Commit graph

6659 commits

Author SHA1 Message Date
pettai
23c16fac6b 1.4.21
    - Do not log the time every second on "old" PC/SC without support of
      \\?PnP?\Notification like on Mac OS X.
    - 79 new ATRS
    - minor fixes

1.4.20 - 16 June 2012, Ludovic ROUSSEAU
    - Makefile: Add arguments to CFLAGS instead of overwriting them
    - 3 new ATRs

1.4.19
    - ATR_analysis: use XDG_CACHE_HOME env variable
      The smartcard_list.txt file is now searched in ~/.cache/ by default
    - 115 new ATRs

1.4.18
    - gscriptor: Display hex dumps in lines of 16 bytes instead of 17
    - gscriptor: Display bytes of value 0x20 as ' ' instead of '.'
    - scriptor: Display lines of 16 bytes instead of 24
    - 223 new ATRs
    - pcsc_scan: Correctly detect reader Plug and Play support

1.4.17
    - 153 new ATRs
    - Allow to build with pcsc-lite >= 1.6.2

1.4.16
    - 153 new ATR
    - pcsc_scan.c: check for PnP support at run time instead of using a
      #define
    - ATR_analysis: use curl instead of wget on Darwin
    - gscriptor: ReaderConfig(): escape metacharacters []() in
      the reader name when using reader name as a pattern matching
2012-12-15 00:53:26 +00:00
pettai
5f712c6949 A major version bump gives a long changelog...
1.4.5:
    - Add support of Alcor Micro AU9540, Ubisys 13.56MHz RFID (CCID),
      BIFIT USB-Token iBank2key, BIFIT iBank2Key, Gemalto Ezio Shield
      PinPad reader, Gemalto SA .NET Dual, Precise Sense MC reader (with
      fingerprint), SDS DOMINO-Key TWIN Pro
    - Add support of bPPDUSupport and FEATURE_CCID_ESC_COMMAND
    - SCARD_ATTR_VENDOR_NAME and SCARD_ATTR_VENDOR_IFD_VERSION are not
      the vendor name and version of the driver but of the IFD:
      InterFace Device i.e. the smart card reader.  We then return the
      USB iManufacturer string as SCARD_ATTR_VENDOR_NAME and USB
      bcdDevice as SCARD_ATTR_VENDOR_IFD_VERSION
    - reduce binary size by removing unused features from simclist
    - Fix some warnings reported by Coverity

1.4.4:
    - Add support of Gemalto Ezio Shield, Gemalto Ezio CB+, Gemalto Ezio
      Shield Secure Channel, Gemalto Ezio Shield PinPad and Gemalto Ezio
      Generic
    - Activate USB automatic power suspend. The Linux kernel should
      power off the reader automatically if it is not used (pcscd is not
      running).
    - Add support of TLV Properties wLcdMaxCharacters and wLcdMaxLines.
      They just duplicate wLcdLayout
    - some minor bugs removed

1.4.3:
    - Add support of Neowave Weneo, Vasco DIGIPASS 920, SCM SCL011,
      Feitian ePass2003 readers
    - use :libudev: instead of :libhal: naming scheme.
    - Do not install RSA_SecurID_getpasswd and Kobil_mIDentity_switch
      and the associated documentation.
    - the Secure Pin Entry of the HP USB Smart Card Keyboard is bogus so
      disable it
    - some minor bugs removed

1.4.2:
    - Add support of Feitian SCR310 reader (also known as 301v2), ACS
      APG8201 PINhandy 1, Oberthur ID-ONE TOKEN SLIM v2, new Neowave
      Weneo token, Vasco DIGIPASS KEY 860, Vasco DIGIPASS KEY 200,
      Xiring Leo v2, Xiring MyLeo, Aktiv Rutoken lite readers
    - Add back support of "bogus" Oz776, REINER SCT and BLUDRIVE II
    - Ease detection of OpenCT by pcsc-lite
    - disable use of interrupt card events for multi slots readers (the
      algorithm is bogus and can't be used)
    - fix minor problems detected by the clang tool
    - some minor bugs removed

1.4.1:
    - Add support of Gemalto Smart Guardian (SG CCID), ReinerSCT
      cyberJack RFID basis, Akasa AK-CR-03, BZH uKeyCI800-K18, Free
      Software Initiative of Japan Gnuk token readers
    - Remove O2 Micro Oz776 and Blutronics Bludrive II CCID since they
      are no more supported since version 1.4.0
    - SecurePINVerify() & SecurePINModify(): Accept big and little
      endian byte orders for multibytes fields. The application
      should not use HOST_TO_CCID_16() and HOST_TO_CCID_32() any more
      and just use the normal byte order of the architecture.
    - Need pcsc-lite 1.6.5 for TAG_IFD_POLLING_THREAD_WITH_TIMEOUT
    - Add --enable-embedded (default is no) to build libccid for an
      embedded system.  This will activate the NO_LOG option to disable
      logging and limit RAM and disk consumption.
    - Remove --enable-udev option since it is not used anymore with
      libhal. The udev rules file is now used to change the access
      rights of the device and not send a hotplug signal to pcscd.
      See http://ludovicrousseau.blogspot.com/2010/09/pcscd-auto-start.html
    - some minor bugs removed

1.4.0:
    - add support of Kingtrust Multi-Reader, Dectel CI692, Todos CX00,
      C3PO LTC36, ACS AET65, Broadcom 5880, Tianyu Smart Card Reader,
      Gemalto Hybrid Smartcard Reader
    - Add support of the SCM SDI 010 again. At least the contact
      interface can be used.
    - Use libusb-1.0 instead of libusb-0.1
    - add support of TAG_IFD_STOP_POLLING_THREAD and use of the
      asynchronous libusb API to be able to stop a transfer.
    - Request pcsc-lite 1.6.2 minimum (instead of 1.6.0) to have
      TAG_IFD_STOP_POLLING_THREAD defined
    - The O2MICRO OZ776 patch (for OZ776, OZ776_7772, REINER_SCT and
      BLUDRIVEII_CCID) is no more supported with libusb-1.0
    - correctly get the IFSC from the ATR (ATR parsing was not always
      correct)
    - some minor bugs removed
2012-12-15 00:29:31 +00:00
pettai
c784b73a30 bump reversion 2012-12-14 23:54:43 +00:00
pettai
caf15c6c69 A major version bump gives a long changelog...
1.7.4:
- Fix a stupid bug from the previous version. T=1 cards were not
  working.

1.7.3:
- COPYING: Add my name as copyright holder
- hotplug libudev: support libudev >= 171
- hotplug libusb: Fix a memory leak
- pcscd: exit immediately in case of SIGTERM
  Closes Debian bug #620305 "pcscd slows down shutdown/restart"
- Send logs to stdout instead of stderr
  It is now possible to use tee(1) to redirect logs in a file without
  first redirecting stderr to stdout
- Add command line option -T, --color: force use of colored logs
  The idea is to have colored logs even if they are redirected to a file
  or a pipe.
- Define g_rgSCardT?Pci as const structures to be more Windows like
  I do not expect a regression or compilation problem in WinSCard API
  users but who knows...
- log at level PCSC_LOG_DEBUG instead of PCSC_LOG_ERROR to avoid filling
  the system log file
- Remove the deprecated define FEATURE_MCT_READERDIRECT (replaced by
  FEATURE_MCT_READER_DIRECT)
- better Hurd support
- some other minor improvements and bug corrections

1.7.2:
- fix a crash if a specific driver fails to work and no class driver is
  available

1.7.1
- use libudev only on Linux and libusb elsewhere. The configuration now
  works by default on GNU/kFreeBSD systems
- Try to use a (CCID) class driver if a specific driver fails to use the
  reader.
- fix a potential crash

1.7.0:
- use libudev instead of (the deprecated) libhal

1.6.7:
- better Mac OS X support
- Fix Alioth bug [#312960] SCardDisconnect when other context has transaction
- add support of multi-interfaces readers with libusb and not just libhal
- add a API tracing feature in the client side (#define DO_TRACE)
- allow the use of tracing and profiling features from different
  application threads
- fix a problem with a multi-slots reader
- fix minor problems detected by the clang tool
- some other minor improvements and bug corrections

1.6.6:
- SCardGetStatusChange(): fix a bug on 64-bits systems
- Fix another bug because of a regression in internal list manager

1.6.5:
- Power on the card _only_ if an application requests a connection.
  You can disable the feature using DISABLE_ON_DEMAND_POWER_ON in
  src/pcscd.h.in
  If DISABLE_AUTO_POWER_ON is defined then do not automatically power on
  the card. The card will be powered on on the first SCardConnect()
  See http://ludovicrousseau.blogspot.com/2010/10/card-auto-power-on-and-off.html
- SCardReconnect(): return SCARD_E_NO_SMARTCARD when card is removed and
  SCARD_W_UNRESPONSIVE_CARD when card is unresponsive instead of
  SCARD_E_PROTO_MISMATCH
- Install pcscd as sgid pcscd instead of suid root
  See http://ludovicrousseau.blogspot.com/2010/09/pcscd-auto-start.html
- SCardSetTimeout() is no more provided. This function is not provided
  by Microsoft and is deprecated since 2004 in pcsc-lite.
- SCardCancelTransaction() is no more provided. This function is not
  provided by Microsoft and is deprecated since 2005 in pcsc-lite.
- Parsing the CCID Info.plist (159 readers supported) was, on a i386
  machine, done in 264306 µs and is now done 5547 µs => gain x47 or 4600%
  See http://ludovicrousseau.blogspot.com/2010/08/ram-and-cpu-improvements-in-pcsc-lite.html
- It is now possible to configure the local socket name to use using the
  environment variable PCSCLITE_CSOCK_NAME
  See http://ludovicrousseau.blogspot.com/2010/11/pcsc-client-and-server-on-two-different.html
- Wait until all connected readers have a chance to power up a possibly
  inserted card before accepting clients.
- restrict pcscd features when not run by root (so using suid): APDU
  logging or setting parameters are disabled for example
- fix compilation problem on kfreebsd-* systems
- PCSC/reader.h: HOST_TO_CCID_16() and HOST_TO_CCID_32() are now
  identity functions
  Since libccid 1.4.1 (revision 5252) the byte order is no more important
- If you want to use IFDHCreateChannel() instead of
  IFDHCreateChannelByName() then do not use any DEVICENAME line in the
  configuration file. IFDHCreateChannel() will then be called with the
  CHANNELID parameter.
- the CHANNELID parameter can also be a decimal number.
- Remove the support of IFDHandler v1 API. I don't know any driver using
  this API.
  See http://ludovicrousseau.blogspot.com/2010/10/ifdhandler-version-1-support-removed.html
- avoids a buffer overflow with badly formed ATR
- some other minor improvements and bug corrections

1.6.4:
- Do not use sysconfdir as configuration directory but
  "${sysconfdir}/reader.conf.d" instead.
  Use --enable-confdir=DIR if you want to set a specific value without
  the "reader.conf.d" appended.

