshrc when not working as expected (Debian bug ID #673507)
* Remove doc references to 'always_tile' as renamed 'window_tiling' (Debian bug ID #697371)
* Updated manpage whatis entries (patch by Tony Mancill)
* Fix watch line expression to catch 4.x series tarballs (Debian patch LP ID #1076897)
* Allow tests to pass successfully when run as root
* Fix cssh starting if xterm is not installed (Sf bug 3494988)
* Set WM_CLASS on windows to 'cssh' (Sf bug 3187736)
2012-12-09 Duncan Ferguson <duncan_ferguson@user.sf.net> - v4.01_02
* Fix logic when using 'autoclose' on the command line or config file
* Fix $HOME/.clusterssh/clusters being read in
* Fix 'ctel', 'crsh' and 'ccon'so they work as expected
pkgsrc changes:
---------------
FETCH_USING= curl, as PyPi moved to https.
Upstream changes:
-----------------
v1.11.0 (26th Jul 2013)
-----------------------
* #98: On Windows, when interacting with the PuTTY PAgeant, Paramiko now
creates the shared memory map with explicit Security Attributes of the user,
which is the same technique employed by the canonical PuTTY library to avoid
permissions issues when Paramiko is running under a different UAC context
than the PuTTY Ageant process. Thanks to Jason R. Coombs for the patch.
* #100: Remove use of PyWin32 in `win_pageant` module. Module was already
dependent on ctypes for constructing appropriate structures and had ctypes
implementations of all functionality. Thanks to Jason R. Coombs for the
patch.
* #87: Ensure updates to `known_hosts` files account for any updates to said
files after Paramiko initially read them. (Includes related fix to guard
against duplicate entries during subsequent `known_hosts` loads.) Thanks to
`@sunweaver` for the contribution.
v1.10.2 (26th Jul 2013)
-----------------------
* #153, #67: Warn on parse failure when reading known_hosts file. Thanks to
`@glasserc` for patch.
* #146: Indentation fixes for readability. Thanks to Abhinav Upadhyay for catch
& patch.
Passlib is a password hashing library for Python 2 & 3, which
provides cross-platform implementations of over 30 password hashing
algorithms, as well as a framework for managing existing password
hashes. It's designed to be useful for a wide range of tasks, from
verifying a hash found in /etc/shadow, to providing full-strength
password hashing for multi-user application.
** libgnutls: Fixes in parsing of priority strings. Patch by Stefan Buehler.
** libgnutls: Solve issue with received TLS packets that exceed 2^14.
(this fixes a bug that was accidentally introduced in 3.2.2)
** libgnutls: Removed gnulib modules under LGPLv3 that could possibly be
used by the library.
** libgnutls: Fixes in gnutls_record_send_range().
** API and ABI modifications:
gnutls_priority_kx_list: Added
gnutls_priority_mac_list: Added
gnutls_priority_cipher_list: Added
PACK (Password Analysis and Cracking Toolkit) is a collection of
utilities developed to aid in analysis of password lists and
enhancing cracking of passwords using smart rule generation. It
can be used to reverse word mangling rules, generate source words
and optimize password masks for the Hashcat family of tools.
NOTE: The toolkit itself is not able to crack passwords, but instead
designed to make operation of password crackers more efficient.
Changelog:
Changes from 2.22 to 2.23:
New Features:
New password quality estimation algorithm.
Added toolbar buttons: 'Open URL(s)', 'Copy URL(s) to Clipboard' and 'Perform Auto-Type'.
Added 'Generate Password' command in the context menu of the KeePass system tray icon.
Added 'Copy history' option in the entry duplication dialog (enabled by default).
Added 'Duplicate Group' context menu command.
In the MRU list, currently opened files now have an '[Opened]' suffix and are blue.
When a dialog is displayed, (double) clicking the KeePass system tray icon now activates the dialog.
Added {T-REPLACE-RX:...} placeholder, which replaces text using a regular expression.
Added {VKEY-NX X} and {VKEY-EX X} special key codes.
Added 'Perform auto-type with selected entry' trigger action.
Added 'Import into active database' trigger action.
Mozilla Bookmarks HTML import: added support for groups, bookmark descriptions and icons.
Mozilla Bookmarks JSON import: bookmark descriptions are now imported into the note fields of entries.
RoboForm import: added support for the new file format.
Added support for importing Network Password Manager 4.0 CSV files.
Enhanced SafeWallet XML importer to additionally support importing web entries and groups from very old export file versions (for newer versions this was already supported).
Added database repair mode warning.
Added option to accept invalid SSL certificates (turned off by default).
Added user activity notification event for plugins.
File transactions for FTP URLs are now always disabled when running under .NET 4.0 in order to workaround .NET bug 621450.
Added workaround for Mono list view item selection bug.
Added workaround for Mono bug 649266; minimizing to tray now removes the task bar item and restoring does not result in a broken window anymore.
Added workaround for Mono bug 5795; text and selections in password boxes are now drawn properly (a monospace font can only be used on Windows due to the bug).
Added workaround for Mono bug 12525; dialog banners are now drawn correctly again.
Added workaround for Mono form loading bug.
KPScript: added 'Import' command.
KPScript: the 'ListEntries' command now also outputs date/time fields of entries.
Improvements / Changes:
When the option for remembering the last used database is enabled, KeePass now remembers the last active database (instead of the last opened or saved database).
The 'Add Group' command and the F2 key in the groups tree view now open the group editing dialog; in-place tree node label editing is disabled.
Custom string and plugin-provided columns in the 'Configure Columns' dialog are sorted alphabetically now.
Improved behavior when closing inactive databases.
Improved support for trigger actions during database closing.
The 'Special' GUI character set now includes '|' and '~'.
The 'High ANSI' character set now consists of the range [U+0080, U+00FF] except control and non-printable characters.
The options dialog is now listed in the task bar when it is opened while KeePass is minimized to the system tray.
A remembered user account usage state can now be preset even when the user account option is disabled using key prompt configuration flags.
Improved initial input focus in key creation/prompt dialogs when key creation/prompt configuration flags are specified.
During synchronization, the status dialog is now closed after all files have been saved.
Improved behavior of the global KeePass activation hot key when a dialog is displayed.
Changed auto-type command icon.
Shortened product name in main window title.
Improved data URI validation.
Custom clipboard data is now encoded as data URI (with a vendor-specific MIME type).
Improved configuration loading performance.
Enhanced IO connection problem diagnostics.
Improved single instance checking on Unix-like systems.
KeePassLibC DLLs and ShInstUtil are now explicitly marked as DEP- and ASLR-compatible (like the executable file).
Various UI improvements.
Various code optimizations.
Minor other improvements.
Bugfixes:
The suffixes to the 'Inherit setting from parent' options on the 'Behavior' tab of the group editing dialog now correctly show the inherited settings of the current group's parent.
When locked, the main window's title doesn't show the full path of the database anymore when the option 'Show full path in title bar (instead of file name only)' is turned off.
The status bar is now updated correctly after sorting by a column.
Changes from 2.21 to 2.22:
New Features:
When the option for remembering key sources is enabled, KeePass now also remembers whether the user account is required.
Added 'View' -> 'Grouping in Entry List' menu.
Added 'Close active database' trigger action.
Added '-ioiscomplete' command line option, which tells KeePass that the path and file system credentials are complete (the 'Open URL' dialog will not be displayed then).
Added support for importing SafeWallet XML files (3.0.4 and 3.0.5).
Added support for importing TurboPasswords 5.0.1 CSV files.
LastPass CSV importer: added support for group trees.
Alle meine Passworte XML importer: added support for custom fields and group names with special characters.
Password Safe XML importer: added support for the e-mail field.
Added 'Help' button in the generic CSV importer dialog.
Added workaround for .NET bug 642188; top visible list view items are now remembered in details view with groups enabled.
Added workaround for Mono form title bar text update bug (which e.g. caused bug 801414).
Improvements / Changes:
After closing a character picking dialog, KeePass now explicitly activates the previous window.
Improved behavior when cancelling the icon picker dialog.
Main window activation redirection now works with all KeePass dialogs automatically.
The window state of the current database is now remembered before opening another database.
Previous parameters are now discarded when switching between different trigger event/condition/action types.
Unified separators in group paths.
The UI state is now updated after adding an entry and clicking an entry reference link in the entry view.
The '-entry-url-open' command line option now searches for matching entries in all open databases.
Improved database context determination when opening an URL.
Added support for special values in date/time fields imported from KeePass 1.x.
Improved HTML entity decoding (support for more entities and CDATA sections, improved performance, ...).
RoboForm HTML importer: URLs are converted to lower-case now and support for a special order rotation of attributes has been added.
Removed Password Gorilla CSV importer; users should use the generic CSV importer (which can import more data than the old specialized CSV importer).
Improved file discoveries.
Improved test form entry auto-type window definition.
In the MSI package, the version is now included in the product name.
Native key transformation library: replaced Boost threads by Windows API threads (because Boost threads can result in crashes on restricted Windows 7 x64 systems).
Various UI improvements.
Various code optimizations.
Minor other improvements.
Bugfixes:
(None).
