1.4.2:
Controller ready_timeout defaults to 5.0
More detailed message in TimeoutError during Controller.start()
IMPORTANT: No more leak of sensitive info during smtp_AUTH
1.4.1:
local_part_limit (max length of email address local part) is now customizable, defaults to 0 (no limit)
1.4.0:
PROXY Protocol support
SMTPS/STARTTLS support from CLI
UnixSocketController
Improvement on tox+pytest to enable stable run for pypy3-on-Windows, MacOS, and Cygwin
Example on how to implement SMTP AUTH
1.3.2:
Fixed:
Documentation issues that cause some automated build systems to fail
Improper IPv6 detection on systems whose kernel does not support IPv6
Also:
Add info about GPG Signing key to README and PyPI
A 'hidden' testenv named static to run pytype
1.3.1:
Smarter localhost determination
No longer failing on hostname=""
1.3.0:
"AUTH LOGIN " support
Command Call Limit to stop misbehaving clients
"authenticator" system to replace "auth_callback"
"handle_EHLO" can modify return values
(Almost) transparent passing of keyword args given to
Controller to SMTP
Now uses TLS Context as-is
Complete conversion of test cases from unittest/nose2 to
pytest
Improve compatibility with setuptools<=46.4.0
Upstream changes:
1.448 2021-03-05T15:01:18Z
* Promote to a user release
1.447_01 2021-03-02T16:11:23Z
* Try handling all-numeric user and group names (but, also, wtf?)
Github #26.
1.447 2021-02-24T21:32:41Z
* Trying harder to get the tests to pass on Cygwin
1.446 2021-02-20T21:18:48Z
* Better cygwin detection, from Achim Gratz
1.445 2021-02-16T08:57:34Z
* Get the tests to pass under Cygwin (Github #17, from Slaven Rezić)
1.444 2021-01-06T03:40:19Z
* Remove Travis, add GitHub actions
* Add file_is_symlink_not_ok
1.443_03 2020-06-15T13:13:42Z
* Merge some test additions from Desmond Daignault (GitHub #20)
1.443_02 2020-06-15T12:10:34Z
* Deprecated directories in tests appropriate for only plain files.
It's a diag() message now but will be a test failure later.
1.443_01 2020-06-12T11:54:41Z
* change the file_writeable_ok tests to file_writable_ok, which
is the correct spelling. The old names work but now warn to use
the new name.
* Some updates to refresh the tests.
* Start mirroring Test2::Tools::File so we support the same names.
Thanks to Torbjørn Lindahl for spotting rough edges.
Changes since v4.6.0:
wolfSSL Release 4.7.0 (February 16, 2021)
Release 4.7.0 of wolfSSL embedded TLS has bug fixes and new features including:
New Feature Additions
* Compatibility Layer expansion SSL_get_verify_mode, X509_VERIFY_PARAM API,
X509_STORE_CTX API added
* WOLFSSL_PSK_IDENTITY_ALERT macro added for enabling a subset of TLS alerts
* Function wolfSSL_CTX_NoTicketTLSv12 added to enable turning off session
tickets with TLS 1.2 while keeping TLS 1.3 session tickets available
* Implement RFC 5705: Keying Material Exporters for TLS
* Added --enable-reproducible-build flag for making more deterministic
library outputs to assist debugging
* Added support for S/MIME (Secure/Multipurpose Internet Mail Extensions)
bundles
Fixes
* Fix to free mutex when cert manager is free’d
* Compatibility layer EVP function to return the correct block size and type
* DTLS secure renegotiation fixes including resetting timeout and retransmit
on duplicate HelloRequest
* Fix for edge case with shrink buffer and secure renegotiation
* Compile fix for type used with curve448 and PPC64
* Fixes for SP math all with PPC64 and other embedded compilers
* SP math all fix when performing montgomery reduction on one word modulus
* Fixes to SP math all to better support digit size of 8-bit
* Fix for results of edge case with SP integer square operation
* Stop non-ct mod inv from using register x29 with SP ARM64 build
* Fix edge case when generating z value of ECC with SP code
* Fixes for PKCS7 with crypto callback (devId) with RSA and RNG
* Fix for compiling builds with RSA verify and public only
* Fix for PKCS11 not properly exporting the public key due to a missing key
type field
* Call certificate callback with certificate depth issues
* Fix for out-of-bounds read in TLSX_CSR_Parse()
* Fix incorrect AES-GCM tag generation in the EVP layer
* Fix for out of bounds write with SP math all enabled and an edge case of
calling sp_tohex on the result of sp_mont_norm
* Fix for parameter check in sp_rand_prime to handle 0 length values
* Fix for edge case of failing malloc resulting in an out of bounds write
with SHA256/SHA512 when small stack is enabled
Improvements/Optimizations
* Added --enable-wolftpm option for easily building wolfSSL to be used with
wolfTPM
* DTLS macro WOLFSSL_DTLS_RESEND_ONLY_TIMEOUT added for resending flight
only after a timeout
* Update linux kernel module to use kvmalloc and kvfree
* Add user settings option to cmake build
* Added support for AES GCM session ticket encryption
* Thread protection for global RNG used by wolfSSL_RAND_bytes function calls
* Sanity check on FIPs configure flag used against the version of FIPs
bundle
* --enable-aesgcm=table now is compatible with --enable-linuxkm
* Increase output buffer size that wolfSSL_RAND_bytes can handle
* Out of directory builds resolved, wolfSSL can now be built in a separate
directory than the root wolfssl directory
Vulnerabilities
* [HIGH] CVE-2021-3336: In earlier versions of wolfSSL there exists a
potential man in the middle attack on TLS 1.3 clients. Malicious
attackers with a privileged network position can impersonate TLS 1.3
servers and bypass authentication. Users that have applications with
client side code and have TLS 1.3 turned on, should update to the latest
version of wolfSSL. Users that do not have TLS 1.3 turned on, or that are
server side only, are NOT affected by this report. For the code change
see #3676. Thanks to Aina Toky Rasoamanana and Olivier Levillain from
Télécom SudParis for the report.