1.6.3:
- "/reader.conf.d" is only appended to sysconfdir if no value of
  sysconfdir is provided
- Define LPSCARD_READERSTATE since this is used in the MSDN prototype.
  Use LPSCARD_READERSTATE in winscard.h instead of (SCARD_READERSTATE *)
  to mimic the MSDN API.
- fix a pcscd crash when the application uses a PCSC handle after a
  fork. The crash was with openvpn.
- some other minor improvements and bug corrections

1.6.2:
- implement a "Forced suicide" mechanism.
  After 3 Ctrl-C without much reaction from pcscd (in fact the drivers)
  we force the suicide. Sometimes libusb is blocked in a kind of
  dead-lock and kill -9 was the only option.
- Add support of TAG_IFD_STOP_POLLING_THREAD to request the stop of the
  driver polling function.
- Avoid a division by 0. Closes [#312555] "simclist bug in pcsc-lite"
- if pcscd is started by libpcsclite then close all file handles except
  stdin, stdout and stderr so that pcscd does not confiscate resources
  allocated by the application
- in case of auto exit create a new session so that Ctrl-C on the
  application will not also quit pcscd
- src/hotplug_libusb.c: port from libusb-0.1 to libusb-1.0
- default configuration is now $sysconfdir/reader.conf.d
- fix crash with empty config dir
- src/PCSC/winscard.h: Remove definitions of SCARD_READERSTATE_A
  PSCARD_READERSTATE_A and LPSCARD_READERSTATE_A types
- some other minor improvements and bug corrections

1.6.1:
- SCardControl(): do not check for card events since we are talking to
  the reader not the card. A smart card removal should not make
  SCardControl() fail with SCARD_W_REMOVED_CARD
- pcscd do not timeout any more after 2 minutes of inactivity. If the
  other side of the socket dies we will get an error from the kernel.
  The problem was that if a client does nothing during
  PCSCLITE_READ_TIMEOUT (120 seconds by default) then pcscd considers it
  as a dead client and closes the connection. I guess this problem was
  present since the first version of pcsc-lite but nobody complained
  before.
- pcscd: do not return before most of the initialisation are done
  correctly. The idea is that pcscd can return an error code if the
  daemon fails to start correctly (hald not started for example).
  Before the patch pcscd became a daemon, then returned 0 (success) and
  then continued with the initialisation. If the initialisation failed
  it was too late to return an error code. The /etc/init.d/pcscd script
  was not aware of the failure.
  Closes https://bugzilla.redhat.com/show_bug.cgi?id=580321
  "/usr/sbin/pcscd exit codes broken"
- src/hotplug_libusb.c: Add a synchronisation so that if pcscd is auto
  started the initial reader list is available before the server takes
  commands from clients.
  Before the change early calls of SCardListReaders() returned an empty
  list of readers even if a reader was connected.
- SCardConnect() & SCardReconnect(): do not reset the cardProtocol in
  SCARD_SHARE_DIRECT case since the card has _not_ been reset. A new
  PPS negotiation would fail.
- Do not install files in /etc any more. Serial drivers are rare now.
- Avoids a crash if a client sends a unknown command.
- some other minor improvements and bug corrections

1.6.0:
- redesign the client/server communication:
  * no more shared memory used (allow pcscd and libpcsclite1.so to be on
  different computer and talk over a network)
  * no more difference between short and extended APDU
  * no more use of a /var/run/pcscd/pcscd.events/ directory. events are
  sent through the socket
  * simpler command format between client and server
  The side effect is that you are not able to mix an old pcscd with a
  new libpcsclite1.so or the reverse. SCardEstablishContext() will fail
  unless you update both sides of the communication.
- Use lists instead of fixed size arrays to store handles.
  It is now possible to have:
  - 200 simultaneous PC/SC clients instead of 16
  - 200 SCardConnect per client instead of 16
  - 200 clients per reader instead of 16
  The default value of 200 can be changed by giving an argument to pcscd
  --max-thread --max-card-handle-per-thread --max-card-handle-per-reader
- Make SCardReconnect(), SCardStatus() and SCardTransmit() block instead
  of returning SCARD_E_SHARING_VIOLATION immediately. These functions
  will then behave like on Windows.
  This can happen if these functions are called when the reader is
  locked by a PCSC transaction
  (SCardBeginTransaction/SCardEndTransaction).
  You can define the environment variable PCSCLITE_NO_BLOCKING to use
  the old behavior.
  http://archives.neohapsis.com/archives/dev/muscle/2010-q1/0041.html
- SCardEstablishContext(): try to start the pcscd daemon if not already
  running.
  . pcscd will suicide itself after 60 seconds of inactivity if it is
  started using --auto-exit. This is the default behavior when pcscd is
  started by libpcsclite
  . Set PCSCLITE_PCSCD_ARGS with the argument you want to pass to pcscd in
  autostart Only one argument is passed. The space character is not a
  separator. example: export PCSCLITE_PCSCD_ARGS=-dfa
- SCardListReaders(): can use SCARD_AUTOALLOCATE
- SCardGetAttrib(): return SCARD_E_INSUFFICIENT_BUFFER if the driver
  returns IFD_ERROR_INSUFFICIENT_BUFFER
  . add support of SCARD_ATTR_DEVICE_FRIENDLY_NAME as it is better
  implemented in pcscd (it knows the friendly name)
- SCardGetStatusChange(): Calling with cReaders == 0 will now just
  return SCARD_S_SUCCESS
  . Use the special reader name "\\?PnP?\Notification" to wait for a
  reader event notification
- SCardTransmit(): do not limit the minimum size of an APDU to 4 bytes.
  non ISO 7816-4 compliant cards (like Mifare DESFIRE) may use shorter
  commands
- SCardStatus(): returns SCARD_E_SHARING_VIOLATION if the reader is
  already used More conform to Windows
- PCSC/reader.h: update struct PIN_PROPERTIES_STRUCTURE to be conform
  with Revision 2.02.06, April 2009 of PCSCv2 part 10 Fields
  wLcdMaxCharacters and wLcdMaxLines have been removed
  . rename FEATURE_MCT_READERDIRECT in FEATURE_MCT_READER_DIRECT to be
  conform with ch. 2.3 of PCSC v2 part 10
  . add FEATURE_GET_TLV_PROPERTIES and FEATURE_CCID_ESC_COMMAND from
  PC/SC part 10 v2.02.07 March 2010
  . Add PCSCv2_PART10_PROPERTY_* defines
- SCardControl() return SCARD_E_UNSUPPORTED_FEATURE if the driver
  returned IFD_ERROR_NOT_SUPPORTED or IFD_NOT_SUPPORTED This is used to
  separate an unsupported value of ControlCode from a general error
- Use the standard --sysconfdir=DIR ($prefix/etc by default) instead of
  --enable-confdir=DIR for defining the directory containing reader.conf
- remove SCF support (PC/SC over Smart Card Framework). I never used
  this feature and SCF is now dead and replaced by JSR 268
  (javax.smartcardio)
- Better handling of PCSCLITE_STATIC_DRIVER as can be used on platforms
  using µClinux (without dynamic loader).  This is used to statically
  link the reader driver to pcscd. Since the link is static you must
  define the IFDHandler API version at compilation time. Either define
  IFDHANDLERv1, IFDHANDLERv2 or IFDHANDLERv3
- Use dynamic instead of static allocation for the driver library
  filename. The filename is no more limited to 100 characters.
  Closes: [#312332] MAX_LIBNAME too short?
- force the return codes SCARD_* to be long since the SCard* functions
  return a LONG type
- Add the ability to parse all the configuration files of a directory
  instead of just one configuration file. update-reader.conf is then now
  obsolete.
- Add --enable-embedded (default is no) to build pcsc-lite for an
  embedded system. This will activate the NO_LOG option to disable
  logging and limit RAM and disk consumption.
- If NO_LOG is defined then no log are displayed. The idea is to limit
  the binaries size on disk and RAM consumption at execution time.
  With NO_LOG defined we gain 26% (17 kB) for the .text segment of pcscd
  and 15% (4 kB) for the .text segment of libpcsclite.so (for i386)
- Define a minimal pcsc_stringify_error() if NO_LOG is defined. Only the
  error code in hex is displayed in this case.
  Gain: 2kB of .text (10%) for libpcsclite
- Add --disable-serial and --disable-usb options
  --disable-serial removes support of /etc/reader.conf gain: 8.0kB of
  .text (12%) and 160 bytes of .bss (4%) for pcscd
  --disable-usb removes support of USB hotplug gain: 9.7kB of .text
  (14%) and 960 bytes of .bss (23%) for pcscd
  If you use both options (and use a static driver configuration) gain:
  17.7kB of .text (26%) and 1152 bytes of .bss (28%) for pcscd
- Better support of Android
- some other minor improvements and bug corrections
2012-12-14 23:50:33 +00:00
wiz
edb6c0ce45 - ssh2. 2012-12-12 22:44:19 +00:00
gendalia
fbcd99dde7 "Hygiene demands it."
Sources are from 2003, current tectia client/server has vulnerabilities,
there are no security eyes on this version.
2012-12-12 22:04:42 +00:00
ryoon
b7ac758854 Fix build.
For man pages generation, xsltproc from textproc/libxslt is needed.

Thank you, joerg@.
2012-12-12 16:04:16 +00:00
gdt
73de6a6944 +polarssl 2012-12-11 23:31:16 +00:00
gdt
7451fffa94 Import polarssl-1.2.0 as security/polarssl.
PolarSSL is an SSL library written in ANSI C. PolarSSL makes it easy for
developers to include cryptographic and SSL/TLS capabilities in their
(embedded) products with as little hassle as possible. It is designed to be
readable, documented, tested, loosely coupled and portable.

This package includes headers/libs only, not the demo programs.

PolarSSL is GPLv2, but offers exceptions to be distributed with other works
licensed as Apache, BSD, CC0, EUPL, LGPL, ISC, WTFPL, X11, zlib/libpng.
2012-12-11 23:29:27 +00:00
pettai
266379a004 OpenDNSSEC 1.3.12 - 2012-12-03
Bugfixes:
* SUPPORT-42: ./configure fails on FreeBSD (or if ldns is not installed in a
  directory in the default search path of the compiler).
* OpenDNSSEC does not compile against ldns 1.6.16 on platforms that rely on
  the OpenDNSSEC implementation of strlcpy/cat
2012-12-05 20:03:59 +00:00
gdt
3be8dced47 Update to 0.6.20.
New in 0.6.20; 2010-02-16; Andreas Jellinghaus
* Modify Rutoken S binary interfaces by Aktiv Co.
* Makefiles fixed in doc/ directory

New in 0.6.19; 2010-01-07; Andreas Jellinghaus
* update on udev rules. Please now use udev instead of hal,
  as distributions are deprecating hal in favor for udev.
* Thanks to Daniel Kahn Gillmor for testing on debian.
2012-12-03 21:12:48 +00:00
gdt
dff894e049 Make cardreader package choice an option group.
No functional change, other than building with both or neither
cardreader package will error from the options framework instead of at
configure time.
2012-12-03 20:23:15 +00:00
gdt
68ebc234db Merge Makefile.common into Makefile, because opensc-signer is gone.
This does not make any functional changes - it is just rearranging and
comments.
2012-12-03 20:14:14 +00:00
ryoon
d0a3af16f5 Add libsecret 2012-11-30 15:50:31 +00:00
ryoon
33d760afe8 Import libsecret-0.12 as security/libsecret.
libsecret is a library for storing and retrieving passwords and
other secrets. It communicates with the "Secret Service" using
DBus. gnome-keyring and ksecretservice are both implementations of
a Secret Service.
2012-11-30 15:49:47 +00:00
gdt
aae9e42a51 Update to 0.12.2.
Thanks to manu@ for testing and resolving pcsc-lite pthread leakage
problems.

Note that pcsc-lite and openct should be an options group.

Disable some obsolete CONFIGURE_ARGS.

Work around assumption that either getopt_long_only is present or
all getopt functions must be provided.

Finnish EID patches have been applied upstream (from whence they came,
perhaps).

From upstream NEWS:

Complete change history is available online:
http://www.opensc-project.org/opensc/timeline

New in 0.12.2; 2011-07-15
* Builds are now silent by default when OpenSC is built from source on Unix.
* Using --wait with command line tools works with 64bit Linux again.
* Greatly improved OpenPGP card support, including OpenPGP 2.0 cards
  like the one found in German Privacy Foundation CryptoStick.
* Fixed support for FINeID cards issued after 01.03.2011 with 2048bit keys.
* #256: Fixed support for TCOS cards (broken since 0.12.0).
* Added support for IDKey-cards to TCOS3 driver.
* #361: Improved PC/SC driver to fetch the maximum PIN sizes from the open
  source CCID driver. This fixes the issue for Linux/OSX with recent driver.
* WindowsInstaller now installs only static DLL-s (PKCS#11, minidriver) to
  system folder.
* Fix FINeID cards for organizations.
* Several smaller bugs and compiler warnings fixed.

New in 0.12.1; 2011-05-17
* New card driver: IAS/ECC 1.0.1
* rutoken-tool has been deprecated and removed.
* eidenv and piv-tool utilities now have manual pages.
* pkcs11-tool now requires the use of --module parameter.
* All tools can now use an ATR as an argument to --reader, to skip to the
  card with given ATR.
* opensc-tool -l with -v now shows information about the inserted cards.
* Creating files have an enforced upper size limit, 64K
* Support for multiple PKCS#15 applications with different AID-s.
  PKCS#15 applications can be listed with pkcs15-tool --list-applications.
  Binding to a specific AID with PKCS#15 tools can be done with --aid.
* Hex strings (like card ATR or APDU-s) can now be separated by space, in
  addition to colons.
* Pinpad readers known to be bogus are now ignored by OpenSC. At the moment
  only "HP USB Smart Card Keyboard" is disabled.
* Windows installer is now distributed as a statically built MSI, for both
  x86 and x64.
* Numerous compiler warnings, unused code and internal bugs have been
  eliminated.