Upstream changes:
1.09 - Tue 23 Jul '13
made SvUPGRADE a statement
corrected VERSION statement
fixed _idea.c for Strawberry
(No upstream changelog for 1.10)
Noteworthy changes in version 1.5.3 (2013-07-25)
------------------------------------------------
* Mitigate the Yarom/Falkner flush+reload side-channel attack on
RSA secret keys. See <http://eprint.iacr.org/2013/448>.
Noteworthy changes in version 1.4.14 (2013-07-25)
-------------------------------------------------
* Mitigate the Yarom/Falkner flush+reload side-channel attack on
RSA secret keys. See <http://eprint.iacr.org/2013/448>.
* Fixed IDEA for big-endian CPUs
* Improved the diagnostics for failed keyserver lockups.
* Minor bug and portability fixes.
* Version 3.2.2 (released 2013-07-14)
** libgnutls: Several optimizations in the related to packet processing
subsystems.
** libgnutls: DTLS replay detection can now be disabled (to be used
in certain transport layers like SCTP).
** libgnutls: Fixes in SRTP extension generation when MKI is being
used.
** libgnutls: Added ability to set hooks before or after sending or receiving
any handshake message with gnutls_handshake_set_hook_function().
** API and ABI modifications:
GNUTLS_NO_REPLAY_PROTECTION: Added
gnutls_certificate_set_trust_list: Added
gnutls_cipher_get_tag_size: Added
gnutls_record_overhead_size: Added
gnutls_est_record_overhead_size: Added
gnutls_handshake_set_hook_function: Added
gnutls_handshake_description_get_name: Added
gnutls_digest_list: Added
gnutls_digest_get_id: Added
gnutls_digest_get_name: Added
are replaced with .include "../../devel/readline/buildlink3.mk", and
USE_GNU_READLINE are removed,
* .include "../../devel/readline/buildlink3.mk" without USE_GNU_READLINE
are replaced with .include "../../mk/readline.buildlink3.mk".
Bytes::Random::Secure provides two interfaces for obtaining crypto-quality
random bytes. The simple interface is built around plain functions. For greater
control over the Random Number Generator's seeding, there is an Object Oriented
interface that provides much more flexibility.
Crypt::Random::Seed is a simple mechanism to get strong randomness. The main
purpose of this module is to provide a simple way to generate a seed for a
PRNG such as Math::Random::ISAAC, for use in cryptographic key generation,
or as the seed for an upstream module such as Bytes::Random::Secure. Flags
for requiring non-blocking sources are allowed, as well as a very simple method
for plugging in a source.
Crypt::Random::TESHA2 generate random numbers using entropy gathered from
timer/scheduler jitter. This can be used to generate non-pseudorandom data
to seed a PRNG (e.g. srand/rand, Math::Random::MT, etc.) or CSPRNG (e.g. AES-CTR
or Math::Random::ISAAC). You may use it directly or as part of a random source
module that first checks for O/S randomness sources.
* Version 0.4.2
- All NaCl constants are now also exposed as functions.
- The Android and iOS cross-compilation script have been improved.
- libsodium can now be cross-compiled to Windows from Linux.
- libsodium can now be compiled with emscripten.
- New convenience function (prototyped in utils.h): sodium_bin2hex().
Version 0.22
~~~~~~~~~~~~
- Added support for `TimedJSONWebSignatureSerializer`.
- made it possible to override the signature verification function
to allow implementing asymmetrical algorithms.
* Version 3.2.1 (released 2013-06-01)
** libgnutls: Allow ECC when in SSL 3.0 to work-around a bug in certain
openssl versions.
** libgnutls: Fixes in interrupted function resumption. Report
and patch by Tim Kosse.
** libgnutls: Corrected issue when receiving client hello verify requests
in DTLS.
** libgnutls: Fixes in DTLS record overhead size calculations.
** libgnutls: gnutls_handshake_get_last_in() was fixed. Reported
by Mann Ern Kang.
** API and ABI modifications:
gnutls_session_set_id: Added
* Version 3.2.0 (released 2013-05-10)
** libgnutls: Use nettle's elliptic curve implementation.
** libgnutls: Added Salsa20 cipher
** libgnutls: Added UMAC-96 and UMAC-128
** libgnutls: Added ciphersuites involving Salsa20 and UMAC-96.
As they are not standardized they are defined using private ciphersuite
numbers.
** libgnutls: Added support for DTLS 1.2.
** libgnutls: Added support for the Application Layer Protocol Negotiation
(ALPN) extension.
** libgnutls: Removed support for the RSA-EXPORT ciphersuites.
** libgnutls: Avoid linking to librt (that also avoids unnecessary
linking to pthreads if p11-kit isn't used).
** API and ABI modifications:
gnutls_cipher_get_iv_size: Added
gnutls_hmac_set_nonce: Added
gnutls_mac_get_nonce_size: Added
* Version 3.1.10 (released 2013-03-22)
** certtool: When generating PKCS #12 files use by default the
ARCFOUR (RC4) cipher to be compatible with devices that don't
support AES with PKCS #12.
** libgnutls: Load CA certificates in android 4.x systems.
** libgnutls: Optimized CA certificate loading.
** libgnutls: Private keys are overwritten on deinitialization.
** libgnutls: PKCS #11 slots are scanned only when needed, not
on initialization. This speeds up gnutls initialization when smart
cards are present.
** libgnutls: Corrected issue in the (deprecated) external key
signing interface, when used with TLS 1.2. Reported by Bjorn H. Christensen.
** libgnutls: Fixes in openpgp handshake with fingerprints. Reported by
Joke de Buhr.
** libgnutls-dane: Updated DANE verification options.
** configure: Trust store file must be explicitly set or unset when
cross compiling.
** API and ABI modifications:
gnutls_x509_crt_get_issuer_dn2: Added
gnutls_x509_crt_get_dn2: Added
gnutls_x509_crl_get_issuer_dn2: Added
gnutls_x509_crq_get_dn2: Added
gnutls_x509_trust_list_remove_trust_mem: Added
gnutls_x509_trust_list_remove_trust_file: Added
gnutls_x509_trust_list_remove_cas: Added
gnutls_session_get_desc: Added
gnutls_privkey_sign_raw_data: Added
gnutls_privkey_status: Added
* Version 3.1.9 (released 2013-02-27)
** certtool: Option --to-p12 will now ask for a password to generate
a PKCS #12 file from an encrypted key file. Reported by Yan Fiz.
** libgnutls: Corrected issue in gnutls_pubkey_verify_data().
** libgnutls: Corrected parsing issue in XMPP within a subject
alternative name. Reported by James Cloos.
** libgnutls: gnutls_pkcs11_reinit() will reinitialize all PKCS #11
modules, and not only the ones loaded via p11-kit.
** libgnutls: Added function to check whether the private key is
still available (inserted).
** libgnutls: Try to detect fork even during nonce generation.
** API and ABI modifications:
gnutls_handshake_set_random: Added
gnutls_transport_set_int2: Added
gnutls_transport_get_int2: Added
gnutls_transport_get_int: Added
gnutls_record_cork: Exported
gnutls_record_uncork: Exported
gnutls_pkcs11_privkey_status: Added
* Version 3.1.8 (released 2013-02-10)
** libgnutls: Fixed issue in gnutls_x509_privkey_import2() which didn't return
GNUTLS_E_DECRYPTION_FAILED in all cases, and affect certtool operation
with encrypted keys. Reported by Yan Fiz.
** libgnutls: The minimum DH bits accepted by priorities NORMAL and
PERFORMANCE was set to previous defaults 727 bits. Reported by Diego
Elio Petteno.
** libgnutls: Corrected issue which prevented gnutls_pubkey_verify_hash()
to operate with long keys. Reported by Erik A Jensen.
** API and ABI modifications:
No changes since last version.
* Version 3.1.7 (released 2013-02-04)
** certtool: Added option "dn" which allows to directly set the DN
in a template from an RFC4514 string.
** danetool: Added options: --dlv and --insecure. Suggested by Paul Wouters.
** libgnutls-xssl: Added a new library to simplify GnuTLS usage.
** libgnutls-dane: Added function to specify a DLV file.
** libgnutls: Heartbeat code was made optional.
** libgnutls: Fixes in server side of DTLS-0.9.
** libgnutls: DN variable 'T' was expanded to 'title'.
** libgnutls: Fixes in record padding parsing to prevent a timing attack.
Issue reported by Kenny Paterson and Nadhem Alfardan.
** libgnutls: Added functions to directly set the DN in a certificate
or request from an RFC4514 string.
** libgnutls: Optimizations in the random generator. The re-seeding of
it is now explicitly done on every session deinit.
** libgnutls: Simplified the DTLS sliding window implementation.
** libgnutls: The minimum DH bits accepted by a client are now set
by the specified priority string. The current values correspond to the
previous defaults (727 bits), except for the SECURE128 and SECURE192
strings which increase the minimum to 1248 and 1776 respectively.
** libgnutls: Added the gnutls_record_cork() and uncork API to enable
buffering in sending application data.
** libgnutls: Removed default random padding, and added a length-hiding interface
instead. Both the server and the client must support this extension. Whether
length-hiding can be used on a given session can be checked using
gnutls_record_can_use_length_hiding(). Contributed by Alfredo Pironti.
** libgnutls: Added the experimental %NEW_PADDING priority string. It enables
a new padding mechanism in TLS allowing arbitrary padding in TLS records
in all ciphersuites, which makes length-hiding more efficient and solves
the issues with timing attacks on CBC ciphersuites.
