The Cryptokit library for Objective Caml provides a variety of
cryptographic primitives that can be used to implement cryptographic
protocols in security-sensitive applications. The primitives provided
include:
Symmetric-key cryptography: AES, DES, Triple-DES, ARCfour, in ECB,
CBC, CFB and OFB modes. Public-key cryptography: RSA encryption and
signature; Diffie-Hellman key agreement. Hash functions and MACs:
SHA-1, MD5, and MACs based on AES and DES. Random number generation.
Encodings and compression: base 64, hexadecimal, Zlib compression.
Additional ciphers and hashes can easily be used in conjunction
with the library. In particular, basic mechanisms such as chaining
modes, output buffering, and padding are provided by generic classes
that can easily be composed with user-provided ciphers. More
generally, the library promotes a "Lego"-like style of constructing
and composing transformations over character streams.
OpenSSL CHANGES
_______________
Changes between 0.9.8w and 0.9.8x [10 May 2012]
*) Sanity check record length before skipping explicit IV in DTLS
to fix DoS attack.
Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing as a service testing platform.
(CVE-2012-2333)
[Steve Henson]
*) Initialise tkeylen properly when encrypting CMS messages.
Thanks to Solar Designer of Openwall for reporting this issue.
[Steve Henson]
The Google Authenticator includes implementations of one-time passcode
generators for several mobile platforms as well as a pluggable
authentication module (PAM). One-time passcodes are generated using
open standards developed by the Initiative for Open Authentication
(OATH) (which is unrelated to OAuth).
These implementations support the HMAC-Based One-time Password (HOTP)
algorithm specified in RFC 4226 and the Time-based One-time Password
(TOTP) algorithm specified in RFC 6238.
Because upstream does not provide a distribution file (yet), I have
pre-packaged the sources myself as of today and uploaded them to
ftp.n.o under my own directory. This explains the 0.0 prefix in the
version number, because if upstream starts providing distfiles with
proper versioning, we don't want our date stamp to be "above" all
official versions.
tool that, in addition to basic syntactic and semantic zone checks,
includes DNSSEC signature verification and NSEC/NSEC3 chain validation,
as well a number of optional policy checks on the zone.
Security fix for CVS-2012-2131.
Changes between 0.9.8v and 0.9.8w [23 Apr 2012]
*) The fix for CVE-2012-2110 did not take into account that the
'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
int in OpenSSL 0.9.8, making it still vulnerable. Fix by
rejecting negative len parameter. (CVE-2012-2131)
[Tomas Hoger <thoger@redhat.com>]
=== 0.4.6 2012-04-21
* Fixed nested attributes in #normalize (Shaliko Usubov)
* Make use the path component of the :site parameter (Jonathon M. Abbott)
* Fixed post body's being dropped in 1.9 (Steven Hammond)
* Fixed PUT request handling (Anton Panasenko)
20120309
- Download the certdata from mozilla over SSL (John Joseph Bachir)
- CA updates:
Removes:
- Hellenic Academic and Research Institutions RootCA 2011
20120118
- CA updates:
Add:
- Security Communication RootCA2
- EC-ACC
- Hellenic Academic and Research Institutions RootCA 2011
Remove:
- Verisign Class 4 Public Primary Certification Authority - G2
- TC TrustCenter, Germany, Class 2 CA
- TC TrustCenter, Germany, Class 3 CA
v1.66 2012.04.16
- make it thread safer, thanks to bug report from vega[DOT]james[AT]gmail
[DOT]com, https://rt.cpan.org/Ticket/Display.html?id=76538
v1.65 2012.04.16
- added NPN (Next Protocol Negotiation) support based on patch from kmx
https://rt.cpan.org/Ticket/Display.html?id=76223
v1.64 2012.04.06
- clarify some behavior regarding hostname verfication.