New in 0.12.0; 2010-12-22
* OpenSC uses a single reader driver, specified at compile time.
* New card driver: Italian eID (CNS) by Emanuele Pucciarelli.
* New card driver: Portuguese eID by João Poupino.
* New card driver: westcos by François Leblanc.
* pkcs11-tool can use a slot based on ID, label or index in the slot list.
* PIN flags are updated from supported cards when C_GetTokenInfo is called.
* Support for CardOS 4.4 cards added.
* Feature to exclude readers from OpenSC PKCS#11 via "ignored_readers"
  configuration file entry.
* #229: Support semi-automatic fixes to cards personalized with older and
  broken OpenSC versions.
* Software keys removed from pkcs15-init and the PKCS#11 module. OpenSC
  can either generate keys on card or import plaintext keys to the card, but
  will never generate plaintext key material in software by itself.
  All traces of a software token (PKCS#15 Section 7) shall be removed.
* Updates to PC/SC driver to build with pcsc-lite >= 1.6.2
* Build script for a binary Mac OS X installer for 10.5 and 10.6 systems.
  Binary installer includes OpenSC.tokend for platform integration.
  10.6 installer includes engine_pkcs11.
* Modify Rutoken S binary interfaces by Aktiv Co.
* Support GOST R 34.10-2001 and GOST R 34.11-94 by Aktiv Co.
* CardOS driver now emulates sign on rsa keys with sign+decrypt usage
  with padding and decrypt(). This is compatible with old cards and
  card initialized by Siemens software. Removed "--split-key" option,
  as it is no longer needed.
* Improved debugging support: debug level 3 will show everything
  except of ASN1 and card matching debugging (usually not needed).
* Massive changes to libopensc. This library is now internal, only
  used by opensc-pkcs11.so and command line tools. Header files are
  no longer installed, library should not be used by other applications.
  Please use generic PKCS#11 interface instead.
* #include file statements cleaned up: first include "config.h", then
  system headers, then additional libraries, then headers in opensc
  (but from other directories), then header files from same directory.
  Fix path to reference headers, remove src/include/ directory.
* Various source code fixes and improvements.
* OpenSC now depends on xsltproc utility and docbook-xsl to build docs and man
* Remove iconv dependency. EstEID driver now uses the commonName from the
  certificate for card label.
* Possibility to change the default behavior for card resets via
  opensc.conf.
2012-11-30 14:44:34 +00:00
gdt
dd776821c8 Don't pass pthread flags to depending packages.
This is necessary to avoid making opensc threaded, since then it can't
be dlopened by a non-threaded program.

Add patch comments.

Set LICENSE (modified-bsd, verified via wdiff).

This change is almost entirely due to manu@.
2012-11-30 14:28:55 +00:00
adam
eb1cd321a1 patch-gssftp_ftp_ftp_var.h rewritten 2012-11-29 07:31:02 +00:00
gdt
77eb9625e6 Remove obsolete package opensc-signer.
Upstream has removed the code that this package uses, as upstream
believes there are no users.

(Proposed on pkgsrc-users with no objections.)
2012-11-29 00:51:28 +00:00
gdt
daf47c4a3e -opensc-signer, about to be removed. 2012-11-29 00:49:31 +00:00
gls
cbd2ef34b3 Update security/py-paramiko to 1.9.0.
Fix a tyop in DESCR.

Upstream changes:
-----------------

v1.9.0 (6th Nov 2012)
---------------------

* #97 (with a little #93): Improve config parsing of `ProxyCommand` directives
  and provide a wrapper class to allow subprocess-driven proxy commands to be
  used as `sock=` arguments for `SSHClient.connect`.
* #77: Allow `SSHClient.connect()` to take an explicit `sock` parameter
  overriding creation of an internal, implicit socket object.
* Thanks in no particular order to Erwin Bolwidt, Oskari Saarenmaa, Steven
  Noonan, Vladimir Lazarenko, Lincoln de Sousa, Valentino Volonghi, Olle
  Lundberg, and Github user `@acrish` for the various and sundry patches
  leading to the above changes.

v1.8.1 (6th Nov 2012)
---------------------

* #90: Ensure that callbacks handed to `SFTPClient.get()` always fire at least
  once, even for zero-length files downloaded. Thanks to Github user `@enB` for
  the catch.
* #85: Paramiko's test suite overrides
  `unittest.TestCase.assertTrue/assertFalse` to provide these modern assertions
  to Python 2.2/2.3, which lacked them. However on newer Pythons such as 2.7,
  this now causes deprecation warnings. The overrides have been patched to only
  execute when necessary. Thanks to `@Arfrever` for catch & patch.


v1.8.0 (3rd Oct 2012)
---------------------

* #17 ('ssh' 28): Fix spurious `NoneType has no attribute 'error'` and similar
  exceptions that crop up on interpreter exit.
* 'ssh' 32: Raise a more useful error explaining which `known_hosts` key line was
  problematic, when encountering `binascii` issues decoding known host keys.
  Thanks to `@thomasvs` for catch & patch.
* 'ssh' 33: Bring `ssh_config` parsing more in line with OpenSSH spec, re: order of
  setting overrides by `Host` specifiers. Specifically, the overrides now go by
  file order instead of automatically sorting by `Host` value length. In
  addition, the first value found per config key (e.g. `Port`, `User` etc)
  wins, instead of the last. Thanks to Jan Brauer for the contribution.
* 'ssh' 36: Support new server two-factor authentication option
  (`RequiredAuthentications2`), at least re: combining key-based & password
  auth. Thanks to Github user `bninja`.
* 'ssh' 11: When raising an exception for hosts not listed in
  `known_hosts` (when `RejectPolicy` is in effect) the exception message was
  confusing/vague. This has been improved somewhat. Thanks to Cal Leeming for
  highlighting the issue.
* 'ssh' 40: Fixed up & expanded EINTR signal handling. Thanks to Douglas Turk.
* 'ssh' 15: Implemented parameter substitution in SSHConfig, matching the
  implementation of `ssh_config(5)`. Thanks to Olle Lundberg for the patch.
* 'ssh' 24: Switch some internal type checking to use `isinstance` to help prevent
  problems with client libraries using subclasses of builtin types. Thanks to
  Alex Morega for the patch.
* Fabric #562: Agent forwarding would error out (with `Authentication response
  too long`) or freeze, when more than one remote connection to the local agent
  was active at the same time. This has been fixed. Thanks to Steven McDonald
  for assisting in troubleshooting/patching, and to GitHub user `@lynxis` for
  providing the final version of the patch.
* 'ssh' 5: Moved a `fcntl` import closer to where it's used to help avoid
  `ImportError` problems on Windows platforms. Thanks to Jason Coombs for the
  catch + suggested fix.
* 'ssh' 4: Updated implementation of WinPageant integration to work on 64-bit
  Windows. Thanks again to Jason Coombs for the patch.
* Added an IO loop sleep() call to avoid needless CPU usage when agent
  forwarding is in use.
* Handful of internal tweaks to version number storage.
* Updated `setup.py` with `==dev` install URL for `pip` users.
* Updated `setup.py` to account for packaging problems in PyCrypto 2.4.0
* Added an extra `atfork()` call to help prevent spurious RNG errors when
  running under high parallel (multiprocess) load.
* Merge PR #28: https://github.com/paramiko/paramiko/pull/28 which adds a
  ssh-keygen like demo module. (Sofian Brabez)

v1.7.7.2 16may12
----------------
  * Merge pull request #63: https://github.com/paramiko/paramiko/pull/63 which
    fixes exceptions that occur when re-keying over fast connections. (Dwayne
    Litzenberger)
2012-11-27 22:13:32 +00:00
pettai
726d20d2bc SoftHSM 1.3.4 - 2012-11-24
* SOFTHSM-28: Support RSASSA-PSS signature scheme.
* SOFTHSM-29: The default location of the token database is
  now $localstatedir/lib/softhsm/.
2012-11-26 11:29:01 +00:00
joerg
4ec4d77cad Fix missing prototypes and return values and other goodies, so that it
passes -Werror with clang.
2012-11-23 12:30:01 +00:00
drochner
a95b523806 make provided/required versions match exactly - it seems that newer
tcl versions are more strict about this, should fix PR pkg/47186
by Joern Clausen
bump PKGREV
being here, set LICENSE (same as tcl)
2012-11-23 12:27:03 +00:00
gdt
0776673a99 Update to 1.10.
Change MASTER_SITE, and therefore fetch with curl.
Specify C99, after guessing that from warnings.
Enable extra warnings (reported upstream).

2012-02-29 - Version 1.10

 * PolarSSL crypto engine by Adriaan de Jong
 * build: --disable-crypto-engine-win32 renamed to --disable-crypto-engine-cryptoapi
 * api: PKCS11H_FEATURE_MASK_ENGINE_CRYPTO_WIN32 renamed to
   PKCS11H_FEATURE_MASK_ENGINE_CRYPTO_CRYPTOAPI.
 * api: PKCS11H_ENGINE_CRYPTO_WIN32 renamed to
   PKCS11H_ENGINE_CRYPTO_CRYPTOAPI

2011-08-16 - Version 1.09

 * Do not retry if CKR_BUFFER_TOO_SMALL and non-NULL target.
 * Fixup OpenSSL engine's rsa_priv_enc to use RSA size output buffer.
2012-11-22 00:31:04 +00:00
gdt
ab17ccddf6 Take maintainership. 2012-11-21 23:32:35 +00:00
pettai
7582a13fae Version 1.9.0 (released 2012-11-08)
* ykinfo: New tool to print information about YubiKey.
* ykpersonalize: Add -z flag to zap configuration on YubiKey.
* Fix PBKDF2 implementation.
2012-11-19 11:40:27 +00:00
joerg
f59341cc1d Mark a function void that never returns a value. Provide proper return
values if in non-void functions.
2012-11-19 03:03:42 +00:00
asau
e74da60860 Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days. 2012-11-18 02:25:37 +00:00
sbd
22b42224de When getting a file basename strip any leading directories. 2012-11-15 03:32:00 +00:00
pettai
8e2418cca1 OpenDNSSEC 1.3.11
* OPENDNSSEC-330: NSEC3PARAM TTL should be set to zero.

Bugfixes:
* OPENDNSSEC-306: Can't delete zone until Enforcer made signerconf.
* OPENDNSSEC-281: Commandhandler sometimes unresponsive.
* OPENDNSSEC-299: ods-ksmutil <enter> now includes policy import
* OPENDNSSEC-300: ods-ksmutil policy purge documented with a warning
* OPENDNSSEC-338: ods-ksmutil: fix zone delete on MySQL (broken by SUPPORT-27)
* OPENDNSSEC-342: Auditor comparisons made case-insensitive
* OPENDNSSEC-345: ods-ksmutil: use ods-control to HUP the enforcerd process
2012-11-13 16:32:25 +00:00
pettai
257da399e8 Added otptool 2012-11-10 22:16:40 +00:00
pettai
1cff652e1d Otptool is a client utility for two-factor authentication using one-time
passwords (OTP) generated via the HOTP/OATH algorithm defined in RFC 4226.
2012-11-10 22:13:47 +00:00
pettai
c31c20c66d Version 1.8.2 (released 2012-10-17)
* Add udev rules files to packed distribution.

Version 1.8.1 (released 2012-10-17)

* Memory leak fixes and potential crash fixes in osx backend.
* Error reporting fixes in osx backend, reporting correct errors and
  better errors.
* Provide another new udev permissions file that works on udev version
  greater than 188. Autodetects from configure which to use.
* Add new binary ykinfo, can be used to get serial number, version and
  touch level from a YubiKey.