** libgnutls: Corrected gnutls_cipher_decrypt2() when used with AEAD
ciphers (i.e., AES-GCM). Reported by William McGovern.
** API and ABI modifications:
gnutls_db_check_entry_time: Added
gnutls_record_set_timeout: Added
gnutls_record_get_random_padding_status: Added
gnutls_x509_crt_set_dn: Added
gnutls_x509_crt_set_issuer_dn: Added
gnutls_x509_crq_set_dn: Added
gnutls_range_split: Added
gnutls_record_send_range: Added
gnutls_record_set_max_empty_records: Added
gnutls_record_can_use_length_hiding: Added
gnutls_rnd_refresh: Added
xssl_deinit: Added
xssl_flush: Added
xssl_read: Added
xssl_getdelim: Added
xssl_write: Added
xssl_printf: Added
xssl_sinit: Added
xssl_client_init: Added
xssl_server_init: Added
xssl_get_session: Added
xssl_get_verify_status: Added
xssl_cred_init: Added
xssl_cred_deinit: Added
dane_state_set_dlv_file: Added
GNUTLS_SEC_PARAM_EXPORT: Added
GNUTLS_SEC_PARAM_VERY_WEAK: Added
* Version 3.1.6 (released 2013-01-02)
** libgnutls: Fixed record padding parsing issue. Reported by Kenny
Patterson and Nadhem Alfardan.
** libgnutls: Several updates in the ASN.1 string handling subsystem.
** libgnutls: gnutls_x509_crt_get_policy() allows for a list of zero
policy qualifiers.
** libgnutls: Ignore heartbeat messages when received out-of-order,
instead of issuing an error.
** libgnutls: Stricter RSA PKCS #1 1.5 encoding and decoding. Reported
by Kikuchi Masashi.
** libgnutls: TPM support is disabled by default because GPL programs
cannot link with it. Use --with-tpm to enable it.
** libgnutls-guile: Fixed parallel compilation issue.
** gnutls-cli: It will try to connect to all possible returned addresses
before failing.
** API and ABI modifications:
No changes since last version.
* Version 3.1.5 (released 2012-11-24)
** libgnutls: Added functions to parse the certificates policies
extension.
** libgnutls: Handle BMPString (UCS-2) encoding in the Distinguished
Name by translating it to UTF-8 (works on windows or systems with iconv).
** libgnutls: Added PKCS #11 key generation function that returns the
public key on generation.
** libgnutls: Corrected bug in priority string parsing, that mostly
affected combined levels. Patch by Tim Kosse.
** certtool: The --pubkey-info option can be combined with the
--load-privkey or --load-request to print the corresponding public keys.
** certtool: It is able to set certificate policies via a template.
** certtool: Added --hex-numbers option which prints big numbers in
an easier to parse format.
** p11tool: After key generation, outputs the public key (useful in
tokens that do not store the public key).
** danetool: It is being built even without libgnutls-dane (the
--check functionality is disabled though).
** API and ABI modifications:
gnutls_pkcs11_privkey_generate2: Added
gnutls_x509_crt_get_policy: Added
gnutls_x509_crt_set_policy: Added
gnutls_x509_policy_release: Added
gnutls_pubkey_import_x509_crq: Added
gnutls_pubkey_print: Added
GNUTLS_CRT_PRINT_FULL_NUMBERS: Added
* Version 3.1.4 (released 2012-11-10)
** libgnutls: gnutls_certificate_verify_peers2() will set flags depending on
the available revocation data validity.
** libgnutls: Added gnutls_certificate_verification_status_print(),
a function to print the verification status code in human readable text.
** libgnutls: Added priority string %VERIFY_DISABLE_CRL_CHECKS.
** libgnutls: Simplified certificate verification by adding
gnutls_certificate_verify_peers3().
** libgnutls: Added support for extension to establish keys for SRTP.
Contributed by Martin Storsjo.
** libgnutls: The X.509 verification functions check the key
usage bits and pathlen constraints and on failure output
GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE.
** libgnutls: gnutls_x509_crl_verify() includes the time checks.
** libgnutls: Added verification flag GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN
and made GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN the default.
** libgnutls: Always tolerate key usage violation errors from the side
of the peer, but also notify via an audit message.
** gnutls-cli: Added --local-dns option.
** danetool: Corrected bug that prevented loading PEM files.
** danetool: Added --check option to allow querying and verifying
a site's DANE data.
** libgnutls-dane: Added pkg-config file for the library.
** API and ABI modifications:
gnutls_session_get_id2: Added
gnutls_sign_is_secure: Added
gnutls_certificate_verify_peers3: Added
gnutls_ocsp_status_request_is_checked: Added
gnutls_certificate_verification_status_print: Added
gnutls_srtp_set_profile: Added
gnutls_srtp_set_profile_direct: Added
gnutls_srtp_get_selected_profile: Added
gnutls_srtp_get_profile_name: Added
gnutls_srtp_get_profile_id: Added
gnutls_srtp_get_keys: Added
gnutls_srtp_get_mki: Added
gnutls_srtp_set_mki: Added
gnutls_srtp_profile_t: Added
dane_cert_type_name: Added
dane_match_type_name: Added
dane_cert_usage_name: Added
dane_verification_status_print: Added
GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED: Added
GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE: Added
GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE: Added
GNUTLS_CERT_UNEXPECTED_OWNER: Added
GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN: Added
* Version 3.1.3 (released 2012-10-12)
** libgnutls: Added support for the OCSP Certificate Status
extension.
** libgnutls: gnutls_certificate_verify_peers2() will use the OCSP
certificate status extension in verification.
** libgnutls: Bug fixes in gnutls_x509_privkey_import_openssl().
** libgnutls: Increased maximum password length in the PKCS #12
functions.
** libgnutls: Fixed the receipt of session tickets during session resumption.
Reported by danblack at http://savannah.gnu.org/support/?108146
** libgnutls: Added functions to export structures in an allocated buffer.
** libgnutls: Added gnutls_ocsp_resp_check_crt() to check whether the OCSP
response corresponds to the given certificate.
** libgnutls: In client side gnutls_init() enables the session ticket and
OCSP certificate status request extensions by default. The flag
GNUTLS_NO_EXTENSIONS can be used to prevent that.
** libgnutls: Several updates in the OpenPGP code. The generating code
is fully RFC6091 compliant and RFC5081 support is only supported in client
mode.
** libgnutls-dane: Added. It is a library to provide DANE with DNSSEC
certificate verification.
** gnutls-cli: Added --dane option to enable DANE certificate verification.
** danetool: Added tool to generate DANE TLSA Resource Records (RR).
** API and ABI modifications:
gnutls_certificate_get_peers_subkey_id: Added
gnutls_certificate_set_ocsp_status_request_function: Added
gnutls_certificate_set_ocsp_status_request_file: Added
gnutls_ocsp_status_request_enable_client: Added
gnutls_ocsp_status_request_get: Added
gnutls_ocsp_resp_check_crt: Added
gnutls_dh_params_export2_pkcs3: Added
gnutls_pubkey_export2: Added
gnutls_x509_crt_export2: Added
gnutls_x509_dn_export2: Added
gnutls_x509_crl_export2: Added
gnutls_pkcs7_export2: Added
gnutls_x509_privkey_export2: Added
gnutls_x509_privkey_export2_pkcs8: Added
gnutls_x509_crq_export2: Added
gnutls_openpgp_crt_export2: Added
gnutls_openpgp_privkey_export2: Added
gnutls_pkcs11_obj_export2: Added
gnutls_pkcs12_export2: Added
gnutls_pubkey_import_openpgp_raw: Added
gnutls_pubkey_import_x509_raw: Added
dane_state_init: Added
dane_state_deinit: Added
dane_query_tlsa: Added
dane_query_status: Added
dane_query_entries: Added
dane_query_data: Added
dane_query_deinit: Added
dane_verify_session_crt: Added
dane_verify_crt: Added
dane_strerror: Added
* Version 3.1.2 (released 2012-09-26)
** libgnutls: Fixed bug in gnutls_x509_trust_list_add_system_trust()
and gnutls_x509_trust_list_add_trust_mem() that prevented the loading
of certificates in the windows platform.
** libgnutls: Corrected bug in OpenPGP subpacket encoding.
** libgnutls: Added support for DTLS/TLS heartbeats by Olga Smolenchuk.
(the work was done during Google Summer of Code).
** libgnutls: Added X.509 certificate verification flag
GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN. This flag allows the verification
of unsorted certificate chains and is enabled by default for
TLS certificate verification (if gnutls_certificate_set_verify_flags()
does not override it).
** libgnutls: Prints warning on certificates that contain keys of
an insecure level. If the %COMPAT priority flag is not specified
the TLS connection fails.
** libgnutls: Correctly restore gnutls_record_recv() in DTLS mode
if interrupted during the retrasmition of handshake data.
** libgnutls: Better mingw32 support (patch by LRN).
** libgnutls: The %COMPAT keyword, if specified, will tolerate
key usage violation errors (they are far too common to ignore).
** libgnutls: Added GNUTLS_STATELESS_COMPRESSION flag to gnutls_init(),
which provides a tool to counter compression-related attacks where
parts of the data are controlled by the attacker _and_ are placed in
separate records (use with care - do not use compression if not sure).