Thanks to DOHERTY for reporting.
v1.63 2012.04.06
- applied patch of DOUGDUDE to ignore die from within eval to make tests
more stable on Win32, https://rt.cpan.org/Ticket/Display.html?id=76147
v1.62 2012.03.28
- small fix to last version
v1.61 2012.03.27
- call CTX_set_session_id_context so that servers session caching works with
client certificates too.
https://rt.cpan.org/Ticket/Display.html?id=76053
v1.60 2012.03.20
- don't make blocking readline if socket was set nonblocking, but return as
soon no more data are available
https://rt.cpan.org/Ticket/Display.html?id=75910
- fix BUG section about threading so that it shows package as thread safe
as long as Net::SSLeay >= 1.43 is used
https://rt.cpan.org/Ticket/Display.html?id=75749
v1.59 2012.03.08
- if SSLv2 is not supported by Net::SSLeay set SSL_ERROR with useful
message when attempting to use it.
- modify constant declarations so that 5.6.1 should work again
v1.58 2012.02.26
- fix t/dhe.t again to enable the workaround only for newer openssl
versions, because this would cause failures on older versions
v1.57 2012.02.26
- fix t/dhe.t for openssl 1.0.1 beta by forcing tlsv1, so that it does
not complain about the too small rsa key which it should not use anyway.
Thanks to paul[AT]city-fan[DOT]org for reporting.
https://rt.cpan.org/Ticket/Display.html?id=75165
v1.56 2012.02.22
- add automatic or explicit (via SSL_hostname) SNI support, needed for
multiple SSL hostnames with same IP. Currently only supported for the
client.
v1.55 2012.02.20
- work around IO::Sockets work around for systems returning EISCONN etc
on connect retry for non-blocking sockets by clearing $! if SUPER::connect
returned true.
https://rt.cpan.org/Ticket/Display.html?id=75101
Thanks for Manoj Kumar for reporting.
v1.54 2012.01.11
- return 0 instead of undef in SSL_verify_callback to fix unitialized
warnings. Thanks to d[DOT]thomas[AT]its[DOT]uq[DOT]edu[DOT]au for
reporting the bug and MIKEM for the fix.
https://rt.cpan.org/Ticket/Display.html?id=73629
v1.53 2011.12.11
- kill child in t/memleak_bad_hanshake.t if test fails
https://rt.cpan.org/Ticket/Display.html?id=73146
Thanks to CLEACH ofr reporting
v1.52 2011.12.07
- fix syntax error in t/memleak_bad_handshake.t
thanks to cazzaniga[DOT]sandro[AT]gmail[DOT]com for reporting
v1.51 2011.12.06
- disable t/memleak_bad_handshake.t on AIX, because it might hang
https://rt.cpan.org/Ticket/Display.html?id=72170
v1.50 2011.12.06
Thanks to HMBRAND for reporting and Rainer Tammer tammer[AT]tammer[DOT]net for
providing access to AIX system
v1.49 2011.10.28
- another regression for readline fix, this time it failed to return lines
at eof which don't end with newline. Extended t/readline.t to catch this
case and the fix for 1.48
Thanks to christoph[DOT]mallon[AT]gmx[DOT]de for reporting
v1.48 2011.10.26
- bugfix for readline fix in 1.45. If the pending data where false
(like '0') it failed to read rest of line.
Thanks to Victor Popov for reporting
https://rt.cpan.org/Ticket/Display.html?id=71953
v1.47 2011.10.21
- fix for 1.46 - check for mswin32 needs to be /i. Thanks to
Alexandr Ciornii for reporting
v1.46 2011.10.18
- disable test t/signal-readline.t on windows, because signals are
not relevant for this platform and test does not work.