Version 1.8.0 (released 2012-09-28)

* Added ./configure --enable-gcc-warnings to enable a lot of warnings.
* Added Continuous integration at travis-ci
  (http://travis-ci.org/#!/Yubico/yubikey-personalization)
* Added yk_challenge_response() function for doing challenge response
  with a key.
* Fixed functions for NDEF writing, adding:
  ykp_ndef_alloc(), ykp_ndef_free() and ykp_set_ndef_access_code()
  also providing compatible name YK_NDEF in ykcore.h and exporting
  yk_write_ndef() there.
  Change return values from ndef_construct_*() functions to make them
  consistent with the rest of the library.
* Fixed a crash bug when the library was called from different threads.
* Check return code from libusb_init() so we avoid crashing there.
  Also use a usb context instead of relying on default.
* Fix numerous warnings.
* Fix compilation in MSVC2010.

Version 1.7.0 (released 2012-06-07)

* Add support for new features in YubiKey 2.3:
  ALLOW_UPDATE flag that allows updating of configuration in slots.
  Update command (-u) to do update of existing config.
  Swap command (-x) to swap contents of two updatable slots
  DORMANT flag that's settable/removable if ALLOW_UPDATE is set
  USE_NUMERIC_KEYPAD flag for sending the OATH OTP using keypad scan codes
  instead
  FAST_TRIG flag for faster triggering of slot one if slot two is empty
* Change the library around some to make the 2.3 features available.
  Use ykp_alloc() instead of ykp_create_config().
  Use ykp_configure_version() instead of ykp_configure_for() to set the version.
  Use ykp_configure_command() instead of ykp_configure_for() to set slot.
  Use yk_write_command() instead of yk_write_config().
  The new commands don't set any default configuration at all.
* Add library support for the YubiKey NEO beta
  ykp_construct_ndef_uri() for preparing a URI to write.
  ykp_construct_ndef_text() for preparing a text to write.
  yk_write_ndef() to write the constructed NDEF.
* Add support for the YubiKey NEO beta
  Writing NDEF URI with -n http://example.com/foo/
  Writing NDEF Text record with -t example
2012-11-10 20:53:43 +00:00
pettai
f538cf4333 Version 2.9 (released 2012-08-07)
* Compatibility with curl versions before 7.20.
* Fix signature checking on ARM (at least).
2012-11-10 19:17:26 +00:00
pettai
31d5b7b05d Version 1.12.6 (released 2012-09-04)
* liboath: The usersfile is now fflush'ed and fsync'ed.
* liboath: A memory leak fixed.
* oathtool: The --counter parameter now works on 32-bit platforms.
* API and ABI is backwards compatible with the previous version.
  OATH_FILE_FLUSH_ERROR: Added.
  OATH_FILE_SYNC_ERROR: Added.
  OATH_FILE_CLOSE_ERROR: Added.
  OATH_LAST_ERROR: Added.

Version 1.12.5 (released 2012-08-19)

* oathtool: The --counter parameter now supports larger values.
  Before it used an 'int' type and now it uses a 'longlong' type.
  Needed for eSecuTech tokens as they use a 64-bit value for their
  initial counter. see <https://savannah.nongnu.org/support/?108114>.
* Added gnulib self-tests.
* API and ABI is backwards compatible with the previous version.

Version 1.12.4 (released 2012-06-17)

* liboath: Usersfile code handles multiple lines for a single user.
  This can be used when a single user carries multiple tokens (with
  different OATH secrets) and any of them should be permitted.
* API and ABI is backwards compatible with the previous version.

Version 1.12.3 (released 2012-05-31)

* pam_oath: Fix "try_first_pass".
* API and ABI is backwards compatible with the previous version.

Version 1.12.2 (released 2012-04-04)

* liboath: usersfile function now works on FreeBSD.
* tests: liboath usersfile self-test is skipped if there is no datefudge.
* API and ABI is backwards compatible with the previous version.

Version 1.12.1 (released 2012-04-01)

* liboath, oathtool: Base32 decoding now permits lowercase characters.
* API and ABI is backwards compatible with the previous version.

Version 1.12.0 (released 2012-04-01)

* oathtool: Added --base32 parameter to decode base32 keys.
* oathtool: Verbose output (-v) now prints key data in base32 format too.
* liboath: Added base32 functions.  Added hex encoding function.
  The new APIs are oath_bin2hex, oath_base32_decode, and
  oath_base32_encode.
* liboath: Gnulib's snprintf is used for better portability.
  The system snprintf is known to have bugs on some systems, see the
  Gnulib manual for more information.
* API and ABI is backwards compatible with the previous version.
  oath_bin2hex: New function.
  oath_base32_decode: New function.
  oath_base32_encode: New function.
  OATH_INVALID_BASE32: New error code.
  OATH_BASE32_OVERFLOW: New error code.
  OATH_MALLOC_ERROR: New error code.
2012-11-10 18:07:44 +00:00
pettai
156040d6da 1.1.4
- Fix X-HKP-Results-Count so that limit=0 returns no results, but include
    the header, to let a client poll for how many results exist, without
    retrieving any. See:
    http://lists.nongnu.org/archive/html/sks-devel/2010-11/msg00015.html
  - Add UPGRADING document to explain upgrading Berkeley DB without
    rebuilding. System bdb versions often change with new SKS releases
    for .deb and .rpm distros.
  - Cleanup build errors for bdb/bdb_stubs.c. Patch from Mike Doty
  - Update cryptokit from version 1.0 to 1.5 without requiring OASIS
    build system or other additional dependencies
  - build, fastbuild, & pbuild fixed to ignore signals USR1 and USR2
  - common.ml and reconSC.ml were using different values for minimum
    compatible version. This has been fixed.
  - Added new server mime-types, and trying another default document (Issue 6)
    In addition to the new MIME types added in 1.1.[23], the server now
    looks over a list and serves the first index file that it finds
    Current list: index.html, index.htm, index.xhtml, index.xhtm, index.xml.
  - options=mr now works on get as well as (v)index operations. This is
    described in http://tools.ietf.org/html/draft-shaw-openpgp-hkp-00
    sections 3.2.1.1. and 5.1.
  - Updated copyright notices in source files
  - Added sksclient tool, similar to old pksclient
  - Add no-cache instructions to HTTP response (in order for reverse proxies
    not to cache the output from SKS)
  - Use unique timestamps for keydb to reduce occurrences of Ptree corruption.
  - Added Interface specifications (.mli files) for modules that were missing
    them
  - Yaron pruned some no longer needed source files from the tree.
  - Improved the HTTP status and HTTP error codes returned for various
    situations and added checks for more error conditions.
  - Add a suffix to version (+) indicating non-release or development builds
  - Add an option to specify the contact details of the server administrator
    that shows in the status page of the server. The information is in the
    form of an OpenPGP KeyID and set by server_contact: in sksconf
  - Add a `sks version` command to provide information on the setup.
  - Added configuration settings for the remaining database table files. If
    no pagesize settings are in sksconf, SKS will use 2048 bytes for key
    and 512 for ptree. The remaining files' pagesize will be set by BDB
    based on the filesystem settings, typically this is 4096 bytes.
    See sampleConfig/sksconf.typical for settings recommended by db_tuner.
  - Makefile: Added distclean target. Dropped autogenerated file from VCS.
  - Allow tuning BDB environment before creation in [fast]build and pbuild.
    If DB_CONFIG exists in basedir, copy it to DB dir before DB creation.
    Preference is given to DB_CONFIG.KDB and DB_CONFIG.PTree over DB_CONFIG.
  - Add support for Elliptic Curve Public keys (ECDSA, ECDH)
  - Add check if an upload is a revocation certificate, and if it is,
    produce an error message tailored for this.

1.1.3
  - Makefile fix for 'make dep' if .depend does not exist. Issue #4
  - Makefile fix: sks and sks_add_mail fail to link w/o '-ccopt -pg'
    Issue #23
  - Added -disable_mailsync and -disable_log_diffs to sks.pod
  - Added file extensions .css, .jpeg, .htm, .es, .js, .xml, .shtml, .xhtm,
    .xhtml and associated MIME types to server code. Part of Issue #6
  - Added sample configuration files in sampleConfig directory
  - Added sample web page files in sampleWeb directory. Issues #7, 9, 19
  - Allow requests for non-official options hget, hash, status, & clean to
    be preceded by '-x'. Closes issues #10, 11, 13, & 14.
  - Allow &search with long subkey ID (16 digit) and subkey fingerprint
    subkey lookup was failing with other than a short key ID. However,
    public key lookup was working with short and long key ID and fingerprints.
    This patch makes subkey lookup behave the same as full key lookup.
    http://lists.gnupg.org/pipermail/gnupg-users/2012-January/043495.html
  - Patch recon script so that POST includes HTTP version number.
2012-11-10 14:24:44 +00:00
manu
e12e7d7167 Update crudesaml to 1.4: fix build problems 2012-11-08 08:48:13 +00:00
wiz
8106bbc336 Bump PKGREVISION for patch replacements. 2012-11-07 21:07:51 +00:00
wiz
6c79a95d8c Use upstream version of dlerror() fix. 2012-11-07 21:07:37 +00:00
joerg
c232a178b7 Don't use nested functions. Bump revision. 2012-11-07 15:31:23 +00:00
wiz
1a62863a79 Remove it-seems-unneeded FreeBSD changes that were long commented out. 2012-11-07 12:24:39 +00:00
wiz
cc77ede427 Use just committed upstream change addressing c99 inline semantics. 2012-11-07 12:23:23 +00:00
wiz
8cac6c6f82 + kpcli 2012-11-07 10:32:44 +00:00
wiz
a7adefc632 Import kpcli-1.5 as security/kpcli.
A command line interface (interactive shell) to work with KeePass
1.x and 2.x database files.
2012-11-07 10:32:30 +00:00
wiz
7eb6ad50a5 + p5-File-KeePass 2012-11-07 10:24:05 +00:00
wiz
81286bf5c5 Import p5-File-KeePass-2.03 as security/p5-File-KeePass.
File::KeePass gives access to KeePass version 1 (kdb) and version
2 (kdbx) databases.

The version 1 and version 2 databases are very different in
construction, but the majority of information overlaps and many
algorithms are similar. File::KeePass attempts to iron out as many
of the differences.

File::KeePass gives nearly raw data access. There are a few utility
methods for manipulating groups and entries. More advanced manipulation
can easily be layered on top by other modules.

File::KeePass is only used for reading and writing databases and
for keeping passwords scrambled while in memory. Programs dealing
with UI or using of auto-type features are the domain of other
modules on CPAN. File::KeePass::Agent is one example.
2012-11-07 10:23:32 +00:00
drochner
7200cc5463 update to 3.0.25
changes:
--bugfixes
-added an OCSP function
2012-11-06 19:01:36 +00:00
abs
64d8a9d377 Add .include "../../devel/zlib/buildlink3.mk"
Needed on at least CentOS 6.3
2012-11-05 15:03:14 +00:00
pettai
e8f5d0cb4a Added py-Des 2012-11-04 21:58:29 +00:00
pettai
0e7a78c2ad This is a pure python implementation of the DES encryption algorithm.
It is in pure python to avoid portability issues, since most DES
implementations are programmed in C (for performance reasons).

Triple DES class is also implemented, utilising the DES base. Triple DES
is either DES-EDE3 with a 24 byte key, or DES-EDE2 with a 16 byte key.
See the "About triple DES" section below for more info on this algorithm.

The code below is not written for speed or performance, so not for those
needing a fast des implementation, but rather a handy portable solution
ideal for small usage.
2012-11-04 21:57:11 +00:00
joerg
d7aec867fe Don't order function pointers directly. Don't use non-literals as format
strings. Fix return type of intermediate used for return value of
wcrtomb.
2012-11-01 19:32:44 +00:00
wiz
76a8d9ee20 Update HOMEPAGE, from diro@nixsyspaus.org in PR 47148. 2012-10-31 22:45:47 +00:00
wen
834089b7e6 Update to 2.31
Upstream changes:
2.31    Tue Oct 30 07:03:40 EDT 2012
	- Fixes to regular expressions to avoid rare failures to
          correctly strip padding in decoded messages.
        - Add padding type = "none".
        - Both fixes contributed by Bas van Sisseren.
2012-10-30 14:35:37 +00:00
markd
c929595f7b Update to 0.4.3
4+ years worth of patches.
2012-10-28 02:00:50 +00:00
wiz
81a321a361 + KeePass. 2012-10-27 22:19:01 +00:00
wiz
787b9e1c3a Import KeePass-2.20.1 as security/KeePass.
Today you need to remember many passwords. You need a password for
the Windows network logon, your e-mail account, your website's FTP
password, online passwords (like website member account), etc. etc.
etc. The list is endless. Also, you should use different passwords
for each account. Because if you use only one password everywhere
and someone gets this password you have a problem... A serious
problem. The thief would have access to your e-mail account, website,
etc. Unimaginable.