* [LOW] In the case of using custom ECC curves there is the potential for a
crafted compressed ECC key that has a custom prime value to cause a hang
when imported. This only affects applications that are loading in ECC keys
with wolfSSL builds that have compressed ECC keys and custom ECC curves
enabled.
* [LOW] With TLS 1.3 authenticated-only ciphers a section of the server
hello could contain 16 bytes of uninitialized data when sent to the
connected peer. This affects only a specific build of wolfSSL with TLS
1.3 early data enabled and using authenticated-only ciphers with TLS 1.3.
For additional vulnerability information visit the vulnerability page at
https://www.wolfssl.com/docs/security-vulnerabilities/
See INSTALL file for build instructions.
More info can be found on-line at https://wolfssl.com/wolfSSL/Docs.html
Add php-ffi, part of php74 and php80.
PHP is a programming language designed to be embedded into web pages.
The FFI extension implements the Foreign Function Interface, but currently
it is experimental.
Pkgsrc changes:
* Change dependency from botan to botan-devel to get version 2.x.
Upstream changes:
SoftHSM 2.6.1 - 2020-04-29
* Issue #542: Support Ed448/X448 for OpenSSL
* Issue #538: Improved warning and compilation issues for GCC10
* Issue #527: Fixed compilation issues for MacOS 10.15.4/Xcode 11.4
SoftHSM 2.6.0 - 2020-03-17
* Issue #493: Upgrade to Botan 2.
* Issue #530: Update appveyor build.
* Issue #438: Detect crypto algorithms by default.
(Patch from Alon Bar-Lev)
* Issue #455: Provide a new configuration option to allow enabling and
disabling various mechanisms (slots.mechanisms in the softhsm2.conf).
(Thanks to Jakub Jelen)
* Issue #479: Increase SQLite busy timeout from 15 seconds to 3 minutes.
(Patch from Jan Luebbe)
* Issue #513: Add configuration option to reset state on fork closing all
sessions rather than keeping all sessions open in duplicate process.
(Thanks to Anderson Toshiyuki Sasaki)
* Issue #500: C_WaitForSlotEvent implementation.
(Patch from massey101)
* Issue #445: Add wrap support with CKM_AES_CBC.
Bugfixes:
* Issue #418: Set fields to NULL to avoid double free.
(Patch from Brian J Murray)
* Issue #423: ENGINE_load_rdrand is not supported with older openssl.
(Patch from Alon Bar-Lev)
* Issue #429: Updated prerequisite to build from repository.
(Patch from Dharmesh Khandelwal)
* Issue #434: Fix build issues with CMake.
(Patch from Peter Wu)
* Issue #435: Fix botan build without EDDSA.
(Patch from Peter Wu)
* Issue #442: Release resources from OSSLEVPSymmetricAlgorithm.
(Patch from Petr Menšík)
* Issue #449/#502: Do not copy zero sized buffer avoid null pointer reference.
(Patch from space88man)
* Issue #464: Race condition with multiple threads closing last session and
opening a newer sessions.
(Patch from Takarth)
* Issue #452: Fixes to automake build for undefined macros.
* Issue #462: User PIN count wrongly calculated.
(Patch from Ondrej Hlavaty)
* Issue #516: Fix memory leak in OSSLCryptoFactory.
(Patch from Anderson Sasaki)
* Issue #494: Allow null pointers as arguments when count is zero.
(Patch from Yunjong Jeong)
* Issue #518: Sporadic problem in closing sessions because of lookup of
object without prior locking.
* Issue #506: Check key type for C_EncryptInit and C_DecryptInit.
(Patch from Yunjong Jeong)
* Issue #526: Adjust EDDSA code to return valid EC_PARAMS.
(Patch from Jakub Jelen)
* Issue #452: Autogen failure on undefined macro AC_MSG_ERROR.
* Issue #527: Fixed some build errors for GCC 10.
* Issue #470: Null pointer arguments validation for C_EncryptFinal, etc.
Informally OK'ed by joerg@
Pkgsrc changes:
* Add comments to the patches which lacked them.
* Adjust PLIST.
Upstream changes:
Version 2.17.3, 2020-12-21
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* Change base64, base58, base32, and hex encoding and decoding operations
to run in constant time (GH #2549)
* Fix a build problem on PPC64 building with Clang (GH #2547)
* Fix an install problem introduced in 2.17.2 affecting MSVC 2015
* Fix use of -L flag in linking when configured using ``--with-external-libdir``
(GH #2496)
* Fix a build problem on big-endian PowerPC related to VSX instructions
in the AES code. (GH #2515)
Version 2.17.2, 2020-11-13
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* Fix a build problem on ppc64 introduced with certain recent
versions of GCC or binutils where using the DARN instruction
requires using an appropriate -mcpu flag to enable the instruction
in the assembler. (GH #2481 #2463)
* Resolve an issue in the modular square root algorithm where a loop
to find a quadratic non-residue could, for a carefully chosen
composite modulus, not terminate in a timely manner. (GH #2482 #2476)
* Fix a regression in MinGW builds introduced in 2.17.1
Version 2.17.1, 2020-11-07
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* Fix a build problem that could occur if Python was not in the PATH.