** libgnutls: Depends on libtasn1 2.14 or later.
** certtool: Prints the number of bits of the public key algorithm
parameter in a private key.
** API and ABI modifications:
gnutls_x509_privkey_get_pk_algorithm2: Added
gnutls_heartbeat_ping: Added
gnutls_heartbeat_pong: Added
gnutls_heartbeat_allowed: Added
gnutls_heartbeat_enable: Added
gnutls_heartbeat_set_timeouts: Added
gnutls_heartbeat_get_timeout: Added
GNUTLS_SEC_PARAM_WEAK: Added
GNUTLS_SEC_PARAM_INSECURE: Added
* Version 3.1.1 (released 2012-09-02)
** gnutls-serv: Listens on IPv6. Patch by Bernhard R. Link.
** certtool: Changes in password handling of certtool.
Ask password when required and only if the '--password' option is not
given. If the '--password' option is given during key generation then
assume the PKCS #8 file format, instead of ignoring the password.
** tpmtool: No longer asks for key password in registered keys.
** libgnutls: Elliptic curve code was optimized by Ilya Tumaykin.
wmNAF is now used for point multiplication and other optimizations.
(the major part of the work was done during Google Summer of Code).
** libgnutls: The default pull_timeout_function only uses select
instead of a combination of select() and recv() to prevent issues
when used in stream sockets in some systems.
** libgnutls: Be tolerant in ECDSA signature violations (e.g. using
SHA256 with a SECP384 curve instead of SHA-384), to interoperate with
openssl.
** libgnutls: Fixed DSA and ECDSA signature generation in smart
cards. Thanks to Andreas Schwier from cardcontact.de for providing
me with ECDSA capable smart cards.
** API and ABI modifications:
gnutls_sign_algorithm_get: Added
gnutls_sign_get_hash_algorithm: Added
gnutls_sign_get_pk_algorithm: Added
* Version 3.1.0 (released 2012-08-15)
** libgnutls: Added direct support for TPM as a cryptographic module
in gnutls/tpm.h. TPM keys can be used in functions accepting files
using URLs of the following types:
tpmkey:file=/path/to/file
tpmkey:uuid=7f468c16-cb7f-11e1-824d-b3a4f4b20343;storage=user
** libgnutls: Priority string level keywords can be combined.
For example the string "SECURE256:+SUITEB128" is now allowed.
** libgnutls: requires libnettle 2.5.
** libgnutls: Use the PKCS #1 1.5 encoding provided by nettle (2.5)
for encryption and signatures.
** libgnutls: Added GNUTLS_CERT_SIGNATURE_FAILURE to differentiate between
generic errors and signature verification errors in the verification
functions.
** libgnutls: Added gnutls_pkcs12_simple_parse() as a helper function
to simplify parsing in most PKCS #12 use cases.
** libgnutls: gnutls_certificate_set_x509_simple_pkcs12_file() adds
the whole certificate chain (if any) to the credentials structure, instead
of only the end-user certificate.
** libgnutls: Key import functions such as gnutls_pkcs12_simple_parse()
and gnutls_x509_privkey_import_pkcs8(), return consistently
GNUTLS_E_DECRYPTION_FAILED if the input structure is encrypted but no
password was provided.
** libgnutls: Added gnutls_handshake_set_timeout() a function that
allows to set the maximum time spent in a handshake.
** libgnutlsxx: Added session::set_transport_vec_push_function. Patch
by Alexandre Bique.
** tpmtool: Added. It is a tool to generate private keys in the
TPM.
** gnutls-cli: --benchmark-tls was split to --benchmark-tls-kx
and --benchmark-tls-ciphers
** certtool: generated PKCS #12 structures may hold more than one
private key. Patch by Lucas Fisher.
** certtool: Added option --null-password to generate/decrypt keys
that use a NULL password (in schemas that distinguish between NULL
an empty passwords).
** minitasn1: Upgraded to libtasn1 version 2.13.
** API and ABI modifications:
GNUTLS_CERT_SIGNATURE_FAILURE: Added
GNUTLS_CAMELLIA_192_CBC: Added
GNUTLS_PKCS_NULL_PASSWORD: Added
gnutls_url_is_supported: Added
gnutls_pkcs11_obj_list_import_url2: Added
gnutls_pkcs11_obj_set_pin_function: Added
gnutls_pkcs11_privkey_set_pin_function: Added
gnutls_pkcs11_get_pin_function: Added
gnutls_privkey_import_tpm_raw: Added
gnutls_privkey_import_tpm_url: Added
gnutls_privkey_import_pkcs11_url: Added
gnutls_privkey_import_openpgp_raw: Added
gnutls_privkey_import_x509_raw: Added
gnutls_privkey_import_ext2: Added
gnutls_privkey_import_url: Added
gnutls_privkey_set_pin_function: Added
gnutls_tpm_privkey_generate: Added
gnutls_tpm_key_list_deinit: Added
gnutls_tpm_key_list_get_url: Added
gnutls_tpm_get_registered: Added
gnutls_tpm_privkey_delete: Added
gnutls_pubkey_import_tpm_raw: Added
gnutls_pubkey_import_tpm_url: Added
gnutls_pubkey_import_url: Added
gnutls_pubkey_verify_hash2: Added
gnutls_pubkey_set_pin_function: Added
gnutls_x509_privkey_import2: Added
gnutls_x509_privkey_import_openssl: Added
gnutls_x509_crt_set_pin_function: Added
gnutls_load_file: Added
gnutls_pkcs12_simple_parse: Added
gnutls_certificate_set_x509_system_trust: Added
gnutls_certificate_set_pin_function: Added
gnutls_x509_trust_list_add_system_trust: Added
gnutls_x509_trust_list_add_trust_file: Added
gnutls_x509_trust_list_add_trust_mem: Added
gnutls_pk_to_sign: Added
gnutls_handshake_set_timeout: Added
gnutls_pubkey_verify_hash: Deprecated (use gnutls_pubkey_verify_hash2)
gnutls_pubkey_verify_data: Deprecated (use gnutls_pubkey_verify_data2)
* Noteworthy changes in release 3.1 (released 2012-11-24) [stable]
- Completed rename of types:
ASN1_ARRAY_TYPE -> asn1_static_node (was asn1_static_node_t)
- Added new types: VisibleString, NumericString, IA5String, TeletexString,
PrintableString, UniversalString, BMPString, UTF8String. When re-defined
a warning is being print instead of failing.
- Parser outputs more detailed syntax error messages.
- Added asn1_decode_simple_der() and asn1_encode_simple_der().
- Added asn1_read_value_type() to return value and type.
- Introduced ASN1_ETYPE_UTC_TIME and ASN1_ETYPE_GENERALIZED_TIME
* Noteworthy changes in release 3.0 (2012-10-28) [stable]
- Added tool in tests/ to benchmark X.509 structure decoding.
- Added asn1_read_node_value() to obtain a node's value.
- Optimizations in internal tree allocation.
- Optimizations in tree search.
- libtasn1.h no longer exports internal structures.
- Types were renamed for consistency:
ASN1_DATA_NODE -> asn1_data_node_st
ASN1_ARRAY_TYPE -> asn1_static_node
ASN1_TYPE -> asn1_node
ASN1_TYPE_EMPTY -> NULL
static_struct_asn -> asn1_static_node_st
node_asn_struct -> asn1_node_st
node_asn -> asn1_node_st
(the old types are still available as definitions)
1.110720 into security/p5-Dancer-Plugin-Auth-RBAC.
Dancer::Plugin::Auth::RBAC is an authentication framework and role-based
access control system. As a role-based access control system
Dancer::Plugin::Auth::RBAC can be complex but will give you the most
flexibilty over all other access control philosophies.
The Dancer::Plugin::Auth::RBAC plugin provides your application with the
ability to easily authenticate and restrict access to specific users and
groups by providing a tried and tested RBAC (role-based access control)
system. Dancer::Plugin::Auth::RBAC provides this level of sophistication
with minimal configuration.
security/p5-Crypt-URandom.
This Module is intended to provide an interface to the strongest available
source of non-blocking randomness on the current platform. Platforms
currently supported are anything supporting /dev/urandom and versions of
Windows greater than or equal to Windows 2000.
The GuardTime Client SDK for C is intended for software developers who
want to integrate GuardTime Keyless Signature Service (KSS) into their
C and C++ based applications.
See http://www.guardtime.com/ for more information.
Noteworthy changes in version 0.8.3 (2013-04-26)
------------------------------------------------
* Build fixes for newer mingw32 toolchains.
* Add SETTIMEOUT command for the gtk+-2 pinentry.
Noteworthy changes in version 1.12 (2013-06-24)
-----------------------------------------------
* Add support for 64 bit Windows (use ./autogen.sh --build-w64).
* Fixed parsing and installing of the Windows .def file.
* Interface changes relative to the 1.11 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GPG_ERR_NO_CRYPT_CTX NEW.
GPG_ERR_WRONG_CRYPT_CTX NEW.
GPG_ERR_BAD_CRYPT_CTX NEW.
GPG_ERR_CRYPT_CTX_CONFLICT NEW.
GPG_ERR_BROKEN_PUBKEY NEW.
GPG_ERR_BROKEN_SECKEY NEW.