https://rt.cpan.org/Ticket/Display.html?id=71699
v1.45 2011.10.12
- fix readline to continue when getting interrupt waiting for more
data. Thanks to kgc[AT]corp[DOT]sonic[DOT]net for reporting problem
5.71 Wed Feb 29 04:06:10 MST 2012
- prevented $! from getting clobbered in _bail() routine
-- thanks to Zefram for patch
- added example of BITS mode usage to shasum documentation
5.70 Wed Dec 14 02:32:10 MST 2011
- added BITS mode to addfile method and shasum
-- partial-byte inputs now possible via files/STDIN
-- allows shasum to check all 8074 NIST Msg vectors
-- previously required special programming
5.63 Tue Nov 8 02:36:42 MST 2011
- added code to allow very large data inputs all at once
-- previously limited to several hundred MB at a time
-- many thanks to Thomas Drugeon for his elegant patch
- removed outdated reference URLs from several test scripts
-- these URLs aren't essential, and often go stale
-- thanks to Leon Brocard for spotting this
-- ref. rt.cpan.org #68740
NEWS
====
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
Major changes between OpenSSL 0.9.8u and OpenSSL 0.9.8v:
o Fix for ASN1 overflow bug CVE-2012-2110
Changelog:
Version 4.53, 2012.03.19, urgency: MEDIUM:
* New features
- Added client-mode "sni" option to directly control the value of
TLS Server Name Indication (RFC 3546) extension.
- Added support for IP_FREEBIND socket option with a pached Linux kernel.
- Glibc-specific dynamic allocation tuning was applied to help unused memory
deallocation.
- Non-blocking OCSP implementation.
* Bugfixes
- Compilation fixes for old versions of OpenSSL (tested against 0.9.6).
- Usage of uninitialized variables fixed in exec+connect services.
- Occasional logging subsystem crash with exec+connect services.
- OpenBSD compilation fix (thx to Michele Orru').
- Session id context initialized with session name rather than a constant.
- Fixed handling of a rare inetd mode use case, where either stdin or stdout
is a socket, but not both of them at the same time.
- Fixed missing OPENSSL_Applink http://www.openssl.org/support/faq.html#PROG2
- Fixed crash on termination with FORK threading model.
- Fixed dead canary after configuration reload with open connections.
- Fixed missing file descriptors passed to local mode processes.
- Fixed required jmp_buf alignment on Itanium platform.
- Removed creating /dev/zero in the chroot jail on Solaris platform.
- Fixed detection of WSAECONNREFUSED Winsock error.
- Missing Microsoft.VC90.CRT.manifest added to Windows installer.
Version 4.52, 2012.01.12, urgency: MEDIUM:
* Bugfixes
- Fixed write closure notification for non-socket file descriptors.
- Removed a line logged to stderr in inetd mode.
- Fixed "Socket operation on non-socket" error in inetd mode on Mac OS X
platform.
- Removed direct access to the fields of the X509_STORE_CTX data structure.
Version 4.51, 2012.01.09, urgency: MEDIUM:
* New features
- Updated Win32 binary distribution OpenSSL DLLs to version 0.9.8s-fips.
- Updated Android binary OpenSSL to version 1.0.0f.
- Zlib support added to Win32 and Android binary builds.
- New "compression = deflate" global option to enable RFC 2246 compresion.
For compatibility with previous versions "compression = zlib" and
"compression = rle" also enable the deflate (RFC 2246) compression.
- Separate default ciphers and sslVersion for "fips = yes" and "fips = no".
- UAC support for editing configuration file with Windows GUI.
* Bugfixes
- Fixed exec+connect sections.
- Added a workaround for broken Android getaddrinfo():
http://stackoverflow.com/questions/7818246/segmentation-fault-in-getaddrinfo
Upstream changes:
## ssh 1.7.13 (2012-02-13)
* #5: Moved a `fcntl` import closer to where it's used to help avoid
`ImportError` problems on Windows platforms. Thanks to Jason Coombs for the
catch + suggested fix.
* #4: Updated implementation of WinPageant integration to work on 64-bit
Windows. Thanks again to Jason Coombs for the patch.
Remove devel/py-ctypes (only needed by and supporting python24).
Remove PYTHON_VERSIONS_ACCEPTED and PYTHON_VERSIONS_INCOMPATIBLE
lines that just mirror defaults now.
Miscellaneous cleanup while editing all these files.
