* For ccid, etoken* drivers remove polling loop, review the force_poll
configuration option, this reduces power consumption and CPU load.
* Fix some issues caused by newer udev version.
* Handle T1 abort better.
* Some build system fixes.
* Some minor fixes.
* Re-add api documentation (pre-generated), like we used to.
http://www.opensc-project.org/pipermail/opensc-announce/2009-May/000025.html
New in 0.11.8; 2009-05-07;
* Fix security problem in pkcs11-tool gen_keypair (PublicExponent 1)
* fix compiling without openssl.
* updated and improve entersafe driver. FTCOS/PK-01C cards are supported
now, compatible with cards writen by Feitian's software on windows.
Pkgsrc changes:
- Adjust dependencies
- Whitespace fix in Makefile to placate pkglint
Upstream changes:
version 0.007; 2009-04-22
* in XS code, use the correct "PREINIT:" instead of "INIT:" to introduce
variable declarations
* test Uklblowfish with long keys
version 0.006; 2009-04-21
* in C::E::Family, new method "as_class" to work around Crypt::CBC
brain damage
* use simpler "parent" pragma in place of "base"
* in documentation, use the term "truth value" instead of the less
precise "boolean"
* drop prototypes from method subs (where the prototypes have no effect)
* in C::E::Family, abandon use of the "fields" module
* add casts for pointer target signedness to avoid compiler warnings
* use full stricture in Build.PL
* Version 2.6.6 (released 2009-04-30)
libgnutls: Corrected double free on signature verification failure.
Reported by Miroslav Kratochvil. See the advisory
for more details. [GNUTLS-SA-2009-1] [CVE-2009-1415]
libgnutls: Fix DSA key generation.
Noticed when investigating the previous GNUTLS-SA-2009-1 problem. All
DSA keys generated using GnuTLS 2.6.x are corrupt. See the advisory
for more details. [GNUTLS-SA-2009-2] [CVE-2009-1416]
libgnutls: Check expiration/activation time on untrusted certificates.
Reported by Romain Francoise. Before the
library did not check activation/expiration times on certificates, and
was documented as not doing so. We have realized that many
applications that use libgnutls, including gnutls-cli, fail to perform
proper checks. Implementing similar logic in all applications leads
to code duplication. Hence, we decided to check whether the current
time (as reported by the time function) is within the
activation/expiration period of certificates when verifying untrusted
certificates.
This changes the semantics of gnutls_x509_crt_list_verify, which in
turn is used by gnutls_certificate_verify_peers and
gnutls_certificate_verify_peers2. We add two new
gnutls_certificate_status_t codes for reporting the new error
condition, GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED. We also
add a new gnutls_certificate_verify_flags flag,
GNUTLS_VERIFY_DISABLE_TIME_CHECKS, that can be used to disable the new
behaviour.
API and ABI modifications:
gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times.
gnutls_certificate_verify_peers: Likewise.
gnutls_certificate_verify_peers2: Likewise.
GNUTLS_CERT_NOT_ACTIVATED: ADDED.
GNUTLS_CERT_EXPIRED: ADDED.
GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED.
Changelog:
pcsc-lite-1.5.3: Ludovic Rousseau
- SCardEstablishContext(): check we do not reuse an already allocated
hContext
Thanks to Daniel Nobs for the bug report and patch
- pcsclite.h: add missing SCARD_E_* and SCARD_W_* return code. They are
unused by pcsc-lite but defined on Windows
- reader.h: add PIN_PROPERTIES_STRUCTURE structure and
FEATURE_IFD_PIN_PROPERTIES
Thanks to Martin Paljak for the patch
- remove powermgt_macosx.c since it is using APSL version 1.1 instead of
the BSD-like licence like the other files
Thanks to Stanislav Brabec for the bug report
- avoid a possible crash due to a race condition
Thanks to Matheus Ribeiro for the patch
- change default log level from PCSC_LOG_INFO to PCSC_LOG_ERROR to limit
syslog pollution
- CardDisconnect(): call RFUnlockAllSharing() instead of
RFUnlockSharing() to release all nested locks. The problem occurs if
SCardBeginTransaction() are made without corresponding
SCardEndTransaction(). OpenSC "pkcs11-tool -I" exhibits such a
behavior.
Thanks to Marc Rios Valles for the bug report
- some other minor improvements and bug corrections
Packages Collection.
The netpgp command can digitally sign files and verify that the
signatures attached to files were signed by a given user identifier.
netpgp can also encrypt files using the public or private keys of
users and, in the same manner, decrypt files which were encrypted.
The netpgp utility can also be used to generate a new key-pair for a
user. This key is in two parts, the public key (which can be used by
other people) and a private key.