Changes:
0.07 2012.06.06
- Made Math::BigInt::* dependency dynamic to avoid Math::BigInt falling
back to BigInt backends that are too slow for practical use.
=== 2.6.7 / 11 Apr 2013
* Decreased default packet size to 32768 as described in RFC 4253 [Olipro]
* Added max_pkt_size and max_win_size options to Net::SSH.start [Olipro]
* Added import/export of ycfg-json format.
Invoke with -fjson to -s or -i
Add exported functions ykp_export_config() and ykp_import_config()
* Fixup output of flags when using ykp_write_config()
* Add binary builds for mac.
* Minor cleanups noticed during debian packaging.
Version 1.12.0 (released 2013-03-14)
* Recognize firmwares 2.4 and 3.1.
* Add support for setting the new extflag LED_INV
When set the behaviour of the led on the YubiKey is inversed.
(Moved HOMEPAGE and MASTER_SITES to the new GitHub project URLs)
* Add ykclient_global_init and ykclient_global_done.
* Add ykclient_version.h header file with versioning information.
New symbols are YKCLIENT_VERSION_STRING, YKCLIENT_VERSION_NUMBER,
YKCLIENT_VERSION_MAJOR, YKCLIENT_VERSION_MINOR,
YKCLIENT_VERSION_PATCH. New function ykclient_check_version.
* Modified API to use 'ykclient_rc' enum as return type instead of 'int'.
* Enum also moved to separate new header file ykclient_errors.h.
This should be backwards compatible. It makes the return type
clearer.
* Improve curl multi usage.
* ykclient: Cleanup command line tool a bit to make it more useful.
Added --help, --version and --debug. Defaults to silent output. Exit
codes are documented and more useful. Added manpage.
(Moved HOMEPAGE and MASTER_SITES to the new GitHub project pages)
Fix a UDP ping-pong vulnerability in the kpasswd (password changing) service. [CVE-2002-2443]
Improve interoperability with some Windows native PKINIT clients.
- New Features
- dnssec-nodes - Many new features, including validation tree
graphing, on-the-wire traffic display, pcap dump
file display, increased data logging and
display, improved simultaneous updating, etc.
- Libval: - Added initial support for the TLSA rrtype
- Added support for ECDSA
- Implemented checking for AI_ADDRCONFIG in getaddrinfo
- Memory optimizations to improve speed-up
- dnssec-check - increased stability across all platforms.
- All Around: - Many bug fixes and other minor improvements
1.13
- New Features
- rollerd: - Added support for the signzone command. Allow
zones to be signed while in the midst of a
rollover wait.
- Added autosigning of modified zone files. Zone
files are considered modified when their "last
modification" timestamp is more recent than that
of the associated signed zone file. This
functionality includes adding the -autosign option
and config field.
- Added additional commands (via rollctl) to allow
greater control over zone rollover actions.
- Added -zsargs option to allow global options to
be passed to zonesigner.
- realms: - Added the realms feature to manage multiple
simultaneous rollover environments. Several
commands and modules (e.g., dtrealms, realms.pm,
buildrealms) were added for the realms feature.
- zonesigner: - Added the -threshold option to specify a signing
threshold.
- Better handling of serial numbers in zone files.
- keymod: - New tool that can be used to modify key
generation parameters in a keyrec file.
- dnssec-check - significant rewrite since the 1.12 release, though
individual updates have been available already.
- Asynchronous support for non-interrupting GUI support
- Letter grades assigned to each resolver
- Various user-interface improvements
- libval: - Bug fixes
- Renamed all validator command-line apps to have
a dt- prefix in order to avoid conflicts with
pre-existing executables in certain platforms.
- dnsval python module
- Add python wrapper module for the validator
library. Code contributed by Bob Novas.
- trustman: - Added an option for use by monitoring systems.
- nagios - Added the dt_donuts plugin for running trustman on
remote machines.
- Added the dt_trustman plugin for monitoring trust
anchors.
- firefox - updated nspr and firefox patches to work with
mozilla-central and nspr-4.9
- webmin: - Added the ability to perform DNSSEC
operations on DNSSEC-Tools managed signed
zones using the Webmin front-end.
- ssh: - Update the patch for enabling local DNSSEC
validation to work with OpenSSH 6.0p1.
Support for KX, DLV, DHCID, NAPTR records.
Support for X25, ISDN, RT, PX records.
Support for MB, MG, MR, MINFO, AFSDB records.
NSEC chain validation fix.
Do not allow LP point to itself.
Miscellaneous performance improvements.
Miscellaneous portability fixes.
Miscellaneous bug fixes.
* OPENDNSSEC-367: ods-ksmutil: Require user confirmation if the algorithm for
a key is changed in a policy (as this rollover is not handled cleanly)
* OPENDNSSEC-91: Make the keytype flag required when rolling keys
* OPENDNSSEC-403: Signer Engine: new command 'ods-signer locks' that shows
locking information (for debugging purposes).
Bugfixes:
* OPENDNSSEC-247: Signer Engine: TTL on NSEC3 was not updated on SOA
Minimum change.
* OPENDNSSEC-396: Use TTLs from kasp when generating DNSKEY and DS records for
output.
* OPENDNSSEC-398: The ods-ksmutil key rollover command does not work correctly
when rolling all keys using the --policy option
* SUPPORT-40: Signer Engine: Keep occluded data in signed zone files/transfers.
2013-Jun-09 - v2.0 - Removed the unused Clone module after a report
that Clone is no longer in core Perl as of v5.18.0. Added the stats
and pwck commands. Added clipboard commands (xw/xu/xp/xx). Fixed
some long-standing tab completion bugs. Warn if multiple groups or
entries are titled the same within a group, except for /Backup
entries.
2013-Jun-10 - v2.1 - Fixed several more tab completion bugs, and
they were serious enough to warrant a quick release.
It's Dangerous
... so better sign this
Various helpers to pass data to untrusted environments and to get it back
safe and sound.
This repository provides a module that is a port of the django signing
module. It's not directly copied but some changes were applied to
make it work better on its own.
* Update buildlink3.mk.
Changelog:
5.6.0 - added AuthenticatedSymmetricCipher interface class and Filter wrappers
- added CCM, GCM (with SSE2 assembly), EAX, CMAC, XSalsa20, and SEED
- added support for variable length IVs
- added OIDs for Brainpool elliptic curve parameters
- improved AES and SHA-256 speed on x86 and x64
- changed BlockTransformation interface to no longer assume data alignment
- fixed incorrect VMAC computation on message lengths
that are >64 mod 128 (x86 assembly version is not affected)
- fixed compiler error in vmac.cpp on x86 with GCC -fPIC
- fixed run-time validation error on x86-64 with GCC 4.3.2 -O2
- fixed HashFilter bug when putMessage=true
- fixed AES-CTR data alignment bug that causes incorrect encryption on ARM
- removed WORD64_AVAILABLE; compiler support for 64-bit int is now required
- ported to GCC 4.3, C++Builder 2009, Sun CC 5.10, Intel C++ Compiler 11
5.6.1 - added support for AES-NI and CLMUL instruction sets in AES and GMAC/GCM
- removed WAKE-CFB
- fixed several bugs in the SHA-256 x86/x64 assembly code:
* incorrect hash on non-SSE2 x86 machines on non-aligned input
* incorrect hash on x86 machines when input crosses 0x80000000
* incorrect hash on x64 when compiled with GCC with optimizations enabled
- fixed bugs in AES x86 and x64 assembly causing crashes in some MSVC build configurations
- switched to a public domain implementation of MARS
- ported to MSVC 2010, GCC 4.5.1, Sun Studio 12u1, C++Builder 2010, Intel C++ Compiler 11.1
- renamed the MSVC DLL project to "cryptopp" for compatibility with MSVC 2010
5.6.2 - changed license to Boost Software License 1.0
- added SHA-3 (Keccak)
- updated DSA to FIPS 186-3 (see DSA2 class)
- fixed Blowfish minimum keylength to be 4 bytes (32 bits)
- fixed Salsa validation failure when compiling with GCC 4.6
- fixed infinite recursion when on x64, assembly disabled, and no AESNI
- ported to MSVC 2012, GCC 4.7, Clang 3.2, Solaris Studio 12.3, Intel C++ Compiler 13.0
* Update HOMEPAGE and MASTER_SITES.
* Convert custom do-install taget to patch to Makefile.in.
Changelog:
version 0.97
* Case insensitivity when responding to S/KEY challenges. RFC1760 does
not mention case sensitivity, but I've received a report of a server
implementation that is case sensitive. OTP behavior is unchanged.
The ssdeep project page describes it as a library for "...computing context
triggered piecewise hashes (CTPH). Also called fuzzy hashes, CTPH can match
inputs that have homologies. Such inputs have sequences of identical bytes in
the same order, although bytes in between these sequences may be different in
both content and length".
ssdeep is a program for computing context triggered piecewise hashes (CTPH).
Also called fuzzy hashes, CTPH can match inputs that have homologies. Such
inputs have sequences of identical bytes in the same order, although bytes in
between these sequences may be different in both content and length.
to address issues with NetBSD-6(and earlier)'s fontconfig not being
new enough for pango.
While doing that, also bump freetype2 dependency to current pkgsrc
version.
Suggested by tron in PR 47882
Paperkey extracts secret bytes from GnuPG key and prints them. To
reconstruct, you re-enter those bytes (whether by hand or via OCR)
and paperkey can use them to transform your existing public key
into a secret key.
