Commit graph

7735 commits

Author SHA1 Message Date
tnn
1c5e7f30e6 bump bl3 due to API change 2015-03-05 22:31:56 +00:00
tnn
4fd084ce6c avoid namespace clash with libc. Bump rev. 2015-03-05 22:28:37 +00:00
wiedi
310bc236e1 use c99 to fix build on illumos 2015-03-04 16:39:41 +00:00
jperkin
66849d390c Pull in TLS fixes from https://github.com/bumptech/stud/pull/138
Bump PKGREVISION.
2015-03-04 12:04:30 +00:00
wiz
197697cff9 Update to 5.3:
---
5.2
---

* Prefer setuptools_scm to hgtools.

---
5.1
---

* Host project at Github (`repo <https://github.com/jaraco/keyring>`_).
2015-03-01 15:09:07 +00:00
wiz
95c83ef80f + sslsplit. 2015-03-01 10:03:48 +00:00
wiz
264a46f831 Import sslsplit-0.4.10 as security/sslsplit.
SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS
encrypted network connections.  Connections are transparently
intercepted through a network address translation engine and
redirected to SSLsplit.  SSLsplit terminates SSL/TLS and initiates
a new SSL/TLS connection to the original destination address, while
logging all data transmitted.  SSLsplit is intended to be useful
for network forensics and penetration testing.

SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections
over both IPv4 and IPv6.  For SSL and HTTPS connections, SSLsplit
generates and signs forged X509v3 certificates on-the-fly, based
on the original server certificate subject DN and subjectAltName
extension.  SSLsplit fully supports Server Name Indication (SNI)
and is able to work with RSA, DSA and ECDSA keys and DHE and ECDHE
cipher suites.  Depending on the version of OpenSSL, SSLsplit
supports SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2, and optionally SSL
2.0 as well.  SSLsplit can also use existing certificates of which
the private key is available, instead of generating forged ones.
SSLsplit supports NULL-prefix CN certificates and can deny OCSP
requests in a generic way.  For HTTP and HTTPS connections, SSLsplit
removes response headers for HPKP in order to prevent public key
pinning, for HSTS to allow the user to accept untrusted certificates,
and Alternate Protocols to prevent switching to QUIC/SPDY.
2015-03-01 09:59:45 +00:00
wiz
9eaa9bcf84 Update to 1.6.3:
Noteworthy changes in version 1.6.3 (2015-02-27) [C20/A0/R3]
------------------------------------------------

 * Use ciphertext blinding for Elgamal decryption [CVE-2014-3591].
   See http://www.cs.tau.ac.il/~tromer/radioexp/ for details.

 * Fixed data-dependent timing variations in modular exponentiation
   [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks
   are Practical].

 * Improved asm support for older toolchains.
2015-02-28 00:14:25 +00:00
wiz
3ca6fa4811 Update to 1.4.19:
Noteworthy changes in version 1.4.19 (2015-02-27)
-------------------------------------------------

 * Use ciphertext blinding for Elgamal decryption [CVE-2014-3591].
   See http://www.cs.tau.ac.il/~tromer/radioexp/ for details.

 * Fixed data-dependent timing variations in modular exponentiation
   [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks
   are Practical].

 * Detect faulty use of --verify on detached signatures.

 * Changed the PKA method to use CERT records and hashed names.

 * New import option "keep-ownertrust".

 * Support algorithm names when generating keys using the --command-fd
   method.

 * Updated many translations.

 * Updated build system.

 * Fixed a regression in keyserver import

 * Fixed argument parsing for option --debug-level.

 * Fixed DoS based on bogus and overlong key packets.

 * Fixed bugs related to bogus keyrings.

 * The usual minor bug fixes.
2015-02-28 00:13:25 +00:00
tnn
653dfbd8b0 Remove stale HP-UX bulk build quirks 2015-02-27 14:35:01 +00:00
mef
f31ff8abeb Added security/p5-Crypt-DH-GMP version 0.00012 2015-02-27 01:35:28 +00:00
mef
5375505e80 Import p5-Crypt-DH-GMP-0.00012 as security/p5-Crypt-DH-GMP.
Crypt::DH::GMP is a (somewhat) portable replacement to Crypt::DH,
implemented mostly in C.
2015-02-27 01:32:49 +00:00
tez
c2d3b7a572 Backported fixes for:
http://web.mit.edu/kerberos/advisories/2015-001-patch-r111.txt
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5352
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9421
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9422
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9423
and:
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5353
and
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5355
 (also apparently known as SA62976)
2015-02-25 22:28:58 +00:00
wiz
d322dc27d7 Reset maintainer, lukem has no pkgsrc capabilities. 2015-02-24 08:58:56 +00:00
hiramatsu
c1f9098ae3 Update clamav to 0.98.6.
Changes from 0.98.5.
--------------------
- library shared object revisions.
- installation issues on some Mac OS X and FreeBSD platforms.
- includes a patch from Sebastian Andrzej Siewior making
  ClamAV pid files compatible with systemd.
- Fix a heap out of bounds condition with crafted Yoda's
  crypter files. This issue was discovered by Felix Groebert
  of the Google Security Team.
- Fix a heap out of bounds condition with crafted mew packer
  files. This issue was discovered by Felix Groebert of the
  Google Security Team.
- Fix a heap out of bounds condition with crafted upx packer
  files. This issue was discovered by Kevin Szkudlapski of
  Quarkslab.
- Fix a heap out of bounds condition with crafted upack packer
  files. This issue was discovered by Sebastian Andrzej Siewior.
  CVE-2014-9328.
- Compensate a crash due to incorrect compiler optimization when
  handling crafted petite packer files. This issue was discovered
  by Sebastian Andrzej Siewior.
2015-02-24 07:28:59 +00:00
fhajny
edb533c4af One more fix for assumption about POSIX accept(). PKGREVISION++ 2015-02-23 22:27:37 +00:00
wiedi
3e24ab8a32 Update spiped to 1.5.0
Changelog:
 spiped-1.5.0
 * Attempt to set the TCP_NODELAY socket option on connections, in order
   to avoid punishing latencies from TCP nagling.
2015-02-22 14:26:47 +00:00
wiz
a7e3cf4059 Update to 2.0.27:
Noteworthy changes in version 2.0.27 (2015-02-18)
-------------------------------------------------

 * gpg: Detect faulty use of --verify on detached signatures.

 * gpg: New import option "keep-ownertrust".

 * gpg: Uses SHA-256 for all signature types also on RSA keys.

 * gpg: Added support for algo names when generating keys using the
   --command-fd method.

 * gpg: Unless --allow-weak-digest-algos is used the insecure MD5
   based fingerprints are shown as all zeroe

 * gpg: Fixed DoS based on bogus and overlong key packets.

 * gpg: Better error reporting for keyserver problems.

 * Fixed several bugs related to bogus keyrings and improved some
   other code.
2015-02-21 09:08:53 +00:00
fhajny
a6b55d6f0e Fix SSL queue handling based on an upstream patch. PKGREVISION++
https://github.com/bumptech/stud/pull/130
2015-02-20 09:32:07 +00:00
joerg
66a22fb17d Recognize evbarm. 2015-02-19 14:25:12 +00:00
wiz
70858bd1fb Update to 0.52:
0.52 - 2016-02-16
 - Skip "grp" records, generated by GPG 2.1; this suppresses "unknown
   record type" warnings
 - Add explicit Fatal dependency; though nominally part of core perl,
   RedHat's perl does not ship with it
 - Ensure that the trustdb is created before attempting to encrypt; gpg2
   requires that it exist, even for commands with --trust-model=always.
   See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751266
2015-02-19 13:18:10 +00:00
joerg
6b680a78b5 Wants qmake for qt detection. 2015-02-18 20:46:48 +00:00
tnn
a84f21ab9f Update to mozilla-rootcerts-20141117.
Added root certs:

C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Secure Server CA - G2
C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
OU=GlobalSign ECC Root CA - R4, O=GlobalSign, CN=GlobalSign
OU=GlobalSign ECC Root CA - R5, O=GlobalSign, CN=GlobalSign

Removed root certs:

C=US, O=America Online Inc., CN=America Online Root Certification Authority 1
C=US, O=America Online Inc., CN=America Online Root Certification Authority 2
C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Global Root
C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailAddress=server-certs@thawte.com
2015-02-16 13:09:10 +00:00
jperkin
680762de01 Put back implementation of MASTER_SITE_OPENBSD. 2015-02-16 11:03:20 +00:00
rodent
3db7e53778 Source code documentation says that renaming -lcrypt to -lcrypto works on
Darwin. Let's do that instead of removing that library, since it would
involve disabling another CFLAG to function properly. Do the same for
OpenBSD which fixes the build there too. Add options.mk file to enable the
user to choose the libcrack and debug options at build time. Bump
PKGREVISION.
2015-02-16 00:25:45 +00:00
gls
8f8d3e1add Update security/password-store to 1.6.5
Upstream changes:
=================

Release 1.6.5. Changes:
== Features ==
* Support Gpg4win alongside Cygwin

== Bug Fixes ==
* Work around unit tests bug with GnuPG 2.1.0 and 2.1.1
* Manually migrate unit tests keys to GnuPG 2.1 series
* Restore support GnuPG 2.0 series


Release 1.6.4. Changes:
== Features ==
* "add" is an alias of "insert"
* `pass edit` will no longer make a commit if the password does not change
* Symbolic links are now followed
* Remove gpg agent check, due to the auto-starting gpg-agent in GnuPG 2.1

== Bug Fixes ==
* Avoid trailing slash in `pass grep`
* Account for $CLIP_TIME in messages
* revelation2pass, keepassx2pass, and other script improvements
* Fix .gpg extension in tree listings, and preserve colors
* Improved support for getopt on OSX
* Updates for zsh and fish completion autoloading
* Always preserve TTY for pinentry
* Only use encryption subkeys
* Better clip error messages
* No longer use hidden recipients
2015-02-15 18:58:40 +00:00
adam
2f1650ffbe Changes 1.0.2:
Suite B support for TLS 1.2 and DTLS 1.2
Support for DTLS 1.2
TLS automatic EC curve selection.
API to set TLS supported signature algorithms and curves
SSL_CONF configuration API.
TLS Brainpool support.
ALPN support.
CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.
2015-02-12 13:08:53 +00:00
jnemeth
21a3461659 sort 2015-02-12 05:09:34 +00:00
agc
7e5a773aa6 Update multigest and libmultigest to version 20150211
+ bring over lint fixes from the version in othersrc
+ document the concat, comb4p, xor and hash combiner functions
2015-02-12 01:57:57 +00:00
adam
edc7180568 Changes 3.2.21:
** libgnutls: Corrected regression introduced in 3.2.19 related to
session renegotiation. Reported by Dan Winship.
** libgnutls: Corrected parsing issue with OCSP responses.
** API and ABI modifications:
No changes since last version.
2015-02-11 11:25:57 +00:00
spz
1c03c2f9fa update of sudo to the next upstream patch version (1.7.10p8 to 1.7.10p9)
Upstream Changelog:

+   The TZ environment variable is now checked for safety instead of
    simply being copied to the environment of the command.
    This fixes a potential security issue.

+   Sudo now only builds Position Independent Executables (PIE) by
    default on Linux systems and verifies that a trivial test program
    builds and runs.

+   On Solaris 11.1 and higher, sudo binaries will now have the ASLR tag
    enabled if supported by the linker.
2015-02-11 09:11:59 +00:00
wiz
28e2a250ef Add a build dependency on py-hgtools.
Seems to be needed, at least sometimes.
2015-02-09 18:55:45 +00:00
nils
7cffaeaa29 add & enable fail2ban 2015-02-09 10:06:48 +00:00
nils
08431a1378 Initial import of security/fail2ban, version 0.9.1, into the NetBSD Packages Collection.
Fail2Ban scans log files like /var/log/pwdfail and bans IP
that makes too many password failures. It updates firewall
rules to reject the IP address. These rules can be defined by
the user. Fail2Ban can read multiple log files such as sshd
or Apache web server ones.
2015-02-09 10:05:25 +00:00
wiz
2f92c4c1de Update to 5.0:
---
5.0
---

* Version numbering is now derived from the code repository tags via `hgtools
  <https://pypi.python.org/pypi/hgtools>`_.
* Build and install now requires setuptools.
2015-02-08 16:38:18 +00:00
agc
0cfaed6376 forcibly disable tools build when running the testing script - found when
testing the src/ version, benign for pkgsrc. ride previous version bump.
2015-02-05 01:28:25 +00:00
agc
804fbc2e4d appease compiler warning police - initialise a variable in case it's otherwise
"used uninitialised". ride previous version bump.
2015-02-05 00:58:02 +00:00
agc
b24a4c3e01 Update netpgpverify (and libnetpgpverify) to version 20150205
+ recognise signatures made by subkeys as well as by primary keys

+ print out the relevant key which signed the file, even if it's
a subkey and not the primary key itself.

+ keep the same API as before

with many thanks to Jonathan Perkin
2015-02-05 00:21:57 +00:00
agc
1d1b6986c4 The test file for the "one key" test has embedded CVS Identifiers, so
work around this.
2015-02-04 17:53:39 +00:00
agc
f5b8aa147a add a minimalist shell script to make a tarball of the sources - requested
by various people.
2015-02-04 17:45:04 +00:00
taca
61f2670d76 Update ruby-sshkit to 1.6.1.
## 1.6.0

  * Fix colorize to use the correct API (@fazibear)
  * Lock colorize (sorry guys) version at >= 0.7.0

## 1.6.0 (Yanked, because of colorize.)

  * Force dependency on colorize v0.6.0
  * Add your entries here, remember to credit yourself however you want to be
    credited!
  * Remove strip from capture to preserve whitespace. Nick Townsend
  * Add vmware_fusion Vagrant provider. Nick Townsend
  * Add some padding to the pretty log formatter

## 1.5.1

  * Use `sudo -u` rather than `sudo su` to switch users. Mat Trudel

## 1.5.0

  * Deprecate background helper - too many badly behaved pseudo-daemons. Lee Hambley
  * Don't colourize unless $stdout is a tty. Lee Hambley
  * Remove out of date "Known Issues" section from README. Lee Hambley
  * Delay variable interpolation inside `as()` block. Nick Townsend
  * Fixes for functional tests under modern Vagrant. Lewis Marshal
  * Fixes for connection pooling. Chris Heald
  * Add `localhost` hostname to local backend. Adam Mckaig
  * Wrap exceptions to include hostname. Brecht Hoflack
  * Remove `shellwords` stdlib dependency Bruno Sutic
  * Remove unused `cooldown` accessor. Bruno Sutic
  * Replace Term::ANSIColor with a lighter solution. Tom Clements
  * Documentation fixes. Matt Brictson

## 1.4.0

https://github.com/capistrano/sshkit/compare/v1.3.0...v1.4.0

  * Removed `invoke` alias for [`SSHKit::Backend::Printer.execute`](https://github.com/capistrano/sshkit/blob/master/lib/sshkit/backends/printer.rb#L20). This is to prevent collisions with
  methods in capistrano with similar names, and to provide a cleaner API. See [capistrano issue 912](https://github.com/capistrano/capistrano/issues/912) and [issue 107](https://github.com/capistrano/sshkit/issues/107) for more details.
  * Connection pooling now uses a thread local to store connection pool, giving each thread its own connection pool. Thank you @mbrictson see [#101](https://github.com/capistrano/sshkit/pull/101) for more.
  * Command map indifferent towards strings and symbols thanks to @thomasfedb see [#91](https://github.com/capistrano/sshkit/pull/91)
  * Moved vagrant wrapper to `support` directory, added ability to run tests with vagrant using ssh. @miry see [#64](https://github.com/capistrano/sshkit/pull/64)
  * Removed unnecessary require `require_relative '../sshkit'` in `lib/sshkit/dsl.rb` prevents warnings thanks @brabic.
  * Doc fixes thanks @seanhandley @vojto
2015-02-04 16:17:47 +00:00
taca
4629de0e8a Update ruby-shadow to 2.4.1.
[2014/12/02]
* Version 2.4.1
  - sp_loginclass support should NOT have been added to password implementation
[2014/12/01]
* Version 2.4.0
  - Add support for sp_loginclass via pwd.h
2015-02-04 16:14:57 +00:00
taca
e7b088b3d1 Update ruby-net-scp to 1.2.1.
=== 1.2.1 / 30 Apr 2014

* Resign gem with new pubkey

=== 1.2.0 / 11 Apr 2014

* Get the error string during download [jkeiser]
2015-02-04 16:11:32 +00:00
taca
1ce21bbb90 Update ruby-net-ssh to 2.9.2.
=== 2.9.2-rc3

* Remove advertised algorithms that were not working (curve25519-sha256@libssh.org) [mfazekas]

=== 2.9.2-rc2

* number_of_password_prompts is now accepted as ssh option, by setting it 0 net-ssh will not ask for password for password auth as with previous versions [mfazekas]

=== 2.9.2-rc1

* Documentation fixes and refactoring to keepalive [detiber, mfazekas]

=== 2.9.2-beta

* Remove advertised algorithms that were not working (ssh-rsa-cert-* *ed25519 acm*-gcm@openssh.com) [mfazekas]
* Unknown algorithms now ignored instead of failed [mfazekas]
* Asks for password with password auth (up to number_of_password_prompts) [mfazekas]
* Removed warnings [amatsuda]

=== 2.9.1 / 13 May 2014

* Fix for unknown response from agent on Windows with 64-bit PuTTY [chrahunt]
* Support negative patterns in host lookup from the SSH config file [nirvdrum]


=== 2.9.0 / 30 Apr 2014

* New ciphers [chr4]
  * Added host keys: ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com ssh-ed25519-cert-v01@openssh.com ssh-ed25519
  * Added HMACs: hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com umac-128-etm@openssh.com
  * Added Kex: aes256-gcm@openssh.com aes128-gcm@openssh.com curve25519-sha256@libssh.org
  * Added private key support for id_ed25519
* IdentitiesOnly will not disable ssh_agent - fixes #148 and new fix for #137 [mfazekas]
* Ignore errors during ssh agent negotiation [simonswine, jasiek]
* Added an optional "options" argument to test socket open method [jefmathiot]
* Added gem signing (again) with new cert [delano]


=== 2.8.1 / 19 Feb 2014

* Correct location of global known_hosts files [mfischer-zd]
* Fix for password authentication [blackpond, zachlipton, delano]
2015-02-04 16:09:07 +00:00
taca
6f9a0726ec Update ruby-bcrypt to 3.1.10.
3.1.8  Oct 23 2014
  - Add support for Ruby 2.1 in compiled Windows binaries [GH #102]

3.1.9  Oct 23 2014
  - Rebuild corrupt binaries

3.1.10 Jan 28 2015
  - Fix issue with dumping a BCrypt::Password instance to YAML in Ruby 2.2 [GH #107 by @mattwildig]
2015-02-04 16:07:29 +00:00
wiz
56343eddac Update to 2.012. Depend on p5-Mozilla-CA.
2.012 2014/02/02
- fix t/ocsp.t in case no HTTP::Tiny is installed
2.011 2014/02/01
- fix t/ocsp.t - don't count on revoked.grc.com using OCSP stapling #101855
- added option 'purpose' to Utils::CERT_create to get better control of the
  certificates purpose. Default is 'server,client' for non-CA (contrary to
  only 'server' before)
- removed RC4 from default cipher suites on the server site
  https://github.com/noxxi/p5-io-socket-ssl/issues/22
- refactoring of some tests using Test::More thanks to Sweet-kid and the
  2015 Pull Request Challenge
2015-02-04 12:19:07 +00:00
agc
ada62f45b2 Update netpgpverify, and libnetpgpverify, to 20150204
+ dump the huge output to /dev/null so that we can see what's
happening with the other tests in testit.sh

+ fix from jperkin@, don't try to be clever when selecting the only
key id in a keyring

+ add a test for single key (non-ssh) pubring
2015-02-03 21:36:48 +00:00
agc
e5416534d1 Update netpgpverify, and libnetpgpverify, to 20150204
+ dump the huge output in testing script to /dev/null so that we can
see what's happening with the other tests in testit.sh

+ fix from jperkin@, don't try to be clever when selecting the only
key id in a keyring

+ add a test for single key (non-ssh) pubring
2015-02-03 21:34:57 +00:00
agc
5461aea2cb Update netpgpverify, and libnetpgpverify, to 20150203
+ portability fixes to make netpgpverify build on freebsd 10.1 with WARNS=5

+ fixed an oversight in the testit.sh script
2015-02-03 21:13:17 +00:00
wiz
536213f713 Update to 4.1:
4.1
---

* Added preliminary support for loading keyring backends through ``setuptools
  entry points``, specifically "keyring backends".
2015-02-01 19:51:37 +00:00
wiz
88db27cfbf Update to 1.18:
Noteworthy changes in version 1.18 (2015-01-26) [C14/A14/R0]
-----------------------------------------------

 * New translations for Hungarian, Portuguese, Russian, and
   traditional Chinese.  Updated other translations.

 * New error codes.

 * Interface changes relative to the 1.17 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 GPG_ERR_FORBIDDEN                NEW.
 GPG_ERR_OBJ_TERM_STATE           NEW.
 GPG_ERR_REQUEST_TOO_SHORT        NEW.
 GPG_ERR_REQUEST_TOO_LONG         NEW.
 GPG_ERR_LEGACY_KEY               NEW.
2015-02-01 19:49:38 +00:00
obache
07f5a526c0 Revert "Define and use MASTER_SITE_OPENBSD.",
proposed/discussed is required for such changes.
2015-02-01 09:07:40 +00:00
agc
d5812ef86c allow the keyring to be set on the command line in the chk.sh script
this syncs with sources under src/crypto
2015-01-31 22:00:55 +00:00
agc
cd0b62f435 Missed file in previous - sync with reality... 2015-01-30 18:55:01 +00:00
agc
9f4436de94 Update to version 20150115.
This version includes support for the '-c dump' command, which dumps
the contents of all PGP packets to stdout.  Note that since we're
verifying, no private keys are involved.
2015-01-30 18:47:50 +00:00
jperkin
805047afbd Fix typo in previous. 2015-01-27 13:54:10 +00:00
jperkin
e31292423f Ensure we call the full path to the script. Bump PKGREVISION. 2015-01-27 13:53:06 +00:00
sevan
586c550bac On Darwin define BIND_8_COMPAT to resolve build issue as dsniff utilises the
BIND8 API, not the v9 API.

Closes PR pkg/39062
Reviewed by wiz@
2015-01-26 16:05:04 +00:00
joerg
5c69f67011 For clang, don't use the rotate inline asm, but expect the compiler to
generate optimal code.
2015-01-25 13:13:51 +00:00
wiz
f14da50ce3 Update to 1.68:
1.68 2015-01-24
     Fixed a problem on OSX when macports openssl 1.x is installed: headers from
     macport were found but older OSX openssl libraries were linked, resulting
     in "Symbol not found: _EVP_MD_do_all_sorted".
     Added notes about runtime error "no OPENSSL_Applink", when calling
     Net::SSLeay::P_PKCS12_load_file.
2015-01-25 11:58:41 +00:00
joerg
ab75586cc9 Not MAKE_JOBS_SAFE. 2015-01-23 15:09:26 +00:00
obache
c811308510 simplify MASTER_SITES subdirectory. 2015-01-23 06:22:20 +00:00
jaapb
714f854d4d Revbump associated with update of lang/ocaml. 2015-01-20 14:24:34 +00:00
wiz
a8a2723794 Update to 2.010:
2.010 2014/01/14
- new options SSL_client_ca_file and SSL_client_ca to let the server send
  the list of acceptable CAs for the client certificate.
- t/protocol_version.t - fix in case SSLv3 is not supported in Net::SSLeay.
  RT#101485, thanks to TEAM.
2015-01-18 18:58:17 +00:00
wiz
906c52359f Update to 1.67:
1.67 2015-01-17
     Improvements to inc/Module/Install/PRIVATE/Net/SSLeay.pm to handle the
     case where there are multiple OPENSSLs installed. Patch from HBRAND
     Fixed a documentation error in get_peer_cert_chain, reported by tejas.
     Fixed a problem with building on Windows that prevented correct OpenSSL
     directory detection with version 1.0.1j as delivered with Shining Light OpenSSL.
     Fixed a problem with building on Windows that prevented finding MT or MD
     versions of SSL libraries.
     Updated doc in README.Win32 to build with Microsoft Visual Studio 2010 Express.
     Added Windows crypt32 library to Windows linking as some compilers/platforms seem to
     require it and it is innocuous otherwise. For Steve Hay.
     Fixed a failure in t/external/20_cert_chain.t where some platforms do not
     have HTTPS in /etc/services. Reported and patched by Gisle Aas.
     Recent 1.0.2 betas have dropped the SSLv3_method function.
     This patch leaves out the function on newer versions, much the same as
     the SSLv2 deprecation is handled. Patch from Tom Molesworth.
     Fix the ALPN test, which was incorrectly failing on OpenSSL due to the
     LibreSSL check (earlier versions bailed out before that line). Patch from
     Tom Molesworth.
2015-01-18 18:56:43 +00:00
wiz
079b2bfb97 Update to 0.7.2:
0.7.2 - 2015-01-16
~~~~~~~~~~~~~~~~~~

* Updated Windows wheels to be compiled against OpenSSL 1.0.1l.
* ``enum34`` is no longer installed on Python 3.4, where it is included in
  the standard library.
* Added a new function to the OpenSSL bindings to support additional
  functionality in pyOpenSSL.
2015-01-18 17:25:39 +00:00
wiz
1d580201bf Fix startup script. Bump PKGREVISION. From ISIHARA Takanori.
(Ooops, what happened here.)
2015-01-17 18:43:15 +00:00
obache
749343dca8 Define and use MASTER_SITE_OPENBSD. 2015-01-17 05:51:43 +00:00
obache
a2b84b9a0f Remove "Don't delete the last entry" from MASTER_SITES.
It's not available.
ftp://ftp.belnet.be/pub/OpenBSD/OpenSSH/portable/ (capitalize openbsd) is
available, but it's a mirror, not the special old distfile holder.
Moreover, mirrors have good enough old versions,  and "old" subdirectory
have much old distfiles.
2015-01-17 05:31:52 +00:00
gdt
d01f8ac381 Use sh not C comments in sh scripts.
From Matthias Ferdinand on pkgsrc-users.
2015-01-17 01:11:06 +00:00
wiz
ba9c0a4801 Update to 1.0.1:
* Version 1.0.1
 - DLL_EXPORT was renamed SODIUM_DLL_EXPORT in order to avoid
collisions with similar macros defined by other libraries.
 - sodium_bin2hex() is now constant-time.
 - crypto_secretbox_detached() now supports overlapping input and output
regions.
 - NaCl's donna_c64 implementation of curve25519 was reading an extra byte
past the end of the buffer containing the base point. This has been
fixed.
2015-01-16 11:39:32 +00:00
wiz
b9a3129a64 Fix executable name in gpgkey2ssh tool.
From ISIHARA Takanori in PR 49576.

Bump PKGREVISION.
2015-01-15 20:59:59 +00:00
wiz
2740708401 Add rc.d script, from ISIHARA Takanori in PR 49574.
Bump PKGREVISION.
2015-01-15 20:56:03 +00:00
wiz
3bc70a1de6 Build pinentry-tty by default. From ISIHARA Takanori in PR 49573.
Bump PKGREVISION.
2015-01-15 20:48:33 +00:00
wiz
a26b449a7d Update to 2.009:
2.009 2014/01/12
- remove util/analyze.pl. This tool is now together with other SSL tools in
  https://github.com/noxxi/p5-ssl-tools
- added ALPN support (needs OpenSSL1.02, Net::SSLeay 1.56+) thanks to TEAM,
  RT#101452
2015-01-14 13:23:10 +00:00
wiz
9a9eb7c217 Update to 2.54:
2015-01-12   Gisle Aas <gisle@ActiveState.com>

   Release 2.54

   David Mitchell: silence some compiler warnings
   Jonathan Hall: Add ->context() feature
   Steve Hay: Sync with blead
   bulk88: const the vtable
   zefram: 5.6 threads test fix
2015-01-14 13:13:05 +00:00
wiz
ca557ce1fb Convert to egg.mk. Rename additionally installed file so that multiple
python versions' packages don't conflict. Add ALTERNATIVES file.
Bump PKGREVISION.
2015-01-11 20:59:56 +00:00
wen
b085faaf3b Update to 5.95
Upstream changes:
5.95  Sat Jan 10 12:15:36 MST 2015
	- modified the bit-ordering test (ref. t/bitorder.t)
		-- supplied directory-change preamble for CORE builds

5.94  Sat Jan 10 00:45:28 MST 2015
	- added support for threaded builds
		-- PERL_GET_NO_CONTEXT, pTHX_, aTHX_, etc.
		-- employed 'const' storage class where possible
		-- ref. rt.cpan.org #101260
	- simplified shabits() routine (bitwise input buffering)
		-- slightly less efficient but easier to understand
		-- ref. rt.cpan.org #101344
	- minor documentation tweaks and additions
2015-01-11 03:57:53 +00:00
wiz
eb29bbc746 Simplify PKGNAME. 2015-01-10 20:33:49 +00:00
rumko
a3256a7d39 security/dirmngr: compatibility with libgcrypt>=1.6.0
Before 1.6.0 version, libgcrypt called pth_init() on its own,
in later version dirmngr has to be the one to call pth_init().
With this dirmngr actually works (does not seg fault immediately).

Since it's a runtime problem, PKGREVISION bumped.

OK@ wiz
2015-01-09 16:30:57 +00:00
wiz
88e43fda65 Update to 1.0.1k:
Changes between 1.0.1j and 1.0.1k [8 Jan 2015]

  *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
     message can cause a segmentation fault in OpenSSL due to a NULL pointer
     dereference. This could lead to a Denial Of Service attack. Thanks to
     Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
     (CVE-2014-3571)
     [Steve Henson]

  *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
     dtls1_buffer_record function under certain conditions. In particular this
     could occur if an attacker sent repeated DTLS records with the same
     sequence number but for the next epoch. The memory leak could be exploited
     by an attacker in a Denial of Service attack through memory exhaustion.
     Thanks to Chris Mueller for reporting this issue.
     (CVE-2015-0206)
     [Matt Caswell]

  *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
     built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
     method would be set to NULL which could later result in a NULL pointer
     dereference. Thanks to Frank Schmirler for reporting this issue.
     (CVE-2014-3569)
     [Kurt Roeckx]

  *) Abort handshake if server key exchange message is omitted for ephemeral
     ECDH ciphersuites.

     Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
     reporting this issue.
     (CVE-2014-3572)
     [Steve Henson]

  *) Remove non-export ephemeral RSA code on client and server. This code
     violated the TLS standard by allowing the use of temporary RSA keys in
     non-export ciphersuites and could be used by a server to effectively
     downgrade the RSA key length used to a value smaller than the server
     certificate. Thanks to Karthikeyan Bhargavan of the PROSECCO team at
     INRIA for reporting this issue.
     (CVE-2015-0204)
     [Steve Henson]

  *) Fixed issue where DH client certificates are accepted without verification.
     An OpenSSL server will accept a DH certificate for client authentication
     without the certificate verify message. This effectively allows a client to
     authenticate without the use of a private key. This only affects servers
     which trust a client certificate authority which issues certificates
     containing DH keys: these are extremely rare and hardly ever encountered.
     Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting
     this issue.
     (CVE-2015-0205)
     [Steve Henson]

  *) Ensure that the session ID context of an SSL is updated when its
     SSL_CTX is updated via SSL_set_SSL_CTX.

     The session ID context is typically set from the parent SSL_CTX,
     and can vary with the CTX.
     [Adam Langley]

  *) Fix various certificate fingerprint issues.

     By using non-DER or invalid encodings outside the signed portion of a
     certificate the fingerprint can be changed without breaking the signature.
     Although no details of the signed portion of the certificate can be changed
     this can cause problems with some applications: e.g. those using the
     certificate fingerprint for blacklists.

     1. Reject signatures with non zero unused bits.

     If the BIT STRING containing the signature has non zero unused bits reject
     the signature. All current signature algorithms require zero unused bits.

     2. Check certificate algorithm consistency.

     Check the AlgorithmIdentifier inside TBS matches the one in the
     certificate signature. NB: this will result in signature failure
     errors for some broken certificates.

     Thanks to Konrad Kraszewski from Google for reporting this issue.

     3. Check DSA/ECDSA signatures use DER.

     Reencode DSA/ECDSA signatures and compare with the original received
     signature. Return an error if there is a mismatch.

     This will reject various cases including garbage after signature
     (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
     program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
     (negative or with leading zeroes).

     Further analysis was conducted and fixes were developed by Stephen Henson
     of the OpenSSL core team.

     (CVE-2014-8275)
     [Steve Henson]

   *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
      results on some platforms, including x86_64. This bug occurs at random
      with a very low probability, and is not known to be exploitable in any
      way, though its exact impact is difficult to determine. Thanks to Pieter
      Wuille (Blockstream) who reported this issue and also suggested an initial
      fix. Further analysis was conducted by the OpenSSL development team and
      Adam Langley of Google. The final fix was developed by Andy Polyakov of
      the OpenSSL core team.
      (CVE-2014-3570)
      [Andy Polyakov]

   *) Do not resume sessions on the server if the negotiated protocol
      version does not match the session's version. Resuming with a different
      version, while not strictly forbidden by the RFC, is of questionable
      sanity and breaks all known clients.
      [David Benjamin, Emilia Käsper]

   *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
      early CCS messages during renegotiation. (Note that because
      renegotiation is encrypted, this early CCS was not exploitable.)
      [Emilia Käsper]

   *) Tighten client-side session ticket handling during renegotiation:
      ensure that the client only accepts a session ticket if the server sends
      the extension anew in the ServerHello. Previously, a TLS client would
      reuse the old extension state and thus accept a session ticket if one was
      announced in the initial ServerHello.

      Similarly, ensure that the client requires a session ticket if one
      was advertised in the ServerHello. Previously, a TLS client would
      ignore a missing NewSessionTicket message.
      [Emilia Käsper]
2015-01-08 16:58:25 +00:00
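
The re-encode-and-compare check from item 3 of the CVE-2014-8275 entry above, as an added example (not OpenSSL's code and not part of this commit log). The helper names, the constructed `R`/`S` values, and the use of SHA-256 over the signature bytes as a stand-in for a certificate fingerprint are assumptions made for illustration.

```python
import hashlib

def read_len(buf, pos):
    """Read a length field; tolerates BER long form even for short values."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("indefinite or truncated length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def read_int(buf, pos):
    """Read one INTEGER as a signed value, with no minimality check."""
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag")
    length, pos = read_len(buf, pos + 1)
    body = buf[pos:pos + length]
    if length == 0 or len(body) != length:
        raise ValueError("empty or truncated INTEGER")
    return int.from_bytes(body, "big", signed=True), pos + length

def parse_lenient(sig):
    """Permissive decode of SEQUENCE { r, s }; bytes after s are ignored."""
    if sig[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    _, pos = read_len(sig, 1)
    r, pos = read_int(sig, pos)
    s, pos = read_int(sig, pos)
    return r, s

def der_len(n):
    """Minimal DER length encoding."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def der_int(v):
    """Minimal DER INTEGER; a 0x00 prefix is added only when the top bit is set."""
    if v < 0:
        raise ValueError("r and s must not be negative")
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(body)) + body

def encode_der(r, s):
    body = der_int(r) + der_int(s)
    return b"\x30" + der_len(len(body)) + body

def is_strict_der(sig):
    """Accept only if re-encoding the parsed values reproduces the input bytes."""
    try:
        r, s = parse_lenient(sig)
        return encode_der(r, s) == sig
    except (ValueError, IndexError):
        return False

def fingerprint(blob):
    return hashlib.sha256(blob).hexdigest()

# Constructed sample values, not a real signature.
R = int("a1" * 32, 16)
S = int("5b" * 32, 16)
CANON = encode_der(R, S)
PADDED_S = b"\x02\x21\x00" + S.to_bytes(32, "big")
VARIANTS = {
    "canonical": CANON,
    "trailing garbage": CANON + b"\x00\x00",
    "BER long-form length": b"\x30\x81" + CANON[1:],
    "leading zero in s": b"\x30\x46" + der_int(R) + PADDED_S,
    "negative r": b"\x30\x44\x02\x20" + R.to_bytes(32, "big") + der_int(S),
}

def report():
    """Return (name, passes strict check, truncated fingerprint) per variant."""
    return [(name, is_strict_der(blob), fingerprint(blob)[:16])
            for name, blob in VARIANTS.items()]

if __name__ == "__main__":
    for name, ok, fp in report():
        print(f"{name:22} strict={ok!s:5} sha256={fp}")
```

The first three non-canonical variants decode to the same `(r, s)` under the permissive parser yet hash differently, which is why a fingerprint-based blacklist needs the strict check in front of it.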
wiz
b7186cc53c Revert previous, already fixed. 2015-01-07 01:01:12 +00:00
joerg
de30fda6dc Needs py-enum34. 2015-01-06 22:58:41 +00:00
wiz
2ff93577e0 Replace patch-ab with upstream version, see
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=817472358a093438e802380caecf7139406400cf;hp=8c5eee51d9a25b143e41ffb7ff4a6b2a29b82d83

Bump PKGREVISION.
2015-01-05 21:56:16 +00:00
drochner
4dfc8de255 update to 0.15.2
There is no useful changelog, but it makes the client work with a recent
OpenSSH server (6.7p1-hpn14v5) again. Tested with "duplicity".
2015-01-05 13:18:28 +00:00
imil
8042e72863 Forgot to add / commit options.mk 2015-01-05 11:32:49 +00:00
wiz
1466fbf97d Comment out options.mk until imil has time to add it. 2015-01-05 11:03:47 +00:00
wiz
0928515f6d Depend on py-enum34 if not building for python-3.4. 2015-01-05 08:42:32 +00:00
wiz
ee90f8576b Update to 1.1.12:
Allow option to set subject.
2015-01-04 23:15:19 +00:00
joerg
6ccb083f26 At long last, remove KerberosIV support. Just use ROT13 if you need a
similar encryption strength.
2015-01-04 12:07:51 +00:00
wiz
4588c96d47 Add missing py-asn1 dependency causing build breakage.
XXX: No idea why I missed that when updating the package.
2015-01-04 10:25:08 +00:00
dholland
f3f5a1a035 Use BROKEN_ON_PLATFORM here; see PR 42039. 2015-01-04 04:03:42 +00:00
dholland
c7605d5958 document NOT_FOR_PLATFORM 2015-01-04 04:01:47 +00:00
wiz
8a120e1128 Update to 0.7.1:
0.7.1 - 2014-12-28
~~~~~~~~~~~~~~~~~~

* Fixed an issue preventing compilation on platforms where ``OPENSSL_NO_SSL3``
  was defined.

0.7 - 2014-12-17
~~~~~~~~~~~~~~~~

* Cryptography has been relicensed from the Apache Software License, Version
  2.0, to being available under *either* the Apache Software License, Version
  2.0, or the BSD license.
* Added key-rotation support to :doc:`Fernet </fernet>` with
  :class:`~cryptography.fernet.MultiFernet`.
* More bit-lengths are now supported for ``p`` and ``q`` when loading DSA keys
  from numbers.
* Added :class:`~cryptography.hazmat.primitives.interfaces.MACContext` as a
  common interface for CMAC and HMAC and deprecated
  :class:`~cryptography.hazmat.primitives.interfaces.CMACContext`.
* Added support for encoding and decoding :rfc:`6979` signatures in
  :doc:`/hazmat/primitives/asymmetric/utils`.
* Added
  :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key` to
  support the loading of OpenSSH public keys (:rfc:`4253`). Only RSA and DSA
  keys are currently supported.
* Added initial support for X.509 certificate parsing. See the
  :doc:`X.509 documentation</x509>` for more information.
2015-01-03 16:00:55 +00:00
imil
03775a770c add & enable password-store 2015-01-02 12:53:35 +00:00
imil
6facafd0b1 Initial import of password-store, version 1.6.3, into the NetBSD Packages
Collection.

Password management should be simple and follow Unix philosophy. With pass,
each password lives inside of a gpg encrypted file whose filename is the title
of the website or resource that requires the password. These encrypted files
may be organized into meaningful folder hierarchies, copied from computer to
computer, and, in general, manipulated using standard command line file
management utilities.

pass makes managing these individual password files extremely easy. All
passwords live in ~/.password-store, and pass provides some nice commands for
adding, editing, generating, and retrieving passwords. It is a very short and
simple shell script. It's capable of temporarily putting passwords on your
clipboard and tracking password changes using git.
2015-01-02 12:52:16 +00:00
bsiegert
b2d4782745 Remove this package again, it already exists as py-crypto. Sorry for the
noise.

Pointed out by wiz and obache, thanks!
2015-01-02 10:03:00 +00:00
bsiegert
231d15ffea Add a package for pycrypto, version 2.6.1. From DESCR:
This is a collection of both secure hash functions (such as SHA256 and
RIPEMD160), and various encryption algorithms (AES, DES, RSA, ElGamal,
etc.).  The package is structured to make adding new modules easy.

One possible application of the modules is writing secure administration
tools.  Another application is in writing daemons and servers.  Clients
and servers can encrypt the data being exchanged and mutually
authenticate themselves; daemons can encrypt private data for added
security.  Python also provides a pleasant framework for prototyping and
experimentation with cryptographic algorithms; thanks to its
arbitrary-length integers, public key algorithms are easily implemented.
2015-01-01 12:59:16 +00:00
rumko
2e6b19f303 security/gnutls: Fix struct in6_addr being an incomplete type
In lib/x509/rfc2818_hostname.c, ipv6 related structs are used, but
at least on FreeBSD, arpa/inet.h does not contain the necessary
structs. If netinet/in.h is present, we use it instead of arpa/inet.h.

Reviewed by wiz
2014-12-31 16:05:07 +00:00
wiz
3ec156f142 Improve EGG_NAME default to work for packages with '-' in their name.
Remove now unnecessary overrides in various packages.
2014-12-31 13:57:25 +00:00
wiz
e6ab0b0199 Add three qore modules. 2014-12-31 13:57:03 +00:00
ryoon
4df0751d46 Add qt4-qtkeychain 2014-12-30 22:07:37 +00:00
ryoon
94e4d0d02d Import qt4-qtkeychain-0.4.0 as security/qt4-qtkeychain.
QtKeychain is a Qt API to store passwords and other secret data
securely. How the data is stored depends on the platform.
2014-12-30 22:05:46 +00:00
wiz
40a7408efc Import qore-xmlsec-module-0.0.2nb4 as security/qore-xmlsec-module,
packaged for wip by nros.

The Qore xmlsec module gives Qore programs the possibility to support
XML signature(xmldsig) and XML encryption(xmlenc) as defined by W3C.
2014-12-30 16:03:28 +00:00
wiz
1e944ba4ef Import qore-ssh2-module-0.9.9nb4 as security/qore-ssh2-module,
packaged for wip by nros.

The ssh2 module provides Qore the possibility to communicate with sshd
servers via the ssh2 protocol; the underlying functionality is provided
by libssh2.
2014-12-30 16:02:08 +00:00
wiz
0b8944a641 Import qore-asn1-module-0.0.3nb1 as security/qore-asn1-module,
packaged for wip by nros.

ASN.1(Abstract Syntax Notation One) module for Qore provides an API to
dynamically create, parse and convert ASN.1 data structures to concrete
output formats (like DER).
2014-12-30 16:01:22 +00:00
wiz
627d407a75 Remove pkg_views support, second part: infrastructure. 2014-12-30 15:13:19 +00:00
wiz
9449b9275c Update to 0.51:
0.51 - 2014-12-17
 - Update README file
 - Work around gpg2 bug by omitting --homedir during symmetric
   encryption
2014-12-30 13:04:03 +00:00
wiz
4d58af5c06 Update to 2.008:
2.008 2014/12/16
- work around recent OCSP verification errors for revoked.grc.com (badly signed
  OCSP response, Firefox also complains about it) in test t/external/ocsp.t.
- util/analyze.pl - report more details about preferred cipher for specific TLS
  versions
2014-12-30 12:56:13 +00:00
wiz
c47f0d6eab Update to 20141217. Changes not found, but I expect it was synced
to mozilla upstream.
2014-12-30 12:55:26 +00:00
plunky
3b99195c3a remove myself as MAINTAINER (email was obsolete)
add LICENSE
2014-12-30 08:26:08 +00:00
obache
7b2566349d INSTALLATION_DIRS must be in ${PREFIX}, create ${CSPHOME} manually instead.
PR pkg/49499 by Sevan Janiyan.
2014-12-25 02:34:53 +00:00
obache
e2ec0d56fb Fixes build failure, checking "fixed array != NULL". 2014-12-21 07:31:15 +00:00
wiz
82f6140bee Fix packaging with py-setuptools-0.8.
While here, fix interpreter path in installed file. Bump PKGREVISION.
2014-12-18 13:36:48 +00:00
mef
3e398e464a Update HOMEPAGE, which was unknown (MASTER_SITES now, is still unknown). 2014-12-16 03:26:49 +00:00
mef
5c4c7777a5 Update HOMEPAGE, which was unknown (MASTER_SITES is still unknown). 2014-12-16 02:58:20 +00:00
pettai
77fd030bdb remove perllocal.pod ref 2014-12-14 23:19:05 +00:00
pettai
9a28fc3c56 2.1
- New Features:
    - donuts:       - Added the ability to summarize information
                      about a zone in the output, such as the upcoming
                      entire zone expiry time, etc
                    - Added the ability to query live zones for
                      records to analyze.  EG:
                      donuts live:good-a,badsign-a test.dnssec-tools.org
                    - Added a -V switch to dump records analyzed
    - libval:       - Add support for conditionally checking all RRSIGs
                      on an assertion even if one that validates is
                      already found.
                    - Look for zonecuts based on NS records, not SOA
                    - Added initial support for TSIG in order to enable
                      libval to query recursive name servers that
                      authorized recursive lookup for only those hosts
                      that used a particular TSIG key.
    - Validator.pm  - Store respondent name server information in result
                      structure.
    - Owl           - additional sensor modules
                    - additional data analysis on manager
                    - logging to the Owl sensors modules
                    - optimized sensor data organization
                     (requires software upgrades on both sensor and
                      manager at the same time)
                    - added -restart option to owl-sensord for
                      restarting sensor modules
                    - improvements to the installation guide
    - rollerd       - generalized zonegroup entry in rollecs to be lists of tags
                    - rndc option support added
    - dnssec-check  - Ported to Qt5
    - dnssec-nodes  - Ported to Qt5
    - lookup        - Ported to Qt5
    - dnssec-system-tray
                    - Ported to Qt5

 - Bug Fixes
                    - Fixed bugs in libval, rollerd, blinkenlights, Owl
                      sensor modules, and Owl manager
                    - Use rlimits to try and limit file descriptor use in
                      libsres so we don't run out of available sockets.
                    - Eliminate a few hardcoded paths in various perl modules
                    - Fix various compiler warnings
                    - Update autoconf and related files
2014-12-14 23:11:08 +00:00
mef
bdd868852d Removing pinentry-gtk and pinentry-qt. Those two have been dropped by
upstream. Thanks wiz@ for advice.
-------------------------
2014-10-26  Werner Koch  <wk@gnupg.org>
	Release 0.9.0.
         (.. omitted ..)
	Remove support for QT3 and GTK+-1.
	* configure.ac: Remove old qt and gtk+-1 support.
2014-12-12 15:06:51 +00:00
mef
1c1cc56e07 Update pinentry and pinentry-{gtk2,qt4} from 0.8.4 to 0.9.0
-- This will remove pinentry-{gtk,qt} by next commit.
  -- Touched files on this commit are Makefile.common and distinfo only
-------------------------
2014-10-26  Werner Koch  <wk@gnupg.org>

	Release 0.9.0.

	gtk: Avoid segv for paste keys.
	* gtk+-2/gtksecentry.c (gtk_secure_entry_class_init): Disable paste
	key bindings.

	Remove support for QT3 and GTK+-1.
	* configure.ac: Remove old qt and gtk+-1 support.
	* Makefile.am: Ditto.

2014-10-26  Stanislav Ochotnicky  <sochotnicky@redhat.com>

	Check if we are on tty before initializing curses.
	* pinentry/pinentry-curses.c (dialog_run): Check that stdin and stdout
	are connected to ttys.

2014-10-26  Werner Koch  <wk@gnupg.org>

	gtk: Allow pasting using the mouse.
	* gtk+-2/gtksecentry.h (_GtkSecureEntry): Add fields insert_pos,
	real_changed, and change_count.
	(_GtkSecureEntryClass): Add field paste_clipboard.
	* gtk+-2/gtksecentry.c (PASTE_CLIPBOARD): New.
	(gtk_secure_entry_class_init): Set paste_clipboard and create
	paste-clipboard signal.
	(gtk_secure_entry_button_press): Call gtk_secure_entry_paste.
	(begin_change, end_change, emit_changed): New.
	(gtk_secure_entry_real_insert_text): Use emit_changed.
	(gtk_secure_entry_real_delete_text): Ditto.
	(paste_received, gtk_secure_entry_paste)
	(gtk_secure_entry_paste_clipboard): New.

2014-10-24  Werner Koch  <wk@gnupg.org>

	gtk+-2: Make current focus visible again.
	* gtk+-2/pinentry-gtk-2.c (grab_keyboard): Return false
	(ungrab_keyboard): Ditto.

	gtk+-2: Implement the SETREPEAT command.
	* gtk+-2/pinentry-gtk-2.c (repeat_entry, error_label): New.
	(button_clicked): Implement repeat check.
	(changed_text_handler): Clear repeat field.
	(create_window): Add repeat entry.

	Add commands to allow implementing a "repeat passphrase" field.
	* pinentry/pinentry.c (cmd_setrepeat): New.
	(cmd_setrepeaterror): New.
	(register_commands): Add new commands.
	(cmd_getpin): Print "PIN_REPEATED" status.
2014-12-12 15:04:16 +00:00
mef
8275e78877 Update security/pinentry* from 0.8.3 to 0.8.4
The second part of the commit after Makefile.common updated
This is the last version pinentry-{qt,gtk} are available.
2014-12-10 10:24:21 +00:00
mef
9347e44015 Update security/pinentry* from 0.8.3 to 0.8.4
Another commit follows for other files.
This is the last version pinentry-{qt,gtk} are available.
-----------------------------------------
2014-09-18  Werner Koch  <wk@gnupg.org>
	Release 0.8.4.

	Add missing build support files and move them to build-aux.

	Use generic autogen.sh script.
	* autogen.rc: New.
	* autogen.sh: New.  Take from GnuPG.
	* Makefile.am (EXTRA_DIST): Add autogen.rc.
	(DISTCHECK_CONFIGURE_FLAGS): Disable qt4.

2014-08-12  Werner Koch  <wk@gnupg.org>
	common: Fix compiler warning.
	* pinentry/pinentry.c (pinentry_utf8_to_local): Use cast for iconv arg.
	(pinentry_local_to_utf8): Ditto.

	New pinentry-tty version for dumb terminals.
	* Makefile.am: Add pinentry-tty.
	* NEWS: Add news about pinentry-tty.
	* README: Update.
	* configure.ac: Add support for this pinentry.
	* tty/Makefile.am: New.
	* tty/pinentry-tty.c: New.

2014-08-06  Andre Heinecke  <aheinecke@intevation.de>
	Check for MOC also if pinentry-qt is disabled.
	  * configure.ac: Call QT_PATH_MOC if pinentry_qt4 is not no.

	Add fallbacks for SetForegroundWindow.
	    If that foreground window fails pinentry-qt now tries to
	    attach to the current foreground process and then tries
	    to set the foreground window again. If that fails it also
	    calls ShowWindow as a last resort.

	    * qt4/pinentrydialog.cpp (raiseWindow): Add fallbacks in
	    case SetForegroundWindow fails.

	Use raiseWindow also for confirm dialogs.
	    This should fix the case that the dialog opened
	    in the foreground but a warning / confirm dialog
	    opened in the background.

	    * qt4/pinentryconfirm.cpp, qt4/pinentryconfirm.h (showEvent):
	    New overwrite base class method to call raiseWindow.
	    * NEWS: Mention this.

2014-07-30  Andre Heinecke  <aheinecke@intevation.de>
	Set some accessibility information.
	    * qt4/main.cpp (qt_cmd_handler): Build buttons with accessible
	    Description.
	    * qt4/pinentrydialog.cpp (setDescription, setError, setOkText)
	    (setCancelText, setQualityBar): Set an accessible description.
	    * qt4/pinentryconfirm.cpp (PinentryConfirm): Set message
	    box contents also as accessible values.
	    * NEWS: Mention it and the copy/paste change from last year.

2013-07-15  Andre Heinecke  <aheinecke@intevation.de>
	Lower paste length limit to 300.
	    This should be more than enough and avoids possible problems
	    with libassuan cmd line length or percent escaping etc.

	    * qt4/qsecurelineedit.cpp (insert): Lower paste limit

	Limit paste length to 1023 characters.
	    * qt4/qsecurelineedit.cpp (insert): Check for a maximum
	    length before allocating the secmem string.

	Fix contextmenu support for pasting.
	    MOC ignores preprocessor definitions so we can not conditionally
	    declare SLOTS. So we now move the ifdefs in the definition and
	    always declare the SLOTS.

	    * qt4/qsecurelinedit.cpp (cut, copy, paste): Do nothing if
	    QT_NO_CLIPBOARD is defined.
	    * qt4/qsecurelinedit.h: Always declare cut, copy and paste slots

	Remove check for RTL extensions.
	    Our code does nothing RTL specific there anyway. And the
	    qt_use_rtl_extensions symbol has been removed.

	    * qt4/qsecurelinedit.cpp: Remove check for RTL extensions.

2013-07-12  Werner Koch  <wk@gnupg.org>
	Fix for commit fb38be9 to allow for "make distcheck".
	* qt4/Makefile.am: Make correct use of BUILT_SOURCES.

2013-05-29  Andre Heinecke  <aheinecke@intevation.de>
	Add pinentry-qt4-clipboard option.
	    Enabling this option will make it possible to paste a
	    passphrase into pinentry-qt4. This defeats the secmem
	    mechanism but drastically increases usability for some
	    users.

	    * configure.ac: New option pinentry-qt4-clipboard.
	    * qt4/qsecurelineedit.cpp, qt4/qsecurelineedit.h: Activate
	    clipboard and context menu if PINENTRY_QT4_CLIPBOARD is defined.

	Remove qt4 moc files and add moc to buildsystem.
	    This is necessary to conditionally enable signals/slots
	    at build time.

	    * qt4/Makefile.am: Moc files automatically.
	    * qt4/pinentryconfirm.moc, qt4/pinentrydialog.moc,
	    qsecurelineedit.moc: Removed.
2014-12-10 10:22:27 +00:00
mef
4e549554b0 Convert security/pinentry* to using Makefile.common style.
No changes to the built binary. Proposed at:
  http://mail-index.netbsd.org/pkgsrc-users/2014/12/08/msg020735.html
Thank you.
2014-12-10 02:27:43 +00:00
khorben
f5f9654bec Updated security/pev to 0.70
Changelog for this version:
pev 0.70 - December 26, 2013
 ! Missing full/English documentation.
 ! Missing valid XML and HTML output formats.
 ! pestr: no support for --net option when parsing unicode strings.
 ! pestr: unable to handle too big strings.
 * libpe: rewritten, now using mmap. (Jardel Weyrich).
 * pestr: added countries domains suffixes.
 * readpe and peres: output enhancements (Jardel Weyrich).
 + pehash: sections and headers hash calculation (Jardel Weyrich).
 + pehash: ssdeep fuzzy hash calculation.
 + pehash: support for new digest hashes like sha512, ripemd160 and more.
 + peres: added new tool to analyze/extract PE resources (Marcelo Fleury).
 + pescan: cpl malware detection.
 + pescan: undocumented anti-disassembly fpu trick detection.
 + pesec: show and extract certificates from digitally signed binaries (Jardel Weyrich).
 - readpe can't show functions exported by ID only.
 - readpe: fixed subsystem types (Dmitry Mostovenko).
2014-12-09 14:37:06 +00:00
khorben
b15e64fb39 Fixed the default path to "userdb.txt" in pepack(1) (for pkg/49458) 2014-12-09 13:26:40 +00:00
mef
0aca52625b (pkgsrc)
- Add comment on patch-ac (from cvs log)
(upstream)
- Update 0.49 to 0.50
04/30/2014 - Version 0.50 new tests: linuxrootkit-AMD-64-sound
                          Operation Windigo ssh backdoor detection
                         Minor bug fixes
2014-12-08 14:04:57 +00:00
agc
de405590c8 add another test, after some prodding from riz@ - check that the verification
fails when no valid public key for the signature is provided.
2014-12-07 22:21:36 +00:00
khorben
4460faef25 Updated security/clamav to version 0.98.5
ChangeLog for this version:

Wed, 12 Nov 2014 14:30:39 EDT (swebb)
-------------------------------------
* bb11176 - Instruct OpenSSL to allow MD5 when in FIPS-compliant mode.
  Patch submitted by Reinhard Max.

Mon, 10 Nov 2014 11:03:29 EDT (swebb)
-------------------------------------
* bb11155 - Adjust the logic surrounding adjusting the PE section sizes
  This fixes a crash with maliciously crafted yoda's crypter files and
  also improves virus detections for PE files.

Thu, 6 Nov 2014 14:51:26 EDT (swebb)
-------------------------------------
* bb11088 - Merge in fixes for clamscan -a crash bug

Mon, 20 Oct 2014 11:33:18 EDT (swebb)
-------------------------------------
* Revert "bb#10731 - Allow to specify a group for the socket of which
  the user is not a member"

Thu, 31 Jul 2014 19:11:22 EDT (swebb)
-------------------------------------
* Add support for XDP PDF file format

Thu, Jul 31 11:50:23 EDT 2014 (swebb)
------------------------------------
* bb#10731 - Allow specification of a group for the milter socket of which
the user is not a member - patch submitted by Sebastian Andrzej Siewior

Fri, 25 Jul 2014 12:26:04 EDT (klin)
------------------------------------
* bb#10981 - applied LLVM 3.1-3.4 - patch submitted by Andreas Cadhalpun

Fri, 25 Jul 2014 12:06:13 (klin)
--------------------------------
* clambc: added diagnostic tools for bytecode IR

Tue, 8 Jul 2014 19:53:41 EDT (swebb)
------------------------------------
* mass cleanup of compiler warnings

Tue, 08 Jul 11:30:00 EDT 2014 (morgan)
------------------------------------
* 0.98.5 beta release

Mon, 07 Jul 09:00:00 EDT 2014 (swebb)
------------------------------------
* 0.98.5-beta1 release engineering

Thu, 03 Jul 22:14:40 EDT 2014 (swebb)
------------------------------------
* Call cl_initialize_crypto() in cl_init()

Thu, 03 Jul 16:28:10 EDT 2014 (swebb)
------------------------------------
* Finalize PDF parsing code for the preclassification feature

Wed, 25 Jun 16:26:33 EDT 2014 (swebb)
------------------------------------
* Finalize linking in libjson, a new optional dependency

Fri, 13 Jun 2014 16:11:15 EDT (smorgan)
---------------------------------------
* add timeout facility for file property scanning

Tue, 3 Jun 2014 13:31:50 EDT (smorgan)
--------------------------------------
* add callback for user processing of json string and json scan result

Wed, 7 May 2014 10:56:35 EDT (swebb)
------------------------------------
* PE file properties collection

Tue, 6 May 2014 15:26:30 EDT (klin)
-----------------------------------
* add api to read json to the bytecode api

Thu, 1 May 2014 16:59:01 EDT (klin)
-----------------------------------
* docx/pptx/xlsx file properties collection

Wed, 30 Apr 2014 16:38:55 EDT (swebb)
-------------------------------------
* pdf file properties collection

Tue, 22 Apr 2014 14:22:39 EDT (klin)
------------------------------------
* json api wrapper

Mon, 21 Apr 2014 18:30:28 EDT (klin)
------------------------------------
* doc/ppt/xls file properties collection

Wed, 16 Apr 18:14:45 2014 EDT (smorgan)
--------------------------------------
* Initial libjson-c configure/build support and json file properties work
2014-12-06 07:31:33 +00:00
rodent
911f918f66 Version 1.4.2
Several small bugfixes related to six/py3 support.
2014-12-05 18:59:08 +00:00
imil
e52c0c0162 add & enable snoopy 2014-12-05 14:48:24 +00:00
imil
bf444ca793 Initial import of snoopy, version 2.1.0, into the NetBSD Packages Collection.
Snoopy sends every executed command to syslog.
2014-12-05 14:47:02 +00:00
khorben
6942dd4007 Packaged gnutls 3.2.20
* Version 3.2.20 (released 2014-11-10)

** libgnutls: Removed superfluous random generator refresh on every call
of gnutls_deinit(). That reduces load and usage of /dev/urandom.

** libgnutls: Corrected issue in export of ECC parameters to X9.63 format.
Reported by Sean Burford [GNUTLS-SA-2014-5].

** API and ABI modifications:
No changes since last version.
2014-12-05 12:43:24 +00:00
khorben
3284193f08 Packaged gnutls 3.2.19
* Version 3.2.19 (released 2014-10-13)

** libgnutls: Fixes in the transparent import of PKCS #11 certificates.
Reported by Joseph Peruski.

** libgnutls: Fixed issue with unexpected non-fatal errors resetting the
handshake's hash buffer, in applications using the heartbeat extension
or DTLS. Reported by Joeri de Ruiter.

** libgnutls: fix issue in DTLS retransmission when session tickets
were in use; reported by Manuel Pégourié-Gonnard.

** libgnutls: Prevent abort() in library if getrusage() fails. Try to
detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work.

** guile: new 'set-session-server-name!' procedure; see the manual for
details.

** API and ABI modifications:
No changes since last version.
2014-12-05 12:25:42 +00:00
agc
61ae5a52f1 Also modify the header guard definition, which libnetpgpverify uses to
get its version number.
2014-12-04 20:14:13 +00:00
agc
d35575aa8e Update netpgpverify to version 20141204
Changes since 20141129:

+ bring over lint changes from src/crypto version of this utility
+ add a helper function to get an element from a cursor
+ added a small compile and test script, which uses BSD makefiles
+ change WARNS level in BSD Makefile from 6 to 5 - changes to make
  WARNS=6 compile are way too intrusive and distracting to be useful
+ bump version to 20141204
2014-12-04 20:08:47 +00:00
he
2bd675cb66 Update to version 1.4.7.
Changes:
 * The patch for SUPPORT-147 got integrated upstream.
 * Regenerate enforcer/utils/Makefile.in diff

Upstream changes:
 * SUPPORT-147: Zone updating via zone transfer can get stuck
 * Crash on 'retransfer command when not using DNS adapters.
2014-12-04 15:58:21 +00:00
joerg
11046934ea Use explicit library search path. 2014-12-03 14:07:56 +00:00
wiz
e2b07c8161 Update to 2.007:
2.007 2014/11/26
- make getline/readline fall back to super class if class is not sslified yet,
  i.e. behave the same as sysread, syswrite etc.
  This fixes RT#100529
2014-11-30 13:16:11 +00:00
agc
085d9acb2a Update netpgpverify to version 20141129
+ enhancement to tiger.c (from apb, IIRC) to use the union rather than
dubious and probably unportable casts.

+ bump version number
2014-11-29 20:19:46 +00:00
bsiegert
f7a0112abb Fix off-by-one in tty output library. Patch provided by Wada Keiji in
PR pkg/49312.
2014-11-28 10:53:40 +00:00
joerg
d2ec93dfaa The variable is called MAKE_ENV, not BUILDENV. 2014-11-27 13:31:07 +00:00
tez
164e0bdf9f Add patch for CVE-2014-5351 from:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8018
 3bf9e33f9d.diff
2014-11-25 23:40:49 +00:00
wiz
474de5a155 Update to 1.3.2. Add comment to patch.
Noteworthy changes in version 1.3.2 (2014-11-25) [C19/A11/R3]
------------------------------------------------

 * Fixed a buffer overflow in ksba_oid_to_str.


Noteworthy changes in version 1.3.1 (2014-09-18)
------------------------------------------------

 * Fixed memory leak in CRL parsing.

 * Build fixes for Windows, Android, and ppc64el.
2014-11-25 14:35:37 +00:00
wiz
7366f7c845 + py-oauth2client 2014-11-24 14:43:33 +00:00
wiz
fc6231aad7 Import py34-oauth2client-1.4.1 as security/py-oauth2client.
This is a client library for accessing resources protected by OAuth
2.0.
2014-11-24 14:43:12 +00:00
wiz
c86c219af6 + py-rsa. 2014-11-24 14:38:18 +00:00
wiz
a6e94317b2 Import py34-rsa-3.1.4 as security/py-rsa.
Python-RSA is a pure-Python RSA implementation. It supports encryption
and decryption, signing and verifying signatures, and key generation
according to PKCS#1 version 1.5. It can be used as a Python library
as well as on the commandline.
2014-11-24 14:38:03 +00:00
wiz
ec32bb8c3e + py-asn1-modules 2014-11-24 14:21:27 +00:00
wiz
6446ac6efb Import py34-asn1-modules-0.0.5 as security/py-asn1-modules.
This is a small but growing collection of ASN.1 data structures
expressed in Python terms using the pyasn1 data model.

It's thought to be useful to protocol developers and testers.
2014-11-24 14:21:01 +00:00
wiz
fce6926f93 Update to 2.006:
2.006 2014/11/22
- Make (hopefully) non-blocking work on windows by using EWOULDBLOCK instead of
  EAGAIN. While this is the same on UNIX it is different on Windows and socket
  operations return there (WSA)EWOULDBLOCK and not EAGAIN. Enable non-blocking
  tests on Windows too.
- make PublicSuffix::_default_data thread safe
- update PublicSuffix with latest list from publicsuffix.org
2014-11-23 13:06:40 +00:00