This was known to occur on some installations of macOS.
* Re-enable support for the x86 CLMUL instruction on Visual C++, which was
accidentally disabled starting in 2.12.0. (GH #2460)
Version 2.17.0, 2020-11-05
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* Fix a bug in ECDSA which could occur when the group size and hash length
differ. In this case, on occasion the generated signature would not be
accepted by other ECDSA implementations. This was particularly likely to
affect users of 160-bit or 239-bit curves. (GH #2433 #2415)
* Fix a bug in ECDSA verification when the public key was chosen to be
a small multiple of the group generator. In that case, verification
would fail even if the signature was actually valid. (GH #2425)
* SIV's functionality of supporting multiple associated data inputs has been
generalized onto the AEAD_Mode interface. However at the moment SIV is the
only AEAD implemented which supports more than one AD. (GH #2440)
* The contents of ASN.1 headers ``asn1_str.h``, ``asn1_time.h``, ``asn1_oid.h``
and ``alg_id.h`` have been moved to ``asn1_obj.h``. The header files remain
but simply forward the include to ``asn1_obj.h``. These now-empty header files
are deprecated, and will be removed in a future major release. (GH #2441)
* The contents of X.509/PKIX headers ``asn1_attribute.h`` ``asn1_alt_name.h``
``name_constraint.h`` ``x509_dn.h`` ``cert_status.h`` and ``key_constraint.h``
have been merged into ``pkix_enums.h`` (for enumerations) and ``pkix_types.h``
(for all other definitions). The previous header files remain but simply
forward the include to the new header containing the definition. These
now-empty header files are deprecated, and will be removed in a future major
release. (GH #2441)
* A number of other headers including those related to HOTP/TOTP, XMSS,
PKCS11, PSK_DB have also been merged. Any now deprecated/empty headers
simply include the new header and issue a deprecation warning.
(GH #2443 #2446 #2447 #2448 #2449)
* Small optimizations in the non-hardware assisted AES key generation
code path (GH #2417 #2418)
* Move the GHASH code to a new module in utils, making it possible
to build GMAC support without requiring GCM (GH #2416)
* Add more detection logic for AVX-512 features (GH #2430)
* Avoid std::is_pod which is deprecated in C++20 (GH #2429)
* Fix a bug parsing deeply nested cipher names (GH #2426)
* Add support for ``aarch64_be`` target CPU (GH #2422)
* Fix order of linker flags so they are always applied effectively (GH #2420)
* Prevent requesting DER encoding of signatures when the algorithm
did not support it (GH #2419)
Version 2.16.0, 2020-10-06
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* Now userspace PRNG objects (such as AutoSeeded_RNG and HMAC_DRBG)
use an internal lock, which allows safe concurrent use. This however
is purely a precaution in case of accidental sharing of such RNG
objects; for performance reasons it is always preferable to use
a RNG per thread if a userspace RNG is needed. (GH #2399)
* DL_Group and EC_Group objects now track if they were created from a
known trusted group (such as P-256 or an IPsec DH parameter). If
so, then verification tests can be relaxed, as compared to
parameters which may have been maliciously constructed in order to
pass primality checks. (GH #2409)
* RandomNumberGenerator::add_entropy_T assumed its input was a POD
type but did not verify this. (GH #2403)
* Support OCSP responders that live on a non-standard port (GH #2401)
* Add support for Solaris sandbox (GH #2385)
* Support suffixes on release numbers for alpha/beta releases (GH #2404)
* Fix a bug in EAX which allowed requesting a 0 length tag, which had
the effect of using a full length tag. Instead omit the length field,
or request the full tag length explicitly. (GH #2392 #2390)
* Fix a memory leak in GCM where if passed an unsuitable block cipher
(eg not 128 bit) it would throw an exception and leak the cipher
object. (GH #2392 #2388)
Version 2.15.0, 2020-07-07
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* Fix a bug where the name constraint extension did not constrain the
alternative DN field which can be included in a subject alternative name. This
would allow a corrupted sub-CA which was otherwise constrained by a name
constraint to issue a certificate with a prohibited DN.
* Fix a bug in the TLS server during client authentication where
if a (disabled by default) static RSA ciphersuite was selected, then
no certificate request would be sent. This would have an equivalent
effect to a client which simply replied with an empty Certificate
message. (GH #2367)
* Replace the T-Tables implementation of AES with a 32-bit bitsliced
version. As a result AES is now constant time on all processors.
(GH #2346 #2348 #2353 #2329 #2355)
* In TLS, enforce that the key usage given in the server certificate
allows the operation being performed in the ciphersuite. (GH #2367)
* In X.509 certificates, verify that the algorithm parameters are
the expected NULL or empty. (GH #2367)
* Change the HMAC key schedule to attempt to reduce the information
leaked from the key schedule with regards to the length of the key,
as this is at times (as for example in PBKDF2) sensitive information.