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
Noteworthy changes in version 2.0.20 (2013-05-10)
-------------------------------------------------
* Decryption using smartcards keys > 3072 bit does now work.
* New meta option ignore-invalid-option to allow using the same
option file by other GnuPG versions.
* gpg: The hash algorithm is now printed for sig records in key listings.
* gpg: Skip invalid keyblock packets during import to avoid a DoS.
* gpg: Correctly handle ports from DNS SRV records.
* keyserver: Improve use of SRV records
* gpg-agent: Avoid tty corruption when killing pinentry.
* scdaemon: Improve detection of card insertion and removal.
* scdaemon: Rename option --disable-keypad to --disable-pinpad.
* scdaemon: Better support for CCID readers. Now, the internal CCID
driver supports readers without the auto configuration feature.
* scdaemon: Add pinpad input for PC/SC, if your reader has pinpad and
it supports variable length PIN input, and you specify
--enable-pinpad-varlen option.
* scdaemon: New option --enable-pinpad-varlen.
* scdaemon: Install into libexecdir to avoid accidental execution
from the command line.
* Support building using w64-mingw32.
* Assorted bug fixes.
This is a bugfix release.
Bug fixes:
* Fixed a bug in the new ECC code. The ecc_j_to_a function
called GMP:s mpn_mul_n (via ecc_modp_mul) with overlapping
input and output arguments, which is not supported.
* The assembly files for SHA1, SHA256 and AES depend on ARMv6
instructions, breaking nettle-2.7 for pre-v6 ARM processors.
The configure script now enables those assembly files only
when building for ARMv6 or later.
* Use a more portable C expression for rotations. The
previous version used the following "standard" expression
for 32-bit rotation:
(x << n) | (x >> (32 - n))
But this gives undefined behavior (according to the C
specification) for n = 0. The rotate expression is replaced
by the more portable:
(x << n) | (x >> ((-n)&31))
This change affects only CAST128, which uses non-constant
rotation counts. Unfortunately, the new expression is poorly
optimized by released versions of gcc, making CAST128 a bit
slower. This is being fixed by the gcc hackers, see
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=57157.
The following problems have been reported, but are *not* fixed
in this release:
* ARM assembly files use instruction syntax which is not
supported by all assemblers. Workaround: Use a current
version of GNU as, or configure with --disable-assembler.
* Configuring with --disable-static doesn't work on windows.
The libraries are intended to be binary compatible with
nettle-2.2 and later. The shared library names are
libnettle.so.4.7 and libhogweed.so.2.5, with sonames still
libnettle.so.4 and libhogweed.so.2.
Sshpass is a tool for non-interactively performing password authentication with
SSH's so called "interactive keyboard password authentication". Most users
should use SSH's more secure public key authentication instead.
into the Packages Collection.
HElib is a software library that implements homomorphic encryption
(HE). Currently available is an implementation of the
Brakerski-Gentry-Vaikuntanathan (BGV) scheme, along with many
optimizations to make homomorphic evaluation run faster, focusing
mostly on effective use of the Smart-Vercauteren ciphertext packing
techniques and the Gentry-Halevi-Smart optimizations.
Revision 0.1.7
--------------
- License updated to vanilla BSD 2-Clause to ease package use
(http://opensource.org/licenses/BSD-2-Clause).
- Test suite made discoverable by unittest/unittest2 discovery feature.
- Fix to decoder working on indefinite length substrate -- end-of-octets
marker is now detected by both tag and value. Otherwise zero values may
interfere with end-of-octets marker.
- Fix to decoder to fail in cases where tagFormat indicates inappropriate
format for the type (e.g. BOOLEAN is always PRIMITIVE, SET is always
CONSTRUCTED and OCTET STRING is either of the two)
- Fix to REAL type encoder to force primitive encoding form encoding.
- Fix to CHOICE decoder to handle explicitly tagged, indefinite length
mode encoding
- Fix to REAL type decoder to handle negative REAL values correctly. Test
case added.
Revision 0.1.6
--------------
- The compact (valueless) way of encoding zero INTEGERs introduced in
0.1.5 seems to fail miserably as the world is filled with broken
BER decoders. So we had to back off the *encoder* for a while.
There's still the IntegerEncoder.supportCompactZero flag which
enables compact encoding form whenever it evaluates to True.
- Report package version on debugging code initialization.
Revision 0.1.5
--------------
- Documentation updated and split into chapters to better match
web-site contents.
- Make prettyPrint() working for non-initialized pyasn1 data objects. It
used to throw an exception.
- Fix to encoder to produce empty-payload INTEGER values for zeros
- Fix to decoder to support empty-payload INTEGER and REAL values
- Fix to unit test suites imports to be able to run each from
their current directory
Revision 0.1.4
--------------
- Built-in codec debugging facility added
- Added some more checks to ObjectIdentifier BER encoder catching
posible 2^8 overflow condition by two leading sub-OIDs
- Implementations overriding the AbstractDecoder.valueDecoder method
changed to return the rest of substrate behind the item being processed
rather than the unprocessed substrate within the item (which is usually
empty).
- Decoder's recursiveFlag feature generalized as a user callback function
which is passed an uninitialized object recovered from substrate and
its uninterpreted payload.
- Catch inappropriate substrate type passed to decoder.
- Expose tagMap/typeMap/Decoder objects at DER decoder to uniform API.
- Obsolete __init__.MajorVersionId replaced with __init__.__version__
which is now in-sync with distutils.
- Package classifiers updated.
- The __init__.py's made non-empty (rumors are that they may be optimized
out by package managers).
- Bail out gracefully whenever Python version is older than 2.4.
- Fix to Real codec exponent encoding (should be in 2's complement form),
some more test cases added.
- Fix in Boolean truth testing built-in methods
- Fix to substrate underrun error handling at ObjectIdentifier BER decoder
- Fix to BER Boolean decoder that allows other pre-computed
values besides 0 and 1
- Fix to leading 0x80 octet handling in DER/CER/DER ObjectIdentifier decoder.
See http://www.cosic.esat.kuleuven.be/publications/article-1432.pdf
Revision 0.1.3
--------------
- Include class name into asn1 value constraint violation exception.
- Fix to OctetString.prettyOut() method that looses leading zero when
building hex string.
Revision 0.1.2
--------------
- Fix to __long__() to actually return longs on py2k
- Fix to OctetString.__str__() workings of a non-initialized object.
- Fix to quote initializer of OctetString.__repr__()
- Minor fix towards ObjectIdentifier.prettyIn() reliability
- ObjectIdentifier.__str__() is aliased to prettyPrint()
- Exlicit repr() calls replaced with '%r'
Revision 0.1.1
--------------
- Hex/bin string initializer to OctetString object reworked
(in a backward-incompatible manner)
- Fixed float() infinity compatibility issue (affects 2.5 and earlier)
- Fixed a bug/typo at Boolean CER encoder.
- Major overhawl for Python 2.4 -- 3.2 compatibility:
+ get rid of old-style types
+ drop string module usage
+ switch to rich comparation
+ drop explicit long integer type use
+ map()/filter() replaced with list comprehension
+ apply() replaced with */**args
+ switched to use 'key' sort() callback function
+ support both __nonzero__() and __bool__() methods
+ modified not to use py3k-incompatible exception syntax
+ getslice() operator fully replaced with getitem()
+ dictionary operations made 2K/3K compatible
+ base type for encoding substrate and OctetString-based types
is now 'bytes' when running py3k and 'str' otherwise
+ OctetString and derivatives now unicode compliant.
+ OctetString now supports two python-neutral getters: asOcts() & asInts()
+ print OctetString content in hex whenever it is not printable otherwise
+ in test suite, implicit relative import replaced with the absolute one
+ in test suite, string constants replaced with numerics
Revision 0.0.13
---------------
- Fix to base10 normalization function that loops on univ.Real(0)
Revision 0.0.13b
----------------
- ASN.1 Real type is now supported properly.
- Objects of Constructed types now support __setitem__()
- Set/Sequence objects can now be addressed by their field names (string index)
and position (integer index).
- Typo fix to ber.SetDecoder code that prevented guided decoding operation.
- Fix to explicitly tagged items decoding support.
- Fix to OctetString.prettyPrint() to better handle non-printable content.
- Fix to repr() workings of Choice objects.
Revision 0.0.13a
----------------
- Major codec re-design.
- Documentation significantly improved.
- ASN.1 Any type is now supported.
- All example ASN.1 modules moved to separate pyasn1-modules package.
- Fix to initial sub-OID overflow condition detection an encoder.
- BitString initialization value verification improved.
- The Set/Sequence.getNameByPosition() method implemented.
- Fix to proper behaviour of PermittedAlphabetConstraint object.
- Fix to improper Boolean substrate handling at CER/DER decoders.
- Changes towards performance improvement:
+ all dict.has_key() & dict.get() invocations replaced with modern syntax
(this breaks compatibility with Python 2.1 and older).
+ tag and tagset caches introduced to decoder
+ decoder code improved to prevent unnecessary pyasn1 objects creation
+ allow disabling components verification when setting components to
structured types, this is used by decoder whilst running in guided mode.
+ BER decoder for integer values now looks up a small set of pre-computed
substrate values to save on decoding.