KeePass is a free open source password manager, which helps you to
manage your passwords in a secure way. You can put all your passwords
in one database, which is locked with one master key or a key file.
So you only have to remember one single master password or select
the key file to unlock the whole database. The databases are
encrypted using the best and most secure encryption algorithms
currently known (AES and Twofish).
2012-10-27 22:18:50 +00:00
wiz
0a9e42828d Add comments to patches. 2012-10-27 17:39:12 +00:00
joerg
eec1865445 Use void for a few functions that need it. 2012-10-26 20:24:19 +00:00
joerg
e11169fee0 Allow unprivileged build on NetBSD, if bind is in base. 2012-10-24 16:05:15 +00:00
manu
e69b457213 Restore opensc-pkcs11.so functionality on NetBSD-6.0. libpthread shall
not be loaded by dlopen(), therefore we remove the useless dependency on
-lpthread
2012-10-24 09:01:40 +00:00
manu
e5cd2cc7aa Restore opensc-pkcs11.so functionality on NetBSD-6.0. libpthread shall
not be loaded by dlopen(), therefore we remove the useless dependency on
-lpthread
2012-10-24 08:33:51 +00:00
asau
1a433eae91 Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days. 2012-10-23 18:16:19 +00:00
manu
c6fc7dbcf6 Upgrade to lasso 2.3.6 in order to completely fix the libxml 2.9 dependency
ChangeLog Since 2.3.5:
 * fix a bug when receiving a signature using the InclusiveNamespaces
   PrefixList by copying namespace declaration from upper level at the level of
   the signed node.
 * fix compilation warning on recent version of GCC
2012-10-23 18:16:15 +00:00
schmonz
34a76f57a2 Restore INSTALLATION_DIRS and krb5.buildlink3.mk, lost in previous.
Indent while here.
2012-10-23 13:02:08 +00:00
elric
91a44af1fa Update to knc 1.7. 2012-10-23 06:04:28 +00:00
wiz
bf2203469a Update to 1.49:
1.49 2012-09-25
     Fixed problem where on some platforms test t/local/07_tcpecho.t would
     bail out if it could not bind port 1212. Now tries a number of ports to bind to until
     successful.
     Improvements to  unsigned casting contributed by Reini Urban.
     Improvements to Net::SSLeay::read to make it easier to use with non-blocking IO:
      contributed by James Marshall:  It modifies
      Net::SSLeay::read() to return the result from SSL_read() as the second
      return value, if Net::SSLeay::read() is called in list context.  Its
      behavior should be unchanged if called in scalar or void context.  This
      result code seems to be required for full support of non-blocking I/O,
      since users need to handle SSL_ERR_WANT_READ, SSL_ERROR_WANT_WRITE, etc.
      Fixed a problem where t/local/kwalitee.t fails with
       Module::CPANTS::Analyse 0.86. Patch from Paul.
      Fixed a number of typos patched by Giles.
      Fixed a compiler warning from Compiling with gcc-4.4 and -Wall, patched by Giles.
      Fixed problems with get_https4: documentation was wrong, $header_ref was
       not correctly set and $server_cert was not returned.
      Fixed a problem that could cause a Perl exception about no blength
      method on undef. Reported by "Stephen J. Smith via RT". https://rt.cpan.org/Ticket/Display.html?id=79309
      Added documentation about how to mitigate various SSL/TLS
     vulnerabilities.
     Fixed problem reported by Mike Doherty: SSL_MODE_* are defined in ssl.h,
     and should be available as constants, but I do not see them listed in constants.h
2012-10-21 22:28:16 +00:00
wiz
ca6e77764b Update to 20120823. Replace interpreter in installed file.
20120823
  - Fix test (RT#79129, reported by Sinan Unur)

20120822
  - Add mk-ca-bundle.pl from git repository to distribution.
  - Add new/additional certificates from the following CAs: Verisign,
    UTN-USER, UTN USERFirst, Sonera, NetLock Qualified, SwissSign
    Platinum, S-TRUST, ComSign, Actalis, Trustis, StartCom, Buypass.
2012-10-21 22:25:19 +00:00
wiz
f649ff0fea Update to 1.77:
v1.77 2012.10.05
- update_peer for IPv6 also, applied fix to
  https://rt.cpan.org/Ticket/Display.html?id=79916 by
  tlhackque[AT]yahoo[DOT]com
2012-10-21 22:22:36 +00:00
wiz
f5c04a4c23 Update to 5.72:
5.72  Mon Sep 24 15:22:08 MST 2012
	- adjusted module installation directory for later Perls
		-- As of 5.11 Perl searches 'site' first, so use that
			-- ref. INSTALLDIRS in Makefile.PL
		-- thanks to Robert Sedlacek for patch
2012-10-21 22:20:40 +00:00
wiz
271d587e0c Update to 0.64:
0.64 2012-08-06 01:23:30

- Drastically simplify Makefile.PL to resolve RT bugs #61249, #61324,
  #63553, #68208, and #68084.

- Forgot to update Changes for 0.63, so this version overrides that.


0.61_05 2012-08-04 00:40:22 UTC

- Trying to distinguish between good vs bad zero returns from underlying
  SSL_read/SSL_write broke stuff (see RT bug #78695). Revert to previous
  behavior.

- Completely re-organize Makefile.PL. I hope these changes will help take
  care of RT bugs #61324, #61249, #63553, and #68084 etc. This is not
  necessarily finished, but I want to see what happens on CPAN Testers at
  this point before making a few other minor changes.

0.60 2012-07-29 21:43:47 UTC

- Release 0.59_03 as 0.60 so distributions can pick up various fixes. The most
  important one seems to be bug RT #70565. This should take care of bug RT
  #77167

- SSL_read and SSL_write now try to handle incomplete reads/writes (see bug RT
  #64054). The current test suite is not very comprehensive, so caution
  is recommended at this point. Also, if you have good test cases, I would love
  to incorporate them into the distribution.

0.59_03 2012-03-10 00:45:28 UTC

- Bump version number and upload to CPAN.


0.59_02 2012-03-08 16:16:03 UTC

- Forgot to update Changes for 0.59_01. The following is a combined list of
  the more important fixes incorporated in both.

- Bug RT #64054: Handle incomplete reads/writes better

- Bug RT #73754: Add LWP::Protocol::https to PREREQ_PM

- Bug RT #73755: Crypt-SSLeay does not verify hosts (yet). Don't let that
  cause a failure during tests.

- Streamline t/02-live.t using Try::Tiny and done_testing

- Plus assorted related small changes.

0.58_01 2010-09-08 19:11:39 UTC

- L<text|scheme:...> is not supported in POD for 5.8.5 and earlier.
- TODOs in POD should stand out
- Add /boot/common/ssl and some other directories to unix_ssl_dirs (see bug
  #60936).
2012-10-21 22:19:14 +00:00
wiz
c5493b2090 Update to 0.13:
0.13
Updated the WRITE() method to use syswrite() and account for
variable buffer sizes in SASL.
2012-10-21 22:16:43 +00:00
wiz
55dfc797b6 Update to 2.16:
Authen-SASL 2.16 -- Tue Sep  4 11:01:18 CDT 2012

  * SASL.pod: fix typo [Peter Marschall]
  * Perl.pm: avoid warning on "uninitialized value" [Peter Marschall]
2012-10-21 22:14:51 +00:00
wen
302074d683 Update to 0.14
Upstream changes:
0.14  October 16, 2012
	- compiling with -Werror=format-security now works (Jerome Quelin, #48446)
	- Use Digest::SHA instead of Digest::SHA1 (Ansgar Burchardt, #60271)
	- Security fix, CVE-2009-0129: Missing error check in do_verify (Havard Eidnes, #79958)
2012-10-20 14:25:58 +00:00
pettai
0ab689e7ee Added scrypt 2012-10-17 22:18:56 +00:00
pettai
8c5e1963a4 A simple password-based encryption utility is available as a demonstration
of the scrypt key derivation function. On modern hardware and with default
parameters, the cost of cracking the password on a file encrypted by scrypt
enc is approximately 100 billion times more than the cost of cracking the
same password on a file encrypted by openssl enc; this means that a five-
character password using scrypt is stronger than a ten-character password
using openssl
2012-10-17 22:17:47 +00:00
adam
2eb65d47b8 MASTER_SITES fix 2012-10-12 15:37:12 +00:00
marino
131deb6dd8 security/qoauth: Fix DISTNAME and thus fetch
As soon as qoauth got PKGREV bump, this package could no longer fetch due
to a bad DISTNAME definition.  Fix DISTNAME to fix "make fetch".
2012-10-12 11:06:59 +00:00
marino
66505fc126 security/mit-krb5: Fix build for gcc 4.7
Generated file didn't pass -Werror check on gcc4.7.  The problem is
well-known and already fixed on the current version of mit-krb5.  The
patch added here was taken from upstream.

No revbump necessary, won't change binary on systems that already built it.
2012-10-12 08:06:25 +00:00
drochner
fbe4403ddf update to 3.0.24
changes:
-better IPv6 support
-bugfixes
-minor improvements
2012-10-10 11:44:30 +00:00
adam
3f2cc57b2b Revbump after updating graphics/pango 2012-10-08 23:00:34 +00:00
pettai
e1dba2d577 Update to Botan 1.8.14:
* 1.8.14, 2012-07-18

- The malloc allocator would return null instead of throwing in the event of
  an allocation failure, which could cause an application crash due to null
  pointer dereference where normally an exception would occur.
- Recent versions of OpenSSL include extra information in ECC private keys,
  the presence of which caused an exception when such a key was loaded by
  botan. The decoding of ECC private keys has been changed to ignore these
  fields if they are set.
- AutoSeeded_RNG has been changed to prefer /dev/random over /dev/urandom
- Fix detection of s390x (Debian bug 638347)
2012-10-08 20:46:38 +00:00
jaapb
ff1184e506 Revision bump associated with the update of lang/ocaml to version 4. 2012-10-08 15:18:20 +00:00
obache
8cc5681344 PKGNAME_NOREV must be used for DISTNAME.
fixes PR pkg/47043.
2012-10-07 12:31:13 +00:00
adam
a578ad0559 Small clean-up 2012-10-05 20:01:23 +00:00
cheusov
daafb85bd9 CONFLICTS between lang/sr and security/srm 2012-10-05 17:17:04 +00:00
apb
4fb000c8e0 In the PLIST, add four files in ${PYSITELIB}/${EGG_INFODIR}.
In the Makefile, remove PYDISTUTILSPKG=yes, add
.include "../../lang/python/egg.mk", and set PKGREVISION=1.

This fixes errors from "make package" complaining about files
that were installed but not present in the PLIST.
2012-10-05 10:14:46 +00:00
wiz
6bbbe9db41 Add build dependency on p5-Perl4-CoreLibs, needed since a script
uses find.pl.
Reported by Jörn Clausen in PR 47036.
2012-10-05 09:36:31 +00:00
pettai
5e8f65790b validns 0.6
Support for TLSA records.
Support for ILNP (NID, L64, L3, LP) records (untested).
Support for IPSECKEY records.
Handle TYPEXXX for known types correctly.
A number of NSEC3-related bug fixes.
Miscellaneous bug fixes.
2012-10-04 20:30:57 +00:00
cheusov
4b97be0632 Bump revision for packages with changed CONFLICTS (PYTHON_SELF_CONFLICT) 2012-10-04 00:21:58 +00:00
cheusov
11c7685b77 CONFLICTS between python modules 2012-10-03 23:40:35 +00:00
wiz
8b5d49eb78 Bump all packages that use perl, or depend on a p5-* package, or
are called p5-*.