(GH #2362)
* Add Processor_RNG which wraps RDRAND or the POWER DARN RNG
instructions. The previous RDRAND_RNG interface is deprecated.
(GH #2352)
* The documentation claimed that mlocked pages were created with a
guard page both before and after. However only a trailing guard page
was used. Add a leading guard page. (GH #2334)
* Add support for generating and verifying DER-encoded ECDSA signatures
in the C and Python interfaces. (GH #2357 #2356)
* Workaround a bug in GCC's UbSan which triggered on a code sequence
in XMSS (GH #2322)
* When building documentation using Sphinx avoid parallel builds with
version 3.0 due to a bug in that version (GH #2326 #2324)
* Fix a memory leak in the CommonCrypto block cipher calls (GH #2371)
* Fix a flaky test that would occasionally fail when running the tests
with a large number of threads. (GH #2325 #2197)
* Additional algorithms are now deprecated: XTEA, GOST, and Tiger.
They will be removed in a future major release.
Version 2.14.0, 2020-04-06
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* Add support for using POWER8+ VPSUMD instruction to accelerate GCM
(GH #2247)
* Optimize the vector permute AES implementation, especially improving
performance on ARMv7, Aarch64, and POWER. (GH #2243)
* Use a new algorithm for modular inversions which is both faster and
more resistant to side channel attacks. (GH #2287 #2296 #2301)
* Address an issue in CBC padding which would leak the length of the
plaintext which was being padded. Unpadding during decryption was
not affected. Thanks to Maximilian Blochberger for reporting this.
(GH #2312)
* Optimize NIST prime field reductions, improving ECDSA by 3-9% (GH #2295)
* Increase the size of the ECC blinding mask and scale it based on the
size of the group order. (GH #880 #893 #2308)
* Add server side support for the TLS asio wrapper. (GH #2229)
* Add support for using Windows certificate store on MinGW (GH #2280)
* Use the library thread pool instead of a new thread for RSA computations,
improving signature performance by up to 20%. (GH #2257)
* Precompute and cache additional fields in ``X509_Certificate`` (GH #2250)
* Add a CLI utility ``cpu_clock`` which estimates the speed of the
processor cycle counter. (GH #2251)
* Fix a bug which prevented using DER-encoded ECDSA signatures with a PKCS11
key (GH #2293)
* Enable use of raw block ciphers from CommonCrypto (GH #2278)
* Support for splitting up the amalgamation file by ABI extension has
been removed. Instead only ``botan_all.cpp`` and ``botan_all.h`` are
generated. (GH #2246)
* Improve support for baremetal systems with no underlying OS, with
target OS ``none`` (GH #2303 #2304 #2305)
* The build system now avoids using ``-rpath=$ORIGIN`` or (on macOS)
install_name which allowed running the tests from the build
directory without setting ``LD_LIBRARY_PATH``/``DYLD_LIBRARY_PATH``
environment variables. Instead set the dynamic linker variables
appropriately, or use ``make check``. (GH #2294 #2302)
* Add new option ``--name-amalgamation`` which allows naming the
amalgamation output, instead of the default ``botan_all``. (GH #2246)
* Avoid using symbolic links on Windows (GH #2288 #2286 #2285)
* Fix a bug that prevented compilation of the amalgamation on ARM and
POWER processors (GH #2245 #2241)
* Fix some build problems under Intel C++ (GH #2260)
* Remove use of Toolhelp Windows library, which was known to trigger
false positives under some antivirus systems. (GH #2261)
* Fix a compilation problem when building on Windows in Unicode mode.
Add Unicode build to CI to prevent regressions. (GH #2254 #2256)
* Work around a GCC bug affecting old libc (GH #2235)
* Workaround a bug in macOS 10.15 which caused a test to crash.
(GH #2279 #2268)
* Avoid a crash in PKCS8::load_key due to a bug in Clang 8.
(GH #2277)
Version 2.13.0, 2020-01-06
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* Add Roughtime client (GH #2143 #1842)
* Add support for XMSS X.509 certificates (GH #2172)
* Add support for X.509 CRLs in FFI layer and Python wrapper (GH #2213)
* It is now possible to disable TLS v1.0/v1.1 and DTLS v1.0 at build time.
(GH #2188)
* The format of encrypted TLS sessions has changed, which will
invalidate all existing session tickets. The new format will make
it easier to support ticket key rotation in the future. (GH #2225)
* Improve RSA key generation performance (GH #2148)
* Make gcd computation constant-time (GH #2147)
* Add AVX2 implementation of SHACAL2 (GH #2196)
* Update BSI policy to reflect 2019 update of TR 02102-2 (GH #2195)
* Support more functionality for X.509 in the Python API (GH #2165)
* Add ``generic`` CPU target useful when building for some new or unusual
platform.
* Disable MD5 in BSI or NIST modes (GH #2188)
* Disable stack protector on MinGW as it causes crashes with some recent
versions. (GH #2187)
* On Windows the DLL is now installed into the binary directory (GH #2233)
* Previously Windows required an explicit ``.lib`` suffix be added when
providing an explicit library name, as is used for example for Boost.
Now the ``.lib`` suffix is implicit, and should be omitted.
* Remove the 32-bit x86 inline asm for Visual C++ as it seemed to not offer
much in the way of improved performance. (GH #2204 #256)
* Resolve all compile time warnings generated by GCC, Clang and MSVC.