+ a few pre-computed values configured to ObjectIdentifier BER encoder.
+ ChoiceDecoder split-off SequenceOf one to save on unnecessary checks.
+ replace slow hasattr()/getattr() calls with isinstance() introspection.
+ track the number of initialized components of Constructed types to save
on default/optional components initialization.
+ added a shortcut ObjectIdentifier.asTuple() to be used instead of
__getitem__() in hotspots.
+ use Tag.asTuple() and pure integers at tag encoder.
+ introduce and use in decoder the baseTagSet attribute of the built-in
ASN.1 types.
Revision 0.0.12a
----------------
- The individual tag/length/value processing methods of
encoder.AbstractItemEncoder renamed (leading underscore stripped)
to promote overloading in cases where partial substrate processing
is required.
- The ocsp.py, ldap.py example scripts added.
- Fix to univ.ObjectIdentifier input value handler to disallow negative
sub-IDs.
"ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless
they pass some basic validation, and don't respond to our own error
packets.
Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
attack or UDP ping-pong attacks in general, but there is discussion
leading toward narrowing the definition of CVE-1999-0103 to the echo,
chargen, or other similar built-in inetd services.
cf1a0c411bvs
This is a bugfix release. The krb5-1.10 release series is in maintenance, and for new deployments, installers should prefer the krb5-1.11 release series or later.
* Fix KDC null pointer dereference in TGS-REQ handling [CVE-2013-1416]
* Incremental propagation could erroneously act as if a slave's database were current after the slave received a full dump that failed to load.
=========================
This release introduces a number of new features:
Features:
* ssh(1)/sshd(8): Added support for AES-GCM authenticated encryption in
SSH protocol 2. The new cipher is available as aes128-gcm@openssh.com
and aes256-gcm@openssh.com. It uses an identical packet format to the
AES-GCM mode specified in RFC 5647, but uses simpler and different
selection rules during key exchange.
* ssh(1)/sshd(8): Added support for encrypt-then-mac (EtM) MAC modes
for SSH protocol 2. These modes alter the packet format and compute
the MAC over the packet length and encrypted packet rather than over
the plaintext data. These modes are considered more secure and are
used by default when available.
* ssh(1)/sshd(8): Added support for the UMAC-128 MAC as
"umac-128@openssh.com" and "umac-128-etm@openssh.com". The latter
being an encrypt-then-mac mode.
* sshd(8): Added support for multiple required authentication in SSH
protocol 2 via an AuthenticationMethods option. This option lists
one or more comma-separated lists of authentication method names.
Successful completion of all the methods in any list is required for
authentication to complete. This allows, for example, requiring a
user having to authenticate via public key or GSSAPI before they
are offered password authentication.
* sshd(8)/ssh-keygen(1): Added support for Key Revocation Lists
(KRLs), a compact binary format to represent lists of revoked keys
and certificates that take as little as one bit per certificate when
revoking by serial number. KRLs may be generated using ssh-keygen(1)
and are loaded into sshd(8) via the existing RevokedKeys sshd_config
option.
* ssh(1): IdentitiesOnly now applies to keys obtained from a
PKCS11Provider. This allows control of which keys are offered from
tokens using IdentityFile.
* sshd(8): sshd_config(5)'s AllowTcpForwarding now accepts "local"
and "remote" in addition to its previous "yes"/"no" keywords to allow
the server to specify whether just local or remote TCP forwarding is
enabled.
* sshd(8): Added a sshd_config(5) option AuthorizedKeysCommand to
support fetching authorized_keys from a command in addition to (or
instead of) from the filesystem. The command is run under an account
specified by an AuthorizedKeysCommandUser sshd_config(5) option.
* sftp-server(8): Now supports a -d option to allow the starting
directory to be something other than the user's home directory.
* ssh-keygen(1): Now allows fingerprinting of keys hosted in PKCS#11
tokens using "ssh-keygen -lD pkcs11_provider".
* ssh(1): When SSH protocol 2 only is selected (the default), ssh(1)
now immediately sends its SSH protocol banner to the server without
waiting to receive the server's banner, saving time when connecting.
* ssh(1): Added ~v and ~V escape sequences to raise and lower the
logging level respectively.
* ssh(1): Made the escape command help (~?) context sensitive so that
only commands that will work in the current session are shown.
* ssh-keygen(1): When deleting host lines from known_hosts using
"ssh-keygen -R host", ssh-keygen(1) now prints details of which lines
were removed.
Bugfixes:
* ssh(1): Force a clean shutdown of ControlMaster client sessions when
the ~. escape sequence is used. This means that ~. should now work in
mux clients even if the server is no longer responding.
* ssh(1): Correctly detect errors during local TCP forward setup in
multiplexed clients. bz#2055
* ssh-add(1): Made deleting explicit keys "ssh-add -d" symmetric with
adding keys with respect to certificates. It now tries to delete the
corresponding certificate and respects the -k option to allow deleting
of the key only.
* sftp(1): Fix a number of parsing and command-editing bugs, including
bz#1956
* ssh(1): When muxmaster is run with -N, ensured that it shuts down
gracefully when a client sends it "-O stop" rather than hanging around.
bz#1985
* ssh-keygen(1): When screening moduli candidates, append to the file
rather than overwriting to allow resumption. bz#1957
* ssh(1): Record "Received disconnect" messages at ERROR rather than
INFO priority. bz#2057.
* ssh(1): Loudly warn if explicitly-provided private key is unreadable.
bz#1981
Portable OpenSSH:
* sshd(8): The Linux seccomp-filter sandbox is now supported on ARM
platforms where the kernel supports it.
* sshd(8): The seccomp-filter sandbox will not be enabled if the system
headers support it at compile time, regardless of whether it can be
enabled then. If the run-time system does not support seccomp-filter,
sshd will fall back to the rlimit pseudo-sandbox.
* ssh(1): Don't link in the Kerberos libraries. They aren't necessary
on the client, just on sshd(8). bz#2072
* Fix GSSAPI linking on Solaris, which uses a differently-named GSSAPI
library. bz#2073
* Fix compilation on systems with openssl-1.0.0-fips.
* Fix a number of errors in the RPM spec files.
Changes since OpenSSH 6.0
=========================
This is primarily a bugfix release.
Features:
* sshd(8): This release turns on pre-auth sandboxing sshd by default for
new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
* ssh-keygen(1): Add options to specify starting line number and number of
lines to process when screening moduli candidates, allowing processing
of different parts of a candidate moduli file in parallel
* sshd(8): The Match directive now supports matching on the local (listen)
address and port upon which the incoming connection was received via
LocalAddress and LocalPort clauses.
* sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv
and {Allow,Deny}{Users,Groups}
* Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978
* ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8
* sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as
an argument to refuse all port-forwarding requests.
* sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile
* ssh-keyscan(1): Look for ECDSA keys by default. bz#1971
* sshd(8): Add "VersionAddendum" to sshd_config to allow server operators
to append some arbitrary text to the server SSH protocol banner.
Bugfixes:
* ssh(1)/sshd(8): Don't spin in accept() in situations of file
descriptor exhaustion. Instead back off for a while.
* ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as
they were removed from the specification. bz#2023,
* sshd(8): Handle long comments in config files better. bz#2025
* ssh(1): Delay setting tty_flag so RequestTTY options are correctly
picked up. bz#1995
* sshd(8): Fix handling of /etc/nologin incorrectly being applied to root
on platforms that use login_cap.
Portable OpenSSH:
* sshd(8): Allow sshd pre-auth sandboxing to fall-back to the rlimit
sandbox from the Linux SECCOMP filter sandbox when the latter is
not available in the kernel.
* ssh(1): Fix NULL dereference when built with LDNS and using DNSSEC to
retrieve a CNAME SSHFP record.
* Fix cross-compilation problems related to pkg-config. bz#1996
Changes since OpenSSH 5.9
=========================
This is primarily a bugfix release.
Features:
* ssh-keygen(1): Add optional checkpoints for moduli screening
* ssh-add(1): new -k option to load plain keys (skipping certificates)
* sshd(8): Add wildcard support to PermitOpen, allowing things like
"PermitOpen localhost:*". bz #1857
* ssh(1): support for cancelling local and remote port forwards via the
multiplex socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host"
to request the cancellation of the specified forwardings
* support cancellation of local/dynamic forwardings from ~C commandline
Bugfixes:
* ssh(1): ensure that $DISPLAY contains only valid characters before
using it to extract xauth data so that it can't be used to play local
shell metacharacter games.
* ssh(1): unbreak remote portforwarding with dynamic allocated listen ports
* scp(1): uppress adding '--' to remote commandlines when the first
argument does not start with '-'. saves breakage on some
difficult-to-upgrade embedded/router platforms
* ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class,
but there is an "AF21" class
* ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during
rekeying
* ssh(1): skip attempting to create ~/.ssh when -F is passed
* sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943
* sshd(1): send tty break to pty master instead of (probably already
closed) slave side; bz#1859
* sftp(1): silence error spam for "ls */foo" in directory with files;
bz#1683
* Fixed a number of memory and file descriptor leaks
Portable OpenSSH:
* Add a new privilege separation sandbox implementation for Linux's
new seccomp sandbox, automatically enabled on platforms that support
it. (Note: privilege separation sandboxing is still experimental)
* Fix compilation problems on FreeBSD, where libutil contained openpty()
but not login().