I hope that's all of them.
2012-10-03 21:53:53 +00:00
adam
69071e0c48 ClamAV 0.97.6 includes minor bug fixes and detection improvements. 2012-10-03 10:39:13 +00:00
wiz
5b31383393 Update to 2.14:
* Noteworthy changes in release 2.14 (2012-09-24) [stable]
- Added asn1_read_node_value() to obtain a node's value.
  This is to deprecate the export of the node_asn internal structure
  for the upcoming 3.x release.  The ASN1_DATA_NODE type and the
  ASN1_ETYPE_* constants were added to support the new function.
2012-10-02 17:36:00 +00:00
tron
14215633d2 Mass recursive bump after the dependence fix of the "cairo" package
requested by Thomas Klausner.
2012-10-02 17:10:28 +00:00
he
e891f8d269 Apply a fix for CVE-2009-0129, taken from Debian's problem report.
Also reported upstream, ref.
  https://rt.cpan.org/Public/Bug/Display.html?id=79958
Bump PKGREVISION.
2012-10-02 07:58:00 +00:00
adam
aacf7eeb82 Fix building on Darwin 2012-09-28 12:31:59 +00:00
obache
278be50828 add patches for libxml2>=2.9.0, new buffer structure. 2012-09-28 11:59:18 +00:00
obache
1bb83baca4 LICENSE=gnu-gpl-v2 2012-09-28 11:52:22 +00:00
obache
c580487448 missing parts of recursive revbump for gnutls update. 2012-09-23 10:47:45 +00:00
obache
cf91a942ab Install man source into $(mandir)/man8 instead of catman for saslauthd(8),
or manpage will not be displayed correctly with man(1).
It also fixes installation failure for platforms missing `nroff -mandoc'.

Bump PKGREVISION.
2012-09-22 06:20:21 +00:00
jaapb
15f34883c2 Added my missing package subdirectories to category Makefiles. 2012-09-20 06:44:28 +00:00
jaapb
a235c45384 Added qoauth 1.0.1 as security/qoauth.
QOAuth is a library to support interaction with OAuth-powered network services,
such as StatusNet or Twitter, in a Qt way.
2012-09-16 20:03:31 +00:00
cheusov
01a9e63b67 CONFLICTS with gethost-[0-9]*; ++pkgrevision
Fixes for minor pkglint warnings
2012-09-16 19:24:24 +00:00
cheusov
f090dd0fad CONFLICTS with STk-[0-9]*; ++pkgrevision
Set LICENSE
Fix pkglint warnings
2012-09-16 18:02:55 +00:00
taca
a113854d99 Make this package to ruby18 (Ruby 1.8.7) only. 2012-09-16 16:35:13 +00:00
dholland
1dd5c30c35 Fix this properly; retrieve the random pool size the same way rndctl(8)
does. Thanks to tls@ for pointers. PKGREVISION -> 2.
2012-09-16 04:33:43 +00:00
dholland
46307ffd88 Deploy a gross hack to make this buildable on -current and maybe -6.
XXX: This should be reverted and done a different way, or maybe not at all;
XXX: this package should probably be reviewed for soundness.
2012-09-16 03:21:47 +00:00
obache
d76d024350 Recursive bump from mysql51-client library changed to use openssl. 2012-09-15 15:03:21 +00:00
obache
c38c120ee5 recursive bump from libffi shlib major bump
(additionally, reset PKGREVISION of qt4-* sub packages from base qt4 update)
2012-09-15 10:03:29 +00:00
taca
fb165a9924 Update F-PROT Antivirus to 6.2.2.
Quote from release announce:

The only changes in this version are licensing information updates in the
documentation.
2012-09-14 15:50:26 +00:00
cheusov
58f39652f4 Remove emacs from dependencies because it may be used
by other programs. One example is ssmtp. ++pkgrevision
2012-09-14 13:20:22 +00:00
jperkin
d7585a0e53 USE_TOOLS+= xgettext 2012-09-12 11:28:48 +00:00
dholland
ea04518bde USE_TOOLS+=yacc 2012-09-11 19:46:57 +00:00
cheusov
cce4902285 CONFLICTS with heimdal, libdes and arla; ++pkgrevision 2012-09-09 18:02:43 +00:00
abs
6ee04442e9 Updated security/p5-pcsc to 1.4.12
2011-03-06  Ludovic Rousseau  <rousseau@debian>

	* README: release 1.4.12

	* PCSC.xs: Also check for SVt_PVIV and not just SVt_IV.

	Fixes Debian bug #613722 "libpcsc-perl: GetStatusChange error after print"

	* PCSC.xs, PCSC.pm, test.pl: Use lines of less than 80 columns

2010-10-27  Ludovic Rousseau  <rousseau@debian>

	* create_distrib.sh: compress using bzip2 instead of gzip

	* README: release 1.4.11

	* PCSCperl.h: SCardCancelTransaction() is no more present in pcsc-lite

	* PCSC.pm, PCSC.pod, PCSC.xs, PCSCperl.h:
	SCardSetTimout is no more present in pcsc-lite > 1.6.4
	It was a pcsc-lite specific and deprecated function

2010-08-18  Ludovic Rousseau  <rousseau@debian>

	* PCSCperl.h:
	use SCARD_READERSTATE * instead of LPSCARD_READERSTATE since it is not
	defined in pcsc-lite < 1.6.3

	* README: release 1.4.10

	* PCSC.pm, PCSC.xs, PCSCperl.h, README: Update copyright date

	* create_distrib.sh: Allow more than one digit in the version numbers

	* PCSC.xs, PCSCperl.h:
	Use LPSCARD_READERSTATE instead of LPSCARD_READERSTATE_A since it is no
	more defined in pcsc-lite >= 1.6.2

2010-06-30  Ludovic Rousseau  <rousseau@debian>

	* README: release 1.4.9

	* PCSC.pm, PCSC.pod, PCSC.xs: sort constants in alphabetical order

	* PCSC.pod, PCSC.xs:
	SCARD_E_UNSUPPORTED_FEATURE is not specific to pcsc-lite but is also
	available on Windows

	* PCSC.pm, PCSC.pod, PCSC.xs:
	SCARD_W_INSERTED_CARD is no more defined in pcsc-lite 1.6.0 and then
	pcsc-perl failed to build. It was an error code specific to pcsc-lite.

2010-01-03  Ludovic Rousseau  <rousseau@debian>

	* Card/Card.pod: fix spelling error

2009-09-23  Ludovic Rousseau  <rousseau@debian>

	* README: release 1.4.8

	* Card/Card.pod: Correct 3 bugs signaled by podchecker

2009-09-06  Ludovic Rousseau  <rousseau@debian>

	* PCSC.xs:
	PCSC.xs:853: warning: format ‘%d’ expects type ‘int’, but argument 2 has type ‘long unsigned int’

2008-09-28  Ludovic Rousseau  <rousseau@debian>

	* PCSC.pod: example code for GetStatusChange()
2012-09-09 13:27:21 +00:00
cheusov
68e8e25768 Add CONFLICTS with kth-krb4 (lib/libsl.so) 2012-09-09 09:23:06 +00:00
adam
b15c922bcc Revbump after updating graphics/cairo 2012-09-07 19:16:05 +00:00
obache
edaf39b717 Update ruby-oauth to 0.4.7.
=== 0.4.7 2012-09-03

* Fix merging paths if the path is not empty
* Set a configurable timeout for all requests (Rick Olson)
* Fix nested hash params in Consumer#request (Ernie Miller)
2012-09-06 12:30:44 +00:00
sno
a76f11d1e6 Changing all PERL5_MODULE_TYPE from Module::Install to M::I::Bundled,
Module::Install is for Authors only.

Bumping revision
2012-09-03 11:16:19 +00:00
obache
fb0eef126f Recursive bump from boost-libs update. 2012-08-29 11:22:09 +00:00
dholland
9b1702d6f4 Not MAKE_JOBS_SAFE. 2012-08-29 09:05:31 +00:00
wiz
e2ba6e8af3 Explicitly disable guile. PR 46830 by Sergey Litvinov. 2012-08-24 13:36:52 +00:00
marino
f162cdcb03 Recursive PKGREVISION bump for tcl and tk upgrade to 8.5.12 2012-08-21 23:49:18 +00:00
marino
4fe31feae5 security/tcl-tls: Add tcl 8.5 support
The PLIST was hardcoded for libtls150.so.  Built with tcl 8.5, the
generated library becomes libtls85.so.  Use the tcl Makefile.version
file to generate a PLIST_SUBST variable to make this future-proof.
2012-08-21 21:56:13 +00:00
adam
9d58e8aad0 Changes 1.10.3:
This is a bugfix release.
* Fix KDC uninitialized pointer vulnerabilities that could lead to a denial of
  service [CVE-2012-1014] or remote code execution [CVE-2012-1015].
* Correctly use default_tgs_enctypes instead of default_tkt_enctypes for TGS
  requests.
2012-08-20 08:16:26 +00:00
ryoon
64bdcdcffe Recursive revbump from graphics/libwebp update.
Thank you, obache@.
2012-08-18 08:49:40 +00:00
drochner
d8e71a2927 sync w/ base pkg 2012-08-15 17:48:44 +00:00
drochner
ea3243ab08 update to 0.8.2
changes:
* New SETTIMEOUT command for the qt4 pinentry.
* Wide character support for the curses pinentry.
* Various bug fixes.
2012-08-15 17:47:56 +00:00
wiz
d723819d10 Update to 1.6 from Jaap Boender in PR 46800:
This update of ocaml-cryptokit to its newest version, 1.6, does
not actually change anything in the functionality of the software.
Upstream, the build system has changed, and there are also a few
changes to the package (most notably, removal of the PLIST.opt in
favour of the PLIST_VARS system)
2012-08-15 08:24:58 +00:00
drochner
80051dbe31 update to 2012.55
changes: fix a use-after-free bug which could be used to potentially
execute arbitrary code with root privileges, provided that the user
has been authenticated using a public key and also that a command
restriction is enforced (the "command" option must be used in
the authorized_keys file)
2012-08-13 17:47:26 +00:00
wiz
744c90554a Bump PKGREVISION for fix in librsvg/buildlink3.mk. 2012-08-13 14:25:37 +00:00
pettai
7c057155a7 OpenDNSSEC 1.3.10
Bugfixes:
* SUPPORT-30: RRSIGs are left in the signed zone when authoritative RRsets
  become glue [OPENDNSSEC-282].
* OPENDNSSEC-261: Ldns fails to parse RR that seems syntactically correct.
  Was due to memory allocation issues. Provided better log message.
* OPENDNSSEC-285: Signer segfault for 6 or more -v options
* OPENDNSSEC-298: Only unlink existing pidfile on exit if we wrote it.
* OPENDNSSEC-303: Return if open/parse of zonelist.xml fails in ksmutil.c
  update_zones() and cmd_listzone().
* OPENDNSSEC-304: Signer Engine: Check pidfile on startup, if pidfile exists
  and corresponding process is running, then complain and exit.
* Signer seems to hang on a ods-signer command. Shutdown client explicitly
  with shutdown().
* opendnssec.spec file removed
2012-08-13 13:50:06 +00:00
marino
6e2e78a24d security/aide06: Fix regression caused by bison 2.6.x
Bison 2.6.x+ handles the yydebug functionality differently by predefining
YYDEBUG.  The yacc logic is not expecting YYDEBUG to be defined without
a value, so it breaks on an "#if YYDEBUG" macro in a few places.

In order to make this work with pre-2.6 bison as well as current versions,
hard code the inclusion of debug symbols.  It doesn't hurt anything and
it fixes the package.
2012-08-12 09:15:07 +00:00
agc
c0417eaff4 add and enable dhbitty 2012-08-11 17:44:46 +00:00
agc
875b06d029 Import dhbitty-20120812 into the Packages Collection.
dhbitty is a small public key encryption program written in C.  It
	uses elliptic curve Diffie-Hellman in the form of Curve25519 to
	establish a shared secret between two users, and uses that secret to
	symmetrically encrypt and authenticate messages.

	There are no private key files; only passphrases.  Never lose that
	pesky thing again.

	Both the sender and the receiver can decrypt a message.  In fact,
	there is no distinction between sender and receiver.  Both passphrases
	must be strong.

	There is no signing.  A similarly useful form of authentication occurs
	using only DH.  dhbitty attempts to be as simple as possible.  It is
	not optimized, but achieves a comfortable speed for most uses.  It
	does not use floating point numbers, or integers longer than 32 bits.
	It does not contain more algorithms than are needed.