Modify CI to compile with warnings-as-errors. (GH #2170 #2206 #2211 #2212)
* Fix bugs linking to 3rd party libraries on Windows due to invalid
link specifiers. (GH #2210 #2215)
* Add long input and NIST Monte-Carlo hash function tests.
* Fix a bug introduced in 2.12.0 where ``TLS::Channel::is_active`` and
``TLS::Channel::is_closed`` could simultaneously return true.
(GH #2174 #2171)
* Use ``std::shared_ptr`` instead of ``boost::shared_ptr`` in some examples.
(GH #2155)
Version 2.12.1, 2019-10-14
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* Fix a bug that prevented building with nmake (GH #2142 #2141)
* Fix an issue where make install would attempt to build targets which
were disabled. (GH #2140)
* If the option ``--without-documentation`` is used, avoid invoking the
documentation build script. (GH #2138)
* Fix a bug that prevented compilation on x86-32 using GCC 4.9 (GH #2139)
* Fix a bug in CCM encryption, where it was possible to call ``finish`` without
ever setting a nonce (GH #2151 #2150)
* Improve ECIES/DLIES interfaces. If no initialization vector was set, they
would typically produce hard to understand exceptions. (GH #2151 #2150)
Version 2.12.0, 2019-10-07
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* Many currently public headers are being deprecated. If any such header is
included by an application, a warning is issued at compile time. Headers
issuing this warning will be made internal in a future major release.
(GH #2061)
* RSA signature performance improvements (GH #2068 #2070)
* Performance improvements for GCM (GH #2024 #2099 #2119), OCB (#2122),
XTS (#2123) and ChaCha20Poly1305 (GH #2117), especially for small messages.
* Add support for constant time AES using NEON and AltiVec (GH
#2093 #2095 #2100)
* Improve performance of POWER8 AES instructions (GH #2096)
* Add support for the POWER9 hardware random number generator (GH #2026)
* Add support for 64-bit version of RDRAND, doubling performance
on x86-64 (GH #934 #2022)
* In DTLS server, support a client crashing and then reconnecting from
the same source port, as described in RFC 6347 sec 4.2.8 (GH #2029)
* Optimize DTLS MTU splitting to split precisely to the set MTU (GH #2042)
* Add support for the TLS v1.3 downgrade indicator. (GH #2027)
* Improve the error messages generated when an invalid TLS state
transition occurs (GH #2030)
* Fix some edge cases around TLS close_notify support. (GH #2054)
* Modifications to support GOST 34.10-2012 signatures (GH #2055 #2056 #1860 #1897)
* Add some new APIs on ``OID`` objects (GH #2057)
* Properly decode OCSP responses which indicate an error (GH #2110)
* Add a function to remove an X.509 extension from an Extensions object.
(GH #2101 #2073 #2065)
* Support Argon2 outputs longer than 64 bytes (GH #2079 #2078)
* Correct a bug in CAST-128 which caused incorrect computation using
11, 13, 14, or 15 byte keys. (GH #2081)
* Fix a bug which would cause Streebog to produce incorrect outputs for
certain messages (GH #2082 #2083)
* Fix a bug that prevented loading EC points with an affine x or y
value of 0. For certain curves such points can exist. (GH #2102)
* Fix a bug which would cause PBKDF2 to go into a very long loop if
it was requested to use an iteration count of 0. (GH #2090 #2088)
* The BearSSL provider has been removed (GH #2020)
* Add a new ``entropy`` cli which allows sampling the output of
the entropy sources.
* Add new ``base32_enc`` and ``base32_dec`` cli for base32 encoding
operations. (GH #2111)
* Support setting TLS policies in CLIs like ``tls_client`` and
``tls_proxy_server`` (GH #2047)
* The tests now run in multithreaded mode by default. Provide option
``--test-threads=1`` to return to previous single-threaded
behavior. (GH #2071 #2075)
* Cleanups in TLS record layer (GH #2021)
* Fix typos in some OCSP enums which used "OSCP" instead. (GH #2048)
* In the Python module, avoid trying to load DLLs for names that
don't match the current platform (GH #2062 #2059)
* In the Python module, also look for ``botan.dll`` so Python
wrapper can run on Windows. (GH #2059 #2060)
* Add support for TOTP algorithm to the Python module. (GH #2112)
* Now the minimum Windows target is set to Windows 7 (GH #2036 #2028)
* Add ``BOTAN_FORCE_INLINE`` macro to resolve a performance issue
with BLAKE2b on MSVC (GH #2092 #2089)
* Avoid using ``__GNUG__`` in headers that may be consumed by a C
compiler (GH #2013)
* Improve the PKCS11 tests (GH #2115)
* Fix a warning from Klocwork (GH #2128 #2129)
* Fix a bug which caused amalgamation builds to fail on iOS (GH #2045)
* Support disabling thread local storage, needed for building on
old iOS (GH #2045)
* Add a script to help with building for Android, using Docker (GH
#2016 #2033 #513)
* Add Android NDK build to Travis CI (GH #2017)
v2.3.0:
DEPRECATED
This project is no longer maintained. You can still use a REST client like Requests or other third-party Python library to access the Discogs REST API.
v2.2.2:
Updates dependencies to resolve security vulnerabilities, and modernizes Python versions under test.
4.0.2:
Properly include requirements.txt in the manifest.