* ssh-keygen(1): don't fail in -A on platforms that don't support ECC
* Add optional support for LDNS, a BSD licensed DNS resolver library
which supports DNSSEC
* Relax OpenSSL version check to allow running OpenSSH binaries on
systems with OpenSSL libraries with a newer "fix" or "patch" level
than the binaries were originally compiled on (previous check only
allowed movement within "patch" releases). bz#1991
* Fix builds using contributed Redhat spec file. bz#1992
Changes since OpenSSH 5.8
=========================
Features:
* Introduce sandboxing of the pre-auth privsep child using an optional
sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
mandatory restrictions on the syscalls the privsep child can perform.
This intention is to prevent a compromised privsep child from being
used to attack other hosts (by opening sockets and proxying) or
probing local kernel attack surface.
Three concrete sandbox implementation are provided (selected at
configure time): systrace, seatbelt and rlimit.
The systrace sandbox uses systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option
(only OpenBSD has this mode at present).
The seatbelt sandbox uses OS X/Darwin sandbox(7) facilities with a
strict (kSBXProfilePureComputation) policy that disables access to
filesystem and network resources.
The rlimit sandbox is a fallback choice for platforms that don't
support a better one; it uses setrlimit() to reset the hard-limit
of file descriptors and processes to zero, which should prevent
the privsep child from forking or opening new network connections.
Sandboxing of the privilege separated child process is currently
experimental but should become the default in a future release.
Native sandboxes for other platforms are welcome (e.g. Capsicum,
Linux pid/net namespaces, etc.)
* Add new SHA256-based HMAC transport integrity modes from
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
These modes are hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512,
and hmac-sha2-512-96, and are available by default in ssh(1) and
sshd(8)
* The pre-authentication sshd(8) privilege separation slave process
now logs via a socket shared with the master process, avoiding the
need to maintain /dev/log inside the chroot.
* ssh(1) now warns when a server refuses X11 forwarding
* sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths,
separated by whitespace. The undocumented AuthorizedKeysFile2
option is deprecated (though the default for AuthorizedKeysFile
includes .ssh/authorized_keys2)
* sshd_config(5): similarly deprecate UserKnownHostsFile2 and
GlobalKnownHostsFile2 by making UserKnownHostsFile and
GlobalKnownHostsFile accept multiple options and default to
include known_hosts2
* Retain key comments when loading v.2 keys. These will be visible
in "ssh-add -l" and other places. bz#439
* ssh(1) and sshd(8): set IPv6 traffic class from IPQoS (as well as
IPv4 ToS/DSCP). bz#1855
* ssh_config(5)'s ControlPath option now expands %L to the host
portion of the destination host name.
* ssh_config(5) "Host" options now support negated Host matching, e.g.
Host *.example.org !c.example.org
User mekmitasdigoat
Will match "a.example.org", "b.example.org", but not "c.example.org"
* ssh_config(5): a new RequestTTY option provides control over when a
TTY is requested for a connection, similar to the existing -t/-tt/-T
ssh(1) commandline options.
* sshd(8): allow GSSAPI authentication to detect when a server-side
failure causes authentication failure and don't count such failures
against MaxAuthTries; bz#1244
* ssh-keygen(1): Add -A option. For each of the key types (rsa1, rsa,
dsa and ecdsa) for which host keys do not exist, generate the host
keys with the default key file path, an empty passphrase, default
bits for the key type, and default comment. This is useful for
system initialisation scripts.
* ssh(1): Allow graceful shutdown of multiplexing: request that a mux
server removes its listener socket and refuse future multiplexing
requests but don't kill existing connections. This may be requested
using "ssh -O stop ..."
* ssh-add(1) now accepts keys piped from standard input. E.g.
"ssh-add - < /path/to/key"
* ssh-keysign(8) now signs hostbased authentication
challenges correctly using ECDSA keys; bz#1858
* sftp(1): document that sftp accepts square brackets to delimit
addresses (useful for IPv6); bz#1847a
* ssh(1): when using session multiplexing, the master process will
change its process title to reflect the control path in use and
when a ControlPersist-ed master is waiting to close; bz#1883 and
bz#1911
* Other minor bugs fixed: 1849 1861 1862 1869 1875 1878 1879 1892
1900 1905 1913
Portable OpenSSH Bugfixes:
* Fix a compilation error in the SELinux support code. bz#1851
* This release removes support for ssh-rand-helper. OpenSSH now
obtains its random numbers directly from OpenSSL or from
a PRNGd/EGD instance specified at configure time.
* sshd(8) now resets the SELinux process execution context before
executing passwd for password changes; bz#1891
* Since gcc >= 4.x ignores all -Wno-options options, test only the
corresponding -W-option when trying to determine whether it is
accepted; bz#1901
* Add ECDSA key generation to the Cygwin ssh-{host,user}-config
scripts.
* Updated .spec and init files for Linux; bz#1920
* Improved SELinux error messages in context change failures and
suppress error messages when attempting to change from the
"unconfined_t" type; bz#1924 bz#1919
* Fix build errors on platforms without dlopen(); bz#1929
Provided in pkg PR/47767 by csosstudy
Changes from previous version:
* Version 0.4.1
- sodium_version_*() functions were not exported in version 0.4. They
are now visible as intended.
- sodium_init() now calls randombytes_stir().
- optimized assembly version of salsa20 is now used on amd64.
- further cleanups and enhanced compatibility with non-C99 compilers.
* Version 0.4
- Most constants and operations are now available as actual functions
instead of macros, making it easier to use from other languages.
- New operation: crypto_generichash, featuring a variable key size, a
variable output size, and a streaming API. Currently implemented using
Blake2b.
- The package can be compiled in a separate directory.
- aes128ctr functions are exported.
- Optimized versions of curve25519 (curve25519_donna_c64), poly1305
(poly1305_53) and ed25519 (ed25519_ref10) are available. Optionally calling
sodium_init() once before using the library makes it pick the fastest
implementation.
- New convenience function: sodium_memzero() in order to securely
wipe a memory area.
- A whole bunch of cleanups and portability enhancements.
- On Windows, a .REF file is generated along with the shared library,
for use with Visual Studio. The installation path for these has become
$prefix/bin as expected by MingW.
pkgsrc change:
* install the NEWS file under share/ hierarchy
This release includes an implementation of elliptic curve
cryptography (ECC) and optimizations for the ARM architecture.
This work was done at the offices of South Pole AB, and
generously funded by the .SE Internet Fund.
Bug fixes:
* Fixed a bug in the buffer handling for incremental SHA3
hashing, with a possible buffer overflow. Patch by Edgar
E. Iglesias.
New features:
* Support for ECDSA signatures. Elliptic curve operations over
the following curves: secp192r1, secp224r1, secp256r1,
secp384r1 and secp521r1, including x86_64 and ARM assembly
for the most important primitives.
* Support for UMAC, including x86_64 and ARM assembly.
* Support for 12-round salsa20, "salsa20r12", as specified by
eSTREAM. Contributed by Nikos Mavrogiannopoulos.
Optimizations:
* ARM assembly code for several additional algorithms,
including AES, Salsa20, and the SHA family of hash
functions.
* x86_64 assembly for SHA256, SHA512, and SHA3. (SHA3 assembly
was included in the 2.6 release, but disabled due to poor
performance on some AMD processors. Hopefully, that
performance problem is fixed now).
The ARM code was tested and benchmarked on Cortex-A9. Some of
the functions use "neon" instructions. The configure script
decides if neon instructions can be used, and the command line
options --enable-arm-neon and --disable-arm-neon can be used
to override its choice. Feedback appreciated.
The libraries are intended to be binary compatible with
nettle-2.2 and later. The shared library names are
libnettle.so.4.6 and libhogweed.so.2.4, with sonames still
libnettle.so.4 and libhogweed.so.2.
This release uses native File::KeePass support for key files (if
the File::KeePass version is new enough), adds "version" and "ver"
commands, updates the documentation (as Ubuntu 12.10 now packages
all of kpcli's dependencies), adds a --histfile commandline option,
records modified times on edited records, and adds a -a option to
the show command.
Change from previous version:
+ don't assume that output of a "cat" command (where output is sent to
stdout if the signature is verified) is able to be written with stdio.
Originally packaged for wip by evaldo - thanks!
ent is a program which applies various tests to sequences of
bytes stored in files and reports the results of those tests.
The program is useful for those evaluating pseudorandom number
generators for encryption and statistical sampling
applications, compression algorithms, and other applications
where the information density of a file is of interest.
(Modified by me only to hold the distfile in a DIST_SUBDIR, since
the random.zip filename has the possibility to clash with other things)
An example of its usage:
% dd if=/dev/urandom bs=1k count=10 | ent
10+0 records in
10+0 records out
10240 bytes transferred in 0.001 secs (10240000 bytes/sec)
Entropy = 7.977398 bits per byte.
Optimum compression would reduce the size
of this 10240 byte file by 0 percent.
Chi square distribution for 10240 samples is 321.50, and randomly
would exceed this value 0.30 percent of the times.
Arithmetic mean value of data bytes is 128.5722 (127.5 = random).
Monte Carlo value for Pi is 3.195779601 (error 1.72 percent).
Serial correlation coefficient is -0.003620 (totally uncorrelated = 0.0).
%