Example

   This is how Alice generates her public key with dhbitty:
$ dhbitty generate alice_public_key.txt
username:passphrase (this is visible!): alice:Keyfiles be damned!
Done.

   Bob will do the same thing:
$ dhbitty generate bob_public_key.txt
username:passphrase (this is visible!): bob:Bob's Spectacular Passphrase
Done.

   Alice will publish her alice_public_key.txt, and Bob will publish his bob_public_key.txt. They can now access each other's
   public keys. (But they should be careful that Eve cannot surreptitiously replace either public key with her own!)

   Alice wants to send files to Bob. She packages them into a .tar archive (or any other type of archive with timestamps), along
   with her message. Then she uses dhbitty:
$ dhbitty encrypt bob_public_key.txt files_to_bob.tar files_to_bob.tar.dhbt
username:passphrase (this is visible!): alice:Keyfiles be damned!
Done.

   Alice sends files_to_bob.tar.dhbt to Bob. Bob will use dhbitty to decrypt this archive:
$ dhbitty decrypt files_to_bob.tar.dhbt files_to_bob.tar
username:passphrase (this is visible!): bob:Bob's Spectacular Passphrase
This is the public key of file's secondary owner:
0002f02b318c307bac07f3148a33c975cea04b79a870f0a5c7771cd38cc1986e
Done.

   Bob can verify that the public key dhbitty just gave him indeed is Alice's public key. He unpacks the now-decrypted archive to
   access the files Alice sent to him.

   In practice, Alice and Bob should use a system like diceware to pick passphrases, in order to be confident of their strength.
   Seven words picked using diceware is a good choice.
2012-08-11 17:43:46 +00:00
jmmv
22c442d5cb Update to 1.0: use distfile provided by upstream. 2012-08-11 17:09:43 +00:00
marino
36983f3327 security/isakmpd: Mark NOT-FOR-DRAGONFLY
DragonFly users are referred to the security/racoon2 instead.
2012-08-11 14:20:55 +00:00
marino
89b4b5d538 security/mit-krb5: USE_TOOLS+= msgfmt
Note: Nobody that uses git from pkgsrc can install this package.
It conflicts with security/heimdal which is sucked in by dependencies
of scmgit-base.  Since the default way of acquiring pkgsrc on
DragonFly is via git, which is provided by the releases and daily
snapshots, effectively this can't be installed by DragonFly users.

Solving the conflict with heimdal, if possible, would be nice.
2012-08-09 20:15:20 +00:00
drochner
412500875c update to 3.0.22
changes: bugfixes
2012-08-09 18:58:11 +00:00
obache
0b55e28b08 Improve detection of __sync_add_and_fetch, avoid compiler optimization.
Fixes PR 46779.
2012-08-07 13:54:21 +00:00
obache
ab4e71d90b Bump PKGREVISION for change of PostgreSQL default version to 9.1. 2012-08-05 10:02:09 +00:00
jperkin
e74bfc77b2 Avoid conflict between gets() and std::gets().
Fixes build on at least Solaris.
2012-08-02 09:37:32 +00:00
reed
a55e394bb1 needs newer dbus to build 2012-07-28 21:48:17 +00:00
drochner
97105d25b5 update to 3.0.21
changes
-DTLS improvements
-bugfixes
2012-07-24 18:34:06 +00:00
obache
d598fed952 Update ruby-simple_oauth to 0.1.9.
bug fixes.
2012-07-22 12:38:41 +00:00
wiz
538b21e104 Remove "WWW: URL" from DESCR. Common in FreeBSD ports, but in pkgsrc the
URL should be as HOMEPAGE in the Makefile.
2012-07-21 20:07:59 +00:00
fhajny
2b5463c3bf Add back hashes for HPN, dropped in the last commit 2012-07-20 14:17:23 +00:00
adam
c9aa0da9b6 Changes 7.6.4:
Bug fixes
2012-07-20 09:58:36 +00:00
marino
0f60aa6408 security/zkt: Fix DragonFly regression
When this package was updated to version 1.1, it stopped building on
DragonFly.  The main issue is that DragonFly doesn't have bind in its
base.  NetBSD does, so zkt finds it there, but otherwise it needs
the configuration switch --enable-binutil-path to be used.  This was
added for DragonFly to point at ${PREFIX}/sbin.

zkt requires bind to be installed in order to build.  Unlike other
packages like python, postgresql, and ruby where the mk.conf can
define a version otherwise a default is used, no such mechanism
exists to hand the four separate bind packages (at least I don't know
about one).  So the inclusion of bind99 is a hack I'm not too proud
of, but I don't have a better solution.  With it, it builds in clean
environments like pbulk chroot and Tinderbox.  If an individual user
is building from source, they'll be smart enough to comment out this
include if another version of bind is already installed (zkt will
fail on a bind build conflict).

I suspect DragonFly is rather unique in not having bind in base, so
for now this is left as a DragonFly-specific section.  Something
like net/bind99/builtin.mk could possibly be used to determine if
no builtin bind is available and thus follow DragonFly approach.  I
shall leave it to others to decide.
2012-07-18 20:44:38 +00:00
marino
158bca4c2b security/openvas-libraries: Fix regression due to upgrade to gnutls 3.0
GNUTLS deprecated gnutls_transport_set_lowat function in version 2.12.0
and finally removed it with version 3.0, breaking any packages that
still reference it.

The lowat feature is now disabled permanently I think.
The patch uses the GNUTLS_VERSION_NUMBER macro to appropriately conceal
the function reference.  The same patch is widely seen on the 'net with
other packages that use gnutls like OpenVAS.
2012-07-18 09:52:44 +00:00
jperkin
a4d180248e Fix install on at least Solaris. 2012-07-18 09:48:10 +00:00
cheusov
2aa6ec1e87 Take maintainership. FUKAUMI Naoki didn't object. 2012-07-17 23:19:19 +00:00
cheusov
403aa6d3af starttls.{el,elc} files are not provided by the package anymore. The problem
is starttls's implementation is incompatible with emacs 22, 23 and probably
24 too, as a result sending emails with ssl/tls authorization fails due to
this conflict.  emacs-21 has its own starttls.el too and I believe it is also
sufficient. I wonder if someone still uses emacs-20 and its smtpmail.el for
sending emails. This change was tested on NetBSD-6 and emacs-{22,23}.

starttls package now DEPENDS on emacs-[0-9]*, that is any emacs flavour is
good enough

Set LICENSE to gnu-gpl-v2

++pkgrevision
2012-07-17 18:08:02 +00:00
marino
e57f3be0c6 security/libgpg-error: Disable NLS on i386-DragonFly
It seems that I386 DragonFly (x86_64 is okay), invoking libintl's
bindtextdomain causes pkgsrc's libintl to segfault on a thread
locking operation.  Anything linking with libgpg-error on i386
will consequently core dump.

Recognizing this is treating the symptom, this patch disables NLS on
I386 DragonFly.
2012-07-17 16:01:10 +00:00
adam
725bae20f5 MASTER_SITES cosmetic change 2012-07-16 19:13:23 +00:00
adam
f013b18e21 Changes 1.10.2:
This is a bugfix release.
* Fix an interop issue with Windows Server 2008 R2 Read-Only Domain Controllers.
* Update a workaround for a glibc bug that would cause DNS PTR queries to occur
  even when rdns = false.
* Fix a kadmind denial of service issue (null pointer dereference), which could
  only be triggered by an administrator with the "create" privilege.
  [CVE-2012-1013]

Changes 1.10.1:
This is a bugfix release.
* Fix access controls for KDB string attributes [CVE-2012-1012]
* Make the ASN.1 encoding of key version numbers interoperate with Windows
  Read-Only Domain Controllers
* Avoid generating spurious password expiry warnings in cases where the KDC
  sends an account expiry time without a password expiry time.
2012-07-16 19:12:33 +00:00
cheusov
774894a7d9 Fix a segfault of starttls(1) when run without arguments
Add LICENSE
++pkgrevision
2012-07-15 11:12:21 +00:00
wiz
68808ff07a Recursive bump for startup-notification* dependency change, requested
by Obache.
2012-07-15 08:22:46 +00:00
wiz
2fdc1951b3 Update to 0.4.6, from Jaap Boender.
0.4.6 (2011-10-16)
=====
* Added write_certificate function.
* Remove support for SSLv2, which was dropped upstream (thanks Dario Teixeira).
* Added support for compiling under Win32 (thanks David Allsopp), see
  README.win32.
* Check for pthreads in configure.

0.4.5 (2011-03-01)
=====
* Use pthread mutexes for locking thread-safe version of ssl.

0.4.4 (2010-01-06)
=====
* Use SSL_CTX_use_certificate_chain_file instead of
  SSL_CTX_use_certificate_file.
* Added support for --enable-debugging configure option.
* Don't link with unix library and don't build in custom mode.

0.4.3 (2008-12-18)
=====
* Don't use blocking sections in finalizers since it causes segfaults (thanks
  Grégoire Henry and Stéphane Glondu).
2012-07-14 21:23:49 +00:00
chs
d2ebeaf863 update required version to 2.4, the new gnutls needs it. 2012-07-09 04:50:12 +00:00
sbd
66d564092a Add missing zlib buildlink.
Bump PKGREVISION.
2012-07-08 09:56:09 +00:00
sno
df53adfcc0 Updating package for Perl 5 module Digest::MD5 in security/p5-Digest-MD5
from 2.51nb1 to 2.52.

Upstream changes:
2012-06-08   Gisle Aas <gisle@ActiveState.com>

   Gisle Aas (3):
      Wrong version number in the changelog
      The t/threads.t was missing from the MANIFEST
      Update expected digests for files

   Andrew Fresh (1):
      Remove double the

   Lyle Hopkins (1):
      Digest::Perl::MD5 OO fallback didn't work [RT#66634]

   Peter J. Acklam (1):
      Fix typos (spelling errors) in cpan/Digest-MD5/*

   Shlomi Fish (1):
      Modernize the code in the POD.

   Zefram (1):
      Makes Digest::MD5 work on Perl 5.6 [RT#75032]
2012-07-06 13:22:13 +00:00
sno
57f47ce5e1 Updating package for Perl 5 module IO::Socket::SSL in
security/p5-IO-Socket-SSL from 1.74 to 1.76.

Upstream changes:
v1.76 2012.06.18
- no longer depend on Socket.pm 1.95 for inet_pton, but use Socket6.pm if
  no current Socket.pm is available. Thanks to paul[AT]city-fan[DOT]org
  for pointing out the problem and providing first patch
v1.75 2012.06.15
- made it possible to explicitly disable TLSv11 and TLSv12 in SSL_version
2012-07-06 13:19:11 +00:00
drochner
42af5f5213 revbump for libprelude requirement bump 2012-07-05 16:09:18 +00:00
drochner
2142a6e475 recursive revbump for gnutls update 2012-07-05 16:07:18 +00:00
drochner
409e7305ec more PKGREV bumps for gnutls update 2012-07-05 15:44:06 +00:00
drochner
8deeeefe61 make this build with gnutls-3, bump PKGREV 2012-07-05 15:42:55 +00:00
drochner
fca1e4d901 update to 3.4.1
This switches to the gnome-3.4 branch
(Seems to be source and binary compatible to the 2.32 one, no need
to keep the old version.)
2012-07-04 20:10:25 +00:00
schwarz
fbefc3d38a patch away special paths for MacOS X since they are not supported by pkgsrc.
Treat MacOS X just like any other UNIX system.
2012-07-03 18:37:55 +00:00
schwarz
c3a6da66ea added LICENSE information 2012-07-03 18:36:56 +00:00
drochner
2ff8452a3b update to 3.0,20
This switches to the new stable release branch.
2012-07-02 18:53:02 +00:00
drochner
fc69fe9da2 update to 2.0.3
changes:
-fix for pipe servers
-build system improvements
2012-07-02 16:59:40 +00:00
drochner
b5d205e771 update to 1.12.20
changes: bugfixes:
-Fixed memory leak in PKCS #8 key import
-Check key identifiers when checking for an issuer

pkgsrc note: This is just a last checkpoint on the 2.x branch, in case
 it will be needed for the Q2 branch. Will update to 3.x RSN.
2012-07-02 16:30:01 +00:00
adam
9fde0ec108 Revbump after updating boost 2012-07-02 13:37:35 +00:00
adam
f9cc9ed261 Changes 0.97.5:
* libclamav: Scan output at end of truncated tar
* libclamav: Fix handling of tar file with malformed header
* libclamav: Scan chm with invalid handling
* freshclam: give custom dbs higher priority during update
* libclamav: detect read races and abort the scan with an error
* libclamav/pe.c: drop old header check
2012-07-02 07:12:58 +00:00
gls
1c5d292bad Update security/py-ssh to 1.7.14
Upstream changes:
-----------------