4.0.1:
No changes from 4.0.0, this release is purely to fix some github actions and documentation builds
4.0.0:
This release contains many months of work and lots of breaking changes. For full details, please see: https://flask-jwt-extended.readthedocs.io/en/stable/v4_upgrade_guide/
3.25.1:
The only change in this release is that we are setting the metadata that marks this as the last release to support python versions earlier than 3.6 (including python 2).
3.25.0:
Add JWT_ENCODE_ISSUER option
Require PyJWT before version 2.0.0a to prevent breaking changes. (we will update to the 2.0.0 pyjwt release once it's out of the alpha/early release).
Version 3.10.0
This will be the last major and minor version to support Python 2.7
The next non-patch release should be version 4.0.0.
New Features / Improvements
Add API.search_30_day and API.search_full_archive
Update allowed parameters for API.home_timeline
Add trim_user, exclude_replies, include_entities
Remove page as erroneously documented parameter
Reorder count to be the first parameter
Update allowed parameters for API.get_oembed
Add hide_thread, theme, link_color, widget_type, dnt
Remove id
Remove API.update_profile_background_image
Add support for Python 3.9
Switch from Travis CI to GitHub Actions to run tests and deploy releases
Update and improve various documentation
Bug Fixes
Use mimetypes.guess_type as fallback for determining image file type
Use proper MIME type in Content-Type header for uploaded images
Allow file parameter to be used again for API.media_upload
Allow file parameter to be used again for API.update_profile_banner, API.update_profile_image, and API.update_with_media
Fix User.lists, User.lists_memberships, and User.lists_subscriptions to retrieve information about the user in question rather than the authenticating user
Version 3.9.0
New Features / Improvements
Add API.create_media_metadata
Update allowed parameters for API.update_status
Add exclude_reply_user_ids, attachment_url, possibly_sensitive, trim_user, enable_dmcommands, fail_dmcommands, card_uri
Remove in_reply_to_status_id_str, source
Add allowed parameters to API.get_status
trim_user, include_my_retweet, include_entities, include_ext_alt_text, include_card_uri
Add allowed parameters to API.statuses_lookup
include_ext_alt_text, include_card_uri
Improve API.lookup_users
Improve and optimize API.statuses_lookup, API.create_media_metadata, API.update_status
Add reverse as allowed parameter for API.lists_all
Add count as allowed parameter for API.lists_memberships
Add count as allowed parameter for API.lists_subscriptions
Add include_entities as allowed parameter for API.list_timeline
Add allowed parameters to API.list_subscribers
count, include_entities, skip_status
Add support for Python 3.8
Update and improve setup.py
Use requests socks extra instead of requiring PySocks directly
Allow uploading of images with file names without extensions
Support uploading WebP images
Add missing attributes to Relationship model
Update max allowed size for uploaded GIFs
Add _json attribute to DirectMessage model
Update and improve tests
Add documentation for extended Tweets
Document API.lookup_users
Add documentation for running tests
Add Korean translation of documentation
Add Polish translation of documentation
Document API.lookup_friendships
Update and improve various documentation
Bug Fixes
Fix handling of invalid credentials for API.verify_credentials
Handle boolean value for API.verify_credentials include_email parameter
Allow Cursor to be used with API.list_direct_messages by adding DMCursorIterator
Version 3.8.0
New Features / Improvements
Allow streams to use daemon threads
Remove API.set_delivery_device
Remove simplejson import and usage
Allow cursor parameter for API.blocks_ids and API.mutes_ids
Drop support for Python 3.4
Allow perform_block parameter for API.report_spam
Add API.mutes
Allow count parameter for API.friends
Remove since, from, to, and source as allowed parameters for API.search
Handle location deletion and withheld content notices for streams
Allow usage of equality and difference operators with User objects
Add _json attribute to Category, Friendship, and List models
Remove API.suggested_categories, API.suggested_users, and API.suggested_users_tweets
Update and improve tests and cassettes
Update DirectMessage model
Replace API.direct_messages and API.sent_direct_messages with API.list_direct_messages
Update API.get_direct_message, API.send_direct_message, and API.destroy_direct_message
Update and improve various documentation
Bug Fixes
Exclude examples during installation
Properly initialize OAuthHandler.request_token
Properly handle map_ parameter for API.statuses_lookup
Support cursor pagination for API.blocks_ids and API.mutes_ids
Return values for API.update_profile_background_image and API.update_profile_banner
Replace usage of root logger
Close Requests sessions
Version 3.7.0
New Features / Improvements
Allow trim_user and exclude_replies as parameters for API.user_timeline
Allow tweet_mode parameter for API.statuses_lookup
Drop support for Python 2.6 and 3.3
Discord Server
Add proxy support for streams
Add API.create_mute, API.destroy_mute, and API.mutes_ids
Allow tweet_mode parameter for API.lookup_users
Bug Fixes
Fix AttributeError during streaming
Update how requirements are specified
Fix compatibility issue with Python 3.7
Version 3.6.0
New Features / Improvements
Parse Status.quoted_status as a Status object
Allow in_reply_to_status_id_str as a parameter for API.update_status and API.update_with_media
Add stall_warnings parameter to Stream.sample
Add API.unretweet
Allow auto_populate_reply_metadata as a parameter for API.update_status and API.update_with_media
Allow profile_link_color as a parameter for API.update_profile
Add support for Python 3.6
Bug Fixes
Update file size limit for API.media_upload
Fix JSONParser.parse returning None in certain cases
Include URL parameters when accessing cache
Properly re-raise exceptions during streaming
Fix AttributeError and TypeError during streaming
Properly encode filter_level for Stream.filter
v2.0.1
Changed
- Rename CHANGELOG.md to CHANGELOG.rst and include in docs
Fixed
- Fix `from_jwk()` for all algorithms
v2.0.0
Drop support for Python 2 and Python 3.0-3.5
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Python 3.5 is EOL, so we decided to drop support for it. Version ``1.7.1`` is
the last one supporting Python 3.0-3.5.
Require cryptography >= 3
^^^^^^^^^^^^^^^^^^^^^^^^^
Drop support for PyCrypto and ECDSA
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
We've kept this around for a long time, mostly for environments that
didn't allow installing cryptography.
Drop CLI
^^^^^^^^
Dropped the included cli entry point.
Improve typings
^^^^^^^^^^^^^^^
We no longer need to use mypy Python 2 compatibility mode (comments)
``jwt.encode(...)`` return type
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Tokens are returned as string instead of a byte string
Dropped deprecated errors
^^^^^^^^^^^^^^^^^^^^^^^^^
Removed ``ExpiredSignature``, ``InvalidAudience``, and
``InvalidIssuer``. Use ``ExpiredSignatureError``,
``InvalidAudienceError``, and ``InvalidIssuerError`` instead.
Dropped deprecated ``verify_expiration`` param in ``jwt.decode(...)``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Use
``jwt.decode(encoded, key, algorithms=["HS256"], options={"verify_exp": False})``
instead.
Dropped deprecated ``verify`` param in ``jwt.decode(...)``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Use ``jwt.decode(encoded, key, options={"verify_signature": False})``
instead.
Require explicit ``algorithms`` in ``jwt.decode(...)`` by default
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Example: ``jwt.decode(encoded, key, algorithms=["HS256"])``.
Dropped deprecated ``require_*`` options in ``jwt.decode(...)``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
For example, instead of
``jwt.decode(encoded, key, algorithms=["HS256"], options={"require_exp": True})``,
use
``jwt.decode(encoded, key, algorithms=["HS256"], options={"require": ["exp"]})``.
Added
~~~~~
Introduce better experience for JWKs
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Introduce ``PyJWK``, ``PyJWKSet``, and ``PyJWKClient``.
.. code:: python

    import jwt
    from jwt import PyJWKClient

    token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik5FRTFRVVJCT1RNNE16STVSa0ZETlRZeE9UVTFNRGcyT0Rnd1EwVXpNVGsxUWpZeVJrUkZRdyJ9.eyJpc3MiOiJodHRwczovL2Rldi04N2V2eDlydS5hdXRoMC5jb20vIiwic3ViIjoiYVc0Q2NhNzl4UmVMV1V6MGFFMkg2a0QwTzNjWEJWdENAY2xpZW50cyIsImF1ZCI6Imh0dHBzOi8vZXhwZW5zZXMtYXBpIiwiaWF0IjoxNTcyMDA2OTU0LCJleHAiOjE1NzIwMDY5NjQsImF6cCI6ImFXNENjYTc5eFJlTFdVejBhRTJINmtEME8zY1hCVnRDIiwiZ3R5IjoiY2xpZW50LWNyZWRlbnRpYWxzIn0.PUxE7xn52aTCohGiWoSdMBZGiYAHwE5FYie0Y1qUT68IHSTXwXVd6hn02HTah6epvHHVKA2FqcFZ4GGv5VTHEvYpeggiiZMgbxFrmTEY0csL6VNkX1eaJGcuehwQCRBKRLL3zKmA5IKGy5GeUnIbpPHLHDxr-GXvgFzsdsyWlVQvPX2xjeaQ217r2PtxDeqjlf66UYl6oY6AqNS8DH3iryCvIfCcybRZkc_hdy-6ZMoKT6Piijvk_aXdm7-QQqKJFHLuEqrVSOuBqqiNfVrG27QzAPuPOxvfXTVLXL2jek5meH6n-VWgrBdoMFH93QEszEDowDAEhQPHVs0xj7SIzA"
    kid = "NEE1QURBOTM4MzI5RkFDNTYxOTU1MDg2ODgwQ0UzMTk1QjYyRkRFQw"
    url = "https://dev-87evx9ru.auth0.com/.well-known/jwks.json"

    # Fetch the JWKS document and pick the key whose "kid" matches the token header.
    jwks_client = PyJWKClient(url)
    signing_key = jwks_client.get_signing_key_from_jwt(token)

    data = jwt.decode(
        token,
        signing_key.key,
        algorithms=["RS256"],
        audience="https://expenses-api",
        # The sample token's "exp" claim is in the past, so expiry checking
        # is switched off here only to let the demo token decode.
        options={"verify_exp": False},
    )
    print(data)

Support for JWKs containing ECDSA keys
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Add support for Ed25519 / EdDSA
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Pull Requests
~~~~~~~~~~~~~
- Add PyPy3 to the test matrix
- Require tweak
- Decode return type is dict[str, Any]
- Fix linter error in test\_cli
- Run mypy with tox
- Document (and prefer) pyjwt[crypto] req format
- Correct type for json\_encoder argument
- Prefer https:// links where available
- Pass python\_requires argument to setuptools
- Rename [wheel] section to [bdist\_wheel] as the former is legacy
- Remove setup.py test command in favor of pytest and tox
- Fix mypy errors
- DX Tweaks
- Add support of python 3.8
- Fix 406
- Add support for Ed25519 / EdDSA, with unit tests
- Remove Python 2.7 compatibility
- Fix simple typo: encododed -> encoded
- Enhance tracebacks.