## ssh 1.7.14 (2012-05-07)

* #15: Implemented parameter substitution in SSHConfig, matching the
  implementation of `ssh_config(5)`. Thanks to Olle Lundberg for the patch.
* #24: Switch some internal type checking to use `isinstance` to help prevent
  problems with client libraries using subclasses of builtin types. Thanks to
  Alex Morega for the patch.
* [Fabric #562](https://github.com/fabric/fabric/issues/562): Agent forwarding
  would error out (with `Authentication response too long`) or freeze, when more
  than one remote connection to the local agent was active at the same time.
  This has been fixed. Thanks to Steven McDonald for assisting in
  troubleshooting/patching, and to GitHub user `@lynxis` for providing the
  final version of the patch.
2012-07-01 19:24:34 +00:00
dholland
f91b8b8497 Add desktopdb.mk and bump PKGREVISION for 118 packages as reported by
pkglint. If any of these are wrong for some reason, please revert/adjust.
2012-07-01 19:05:10 +00:00
dholland
66645e1edd Mask this on apache24 as it doesn't compile. 2012-06-30 20:20:44 +00:00
taca
63c956ee25 Update F-PROT Antivirus packages to 6.2.1.
===
F-PROT Antivirus for Unix, version 6.2.1

Compatibility for older Linux distros improved (glibc 2.3 for 32 bit version and glibc 2.4 for 64 bit version)

Compatibility for older Solaris/SunOS version improved (both 32 and 64 bit versions are compatible with solaris 8 now)

64 bit FreeBSD now supported

===
F-PROT Antivirus for Unix, version 6.2.0

Scan engine upgraded from 4.6.2 to 4.6.5 with improved detection rates and fewer false positives.

Multiple issues with the mail scanners have been fixed.

===
F-PROT Antivirus for Unix, version 6.1.1

fpupdate fix to prevent crash on certain 64 bit Linux systems.
2012-06-29 14:49:38 +00:00
jperkin
5c63cdc4ea Add missing INSTALLATION_DIRS. 2012-06-24 07:20:23 +00:00
dholland
d706bf66e8 Honor pkgsrc LIBS. 2012-06-23 23:07:20 +00:00
pettai
2eef658743 OpenDNSSEC 1.3.9
* OPENDNSSEC-277: Enforcer: Performance optimisation of database access.

Bugfixes:
* SUPPORT-27: ods-ksmutil: simplify zone delete so that it only marks keys as
  dead (rather than actually removing them). Leave the key removal to purge
  jobs.

(Ok'ed by wiz@)
2012-06-21 12:46:12 +00:00
dholland
d8014ca40b Not MAKE_JOBS_SAFE. 2012-06-16 23:45:39 +00:00
dholland
8944672d59 Add patch I've been carrying around to fix the MAKE_JOBS build. 2012-06-16 23:21:14 +00:00
pettai
c1163104ad zkt 1.1 -- 30. Jan 2012
* misc  Release numbering changed to three level "major.minor.revision" scheme
* bug   REMOVE_HOLD_TIME was set to 10 days only (Thanks to Chris Thompson)
* doc   Improved README file (Thanks to Jan-Piet Mens)
* misc  Fix of some typos in log messages
* bug   Fixed error in rollover.c (return code of genfirstkey() wasn't checked)
* misc  Default of KeySetDir changed from NULL to ".." (best for hierarchical mode)
        Default Sig Lifetime changed from 10 days to 3 weeks (21 days)
        Default ZSK lifetime changed from 3 months to 4 times the sig lifetime
        Default KSK lifetime changed from 1 year to 2 years
        Parameter checks in checkconfig() adapted.
        KSK random device changed back from /dev/urandom to BIND default
        (Be aware of some possibly long delay in key generation)
* func  New configure option to set the bind utility path manually (--enable-bindutil_path)
        BIND_UTIL_PATH in config_zkt.h will no longer be used
* bug   If nsec3 is turned on and KeyAlgo (or AddKeyAlgo) is RSHASHA1
        or DSA, genkey() uses algorithm type NSECRSASHA1 or NSEC3DSA instead.
* bug   Error in printconfigdiff() fixed. (Thanks to Holger Wirtz)
* func  Description added to (some of the) dnssec.conf parameters
* func  Adding a patch from Hrant Dadivanyan to always pre-publish ZSKs
* misc  Config file syntax changed to parameter names without underscores.
        zkt-conf uses ZKT_VERSION string as config version
* bug   "make install-man" now installs all man pages
* bug   Bug fixed in zfparse.c. zkt-conf was unable to detect an already
        included dnskey.db file if another file was included.
* misc  destination dnssec-zkt removed from Makefile.in
* func  dki_prt_managedkeys() added to dki.c
        zkt_list_managedkeys() added to zkt.c
        zkt-ls has new option -M to print out a list of managed-keys
* bug   Bug fixed in the config parser (zconf.c). Couldn't parse
        algorithm RSASHA512 correctly (Thanks to Michael Sinatra)
2012-06-16 22:55:25 +00:00
dholland
ed7688d974 Remove 52 from PHP_VERSIONS_ACCEPTED. 2012-06-16 22:34:23 +00:00
pettai
3a38288d0b pam-krb5 4.6
* Add an anon_fast option that attempts anonymous authentication
    (generally implemented via anonymous PKINIT inside the Kerberos
    library) and then, if successful, uses those credentials for FAST
    armor.  If fast_ccache and anon_fast are both specified, anonymous
    authentication will be used as a fallback if the specified FAST ticket
    cache doesn't exist.  Based on patches from Yair Yarom.
  * Add a user_realm option to only set the realm for unqualified user
    principals.  This differs from the existing realm option in that realm
    also changes the default realm for authorization decisions and for
    verification of credentials.  Update the realm option documentation to
    clarify the differences and remove incorrect information.  Patch from
    Roland C. Dowdeswell.
  * Add a no_prompt option to suppress the PAM module's prompt for the
    user's password and defer all prompting to the Kerberos library.  This
    allows the Kerberos library to have complete control of the prompting
    process, which may be desirable if authentication mechanisms other
    than password are in use.  Be aware that, with this option set, the
    PAM module has no control over the contents of the prompt and cannot
    store the user's password in the PAM data.  Based on a patch by Yair
    Yarom.
  * Add a silent option to force the module to behave as if the
    application had passed in PAM_SILENT and suppress text messages and
    errors from the Kerberos library.  Patch from Yair Yarom.
  * Add preliminary support for Kerberos trace logging via a trace option
    that enables trace logging if supported by the underlying Kerberos
    library.  The option takes as an argument the file name to which to
    log trace output.  This option does not yet work with any released
    version of Kerberos, but may work with the next release of MIT
    Kerberos.
  * MIT Kerberos does not add a colon and space to its password prompts,
    but Heimdal does.  pam-krb5 previously unconditionally added a colon
    and space, resulting in doubled colons with Heimdal.  Work around this
    inconsistency by not adding the colon and space if already present.
  * Fix alt_auth_map support to preserve the realm of the authentication
    identity when forming the alternate authentication principal, matching
    the documentation.
  * Document that the alt_auth_map format may contain a realm to force all
    mapped principals to be in that realm.  In that case, don't add the
    realm of the authentication identity.  Note that this can be used as a
    simple way to attempt authentication in an alternate realm first and
    then fall back to the local realm, although any complex attempt at
    authentication in multiple realms should instead run the module
    multiple times with different realm settings.
  * Avoid a NULL pointer dereference if krb5_init_context fails.
  * Fix initialization of time values in the module configuration on
    platforms (like S/390X) where krb5_deltat is not equivalent to long.
  * Close a memory leak when search_k5login is set but the user has no
    .k5login file.
  * Close several memory leaks in alt_auth_map support.
  * Suppress bogus error messages about unknown option for the realm
    option.  The option was being parsed and honored despite the error.
  * Retry authentication under try_first_pass on several other errors in
    addition to decrypt integrity check errors to handle a wider array of
    possible "password incorrect" error messages from the KDC.
  * Update to rra-c-util 4.4:
  * Update to C TAP Harness 1.12:
2012-06-16 22:15:23 +00:00
pettai
a47e0c263a Add pam.bl3.mk. 2012-06-16 22:06:34 +00:00
dholland
e81d420427 +gnome-keyring-sharp 2012-06-16 22:01:17 +00:00
dholland
0f9463f6ac Import gnome-keyring-sharp from wip (with only a couple trivial adjustments)
so f-spot can use it.
2012-06-16 22:00:23 +00:00
pettai
3ac4b134f3 1.3.6
* Added libpam-runtime support for debian
* Added use_first_pass and try_first_pass option, thanks to Luc Ducazu <lducazu@gmail.com>
* Changed e-mail address to jeroen@jeroennijhof.nl
* Improved accounting, added cmd attribute for command logging
* Added tac_acct_flag2str()
* Renamed tac_account_read, tac_account_send to tac_acct_read and tac_acct_send
* pam_tacplus.spec.in: fixed static library path and pam_tacplus.so location
* Debian packaging improvements
2012-06-16 21:59:41 +00:00
pettai
956d7d2539 1.12.2 (5/3/12)
- Bug fix release
   - Rollerd's -alwayssign flag logic had a critical error that could
     have caused a zone to be signed with the wrong ZSK at particular
     points of the ZSK key rolling process.
2012-06-16 21:25:58 +00:00
pettai
4928453dd3 Version 2.12 (released 2012-06-15)
* Only use libyubikey when --with-cr is used.

 * Set correct permissions on tempfile.

 * YubiKey 2.2 contains a bug in challenge-response that makes it output the
   same response to all challenges unless HMAC_LT64 is set. Add warnings to
   ykpamcfg and a warning through conversate in the pam module. Keys programmed
   like this should be reprogrammed with the HMAC_LT64 flag set.
2012-06-16 20:45:33 +00:00
pettai
eac69ed19e Version 1.6.4 (released 2012-05-24)
* Implement option -ooath-id to easily set OATH token identifier.

 * Fix numerous compiler warnings from clang. Thanks to
   Clemens Lang <neverpanic@gmail.com>.
2012-06-16 20:38:51 +00:00
pettai
2a4aab7de0 Version 2.8 (released 2012-06-15)
* ykclient: Add C++ namespace protection.

 * Add multi-server support with curl_multi.
   Enabled by default for YubiCloud servers.
   Settable with the new library function set_template_urls() or
   the urls parameter to ykclient_verify_otp_v2().

 * Remove extra % in ykclient help.

 * Add ca path option to ykclient, --ca.
   Patch from Jay Kline <jay.kline.ctr@hpcmo.hpc.mil>.

 * Make the nonce unique for consecutive calls to the same ykclient handle.

 * Do url encoding of OTP before sending.

 * Fix segfault on curl error.
   Patch from Lee Hinman <lee.hinman.ctr@hpc.mil>
2012-06-16 20:32:05 +00:00
pettai
7043b02f8b Version 1.9 (released 2012-05-31)
* Updated ld-version-script from gnulib to silence warnings.

* Fix out-of-tree builds.
2012-06-16 20:26:12 +00:00
pettai
fa0355ce7e Added sks 2012-06-16 18:59:13 +00:00
pettai
755a438c04 SKS is a new OpenPGP keyserver whose goal is to provide easy to deploy,
decentralized, and highly reliable synchronization.  That means that a key
submitted to one SKS server will quickly be distributed to all key servers,
and even wildly out-of-date servers, or servers that experience spotty
connectivity, can fully synchronize with rest of the system.
2012-06-16 18:55:30 +00:00
taca
6d58c00211 Remove php-mhash which is only supported by PHP 5.2. 2012-06-16 15:09:36 +00:00