- Simplify ``python_requires``
- Document top-level .encode and .decode
- Improve documentation for audience usage
- Correct README on how to run tests locally
- Fix ``tox -e lint`` warnings and errors
- Run pyupgrade across project to use modern Python 3 conventions
- Add Python-3-only trove classifier and remove "universal" from wheel
- Emit warnings about user code, not pyjwt code
- Move setup information to declarative setup.cfg
- CLI options for verifying audience and issuer
- Specify the target Python version for mypy
- Remove unnecessary compatibility shims for Python 2
- Setup GH Actions
- Implementation of ECAlgorithm.from\_jwk
- Remove cli entry point
- Expose InvalidKeyError on jwt module
- Avoid loading token twice in pyjwt.decode
- Default links to stable version of documentation
- Update README.md badges
- Introduce better experience for JWKs
- Fix tox conditional extras
- Return tokens as string not bytes
- Drop support for legacy contrib algorithms
- Drop deprecation warnings
- Update Auth0 sponsorship link
- Update return type for jwt.encode
- Run tests against Python 3.9 and add trove classifier
- Removed redundant ``default_backend()``
- Documents how to use private keys with passphrases
- Update version to 2.0.0a1
- Fix usage example
- add EdDSA to docs
- Remove support for EOL Python 3.5
- Upgrade to isort 5 and adjust configurations
- Remove unused argument "verify" from PyJWS.decode()
- Update typing syntax and usage for Python 3.6+
- Run pyupgrade to simplify code and use Python 3.6 syntax
- Drop unknown pytest config option: strict
- Upgrade black version and usage
- Remove "Command line" sections from docs
- Use existing key\_path() utility function throughout tests
- Replace force\_bytes()/force\_unicode() in tests with literals
- Remove unnecessary Unicode decoding before json.loads()
- Remove unnecessary force\_bytes() calls prior to base64url\_decode()
- Remove deprecated arguments from docs
- Update code blocks in docs
- Refactor jwt/jwks\_client.py without requests dependency
- Tighten bytes/str boundaries and remove unnecessary coercing
- Replace codecs.open() with builtin open()
- Replace int\_from\_bytes() with builtin int.from\_bytes()
- Enforce .encode() return type using mypy
- Prefer direct indexing over options.get()
- Cleanup "noqa" comments
- Replace merge\_dict() with builtin dict unpacking generalizations
- Do not mutate the input payload in PyJWT.encode()
- Use direct indexing in PyJWKClient.get\_signing\_key\_from\_jwt()
- Split PyJWT/PyJWS classes to tighten type interfaces
- Simplify mocked\_response test utility function
- Autoupdate pre-commit hooks and apply them
- Remove unused argument "payload" from PyJWS.\_verify\_signature()
- Add utility functions to assist test skipping
- Type hint jwt.utils module
- Prefer ModuleNotFoundError over ImportError
- Fix tox "manifest" environment to pass
- Fix tox "docs" environment to pass
- Simplify black configuration to be closer to upstream defaults
- Use generator expressions
- Simplify from\_base64url\_uint()
- Drop lint environment from GitHub actions in favor of pre-commit.ci
- [pre-commit.ci] pre-commit autoupdate
- Simplify tox configuration
- Combine identical test functions using pytest.mark.parametrize()
- Complete type hinting of jwks\_client.py
Maintenance:
-Fix: correct positioning of search match highlight
-Improve album loading in artist view (#446)
-Fix display of PlayNext command (#445)
-More resilient playlist track deletion (f2bcfca)
-Remove plain-text credential store (#447)
Features:
-Clear search term when ESC is pressed (#384)
-Loop mode is now editable via MPRIS (#437)
-Persist sorting orders for playlists (#436)
-Persist volume and shuffle/repeat state across app restarts (#438)
-Persist track queue across app restarts (#438)
-Add config values to override shuffle/repeat state
-Previously these were set in the [saved_state] section of the configuration.
They can now be set using shuffle and repeat in the configuration's main
section. See the README for details.
-Implement cover drawing as optional feature (#451)
0.20.1
This is essentially 0.20.0, but with a fix for a problem that caused 0.20.0 to
fail for some builds.
Fixed:
-Fix flaky tree --all test from meain
0.20.0
Added:
-Add support for changing the string between icon and name from
Finn Hediger #363
-Add support for TIME_STYLE environment variable from 999eagle
-Add man page from edneville
Changed:
-Not showing . and .. when --tree with --all from zwpaper #477
Fixed:
-Fix handling blocks passed without -l in cli from meain
-Fix sorting of . and .. when used with folder from meain
-Fix arg parsing for flags that allow multiple values from meain
-Fix tests involving config file for sorting from meain
Update php-memcache to 8.0. This is now for php80.
8.0.0 (2020-12-06)
- Version 8.x supports PHP 8.x
- Version 4.x supports PHP 7.0-7.4.
- Version 4.x is considered to be stable for production usage.
- Support for PHP 5.x has been removed, please use memcache extension
ver. 3.x
- Special thanks to Frantisek Drojak - thesource93 (github) and Zaffy
(github) for making this happen