In addition to these primary uses, the third way of using netpgp is to
maintain keyrings. Keyrings are collections of public keys belonging
to other users. By using other means of identification, it is
possible to establish the bona fides of other users. Once trust has
been established, the public key of the other user will be signed.
The other user's public key can be added to our keyring. The other
user will add our public key to their keyring.
This software is built on top of openpgpsdk 0.9.1, but provides a
higher-level interface, is autoconf-ed and libtool-ed, and has had
some significant bugs fixed.
* Version 2.6.5 (released 2009-04-11)
** libgnutls: Added %SSL3_RECORD_VERSION priority string that allows to
specify the client hello message record version. Used to overcome buggy
TLS servers. Report by Martin von Gagern.
** GnuTLS no longer uses the libtasn1-config script to find libtasn1.
Libtasn1 0.3.4 or later is required. This is to align with the
upcoming libtasn1 v2.0 release that doesn't have a libtasn1-script.
** API and ABI modifications:
No changes since last version.
Version 2.1 (released 2009-04-17)
- Fix compilation failure on platforms that can't generate empty archives,
e.g., Mac OS X. Reported by David Reiser <dbreiser@gmail.com>.
Version 2.0 (released 2009-04-13)
- Optimized tree generation.
- ASN1 parser code re-generated using Bison 2.4.1.
- Build with more warning flags. Many compiler warnings fixed.
- Compiled with -fvisibility=hidden by default if supported.
See http://gcc.gnu.org/wiki/Visibility
- The libtasn1-config tool has been removed.
For application developers, please stop using libtasn1-config for
finding libtasn1, use proper autoconf checks or pkg-config instead.
For users that need a libtasn1 that provides a libtasn1-config
script (for use with older applications), use libtasn1 v1.x instead.
Version 1.x is still supported.
changes:
-DBus now automatically starts the gnome-keyring service properly
-Initialize daemon with LOGNAME and USERNAME environment variables
-Add DBus method for getting the gnome-keyring environment variables
-misc fixes
- updating package to 1.24
Upstream changes:
v1.24 2009.04.01
- add verify hostname scheme ftp, same as http
- renew test certificates again (root CA expired, now valid for 10 years)
- removed packages p5-IO-Compress-Base, p5-IO-Compress-Zlib,
p5-IO-Compress-Bzip2 and p5-Compress-Zlib because they are
merged into p5-IO-Compress
- Updated dependend packages to depend on p5-IO-Compress
and bump PKGREVISION
Upstream changes:
2.017 30 March 2009
* Merged IO-Compress-Base, IO-Compress-Bzip2, IO-Compress-Zlib &
Compress-Zlib into IO-Compress.
* The interface to Compress-Raw-Zlib now uses the new LimitOutput
feature. This will make all of the zlib-related IO-Compress modules
less greedy in their memory consumption.
* Removed MAN3PODS from Makefile.PL
* A few changes to get the test harness to work on VMS courtesy of
Craig. A. Berry.
* IO::Compress::Base & IO::Uncompress::Base
Downgraded some croaks in the constructors to just set $! (by letting
the code attempt to open a file and fail).
This makes the behavior more consistent to a standard open.
[RT #42657]
* IO::Uncompress::Base
Doing a seek with MultiStream could drop some of the uncompressed
data. Fixed.
* IO::Compress::Zip
- Fixed problem with the uncompressed & uncompressed fields when
zip64 is enabled. They were set to 0x0000FFFF instead of
0xFFFFFFFF. Also the ZIP64 extra field was 4 bytes short.
Problem spotted by Dino Chiesa.
* IO::Uncompress::Unzip
- use POSIX::mktime instead of Time::Local::timelocal to convert
the zip DOS time field into Unix time.
* Compress::Zlib
- Documented Compress::Zlib::zlib_version()
From distribution NEWS file:
Many fixes and improvements to the ID-WSF 1 support, new API to load SSL keys
off memory, documentation for ID-WSF methods, general robustness and memory
leak fixes.
- Added a "lookaside" mode to cvm-qmail, to assist with proper chaining
to cvm-vmailmgr or other modules.
- Fixed failure in cvm-qmail when virtualdomains did not exist.
- Fixed client.h symlink to point to v2client.h to match the library.
- Fixed cvm-vmailmgr to fail with OUTOFSCOPE=1 when the virtual password
table file does not exist, instead of failing with an I/O error.
This should improve its ability to chain with other modules.
- Added cvm-sqlite from Wayne Marshall
Changes between 0.9.8j and 0.9.8k [25 Mar 2009]
*) Don't set val to NULL when freeing up structures, it is freed up by
underlying code. If sizeof(void *) > sizeof(long) this can result in
zeroing past the valid field. (CVE-2009-0789)
*) Fix bug where return value of CMS_SignerInfo_verify_content() was not
checked correctly. This would allow some invalid signed attributes to
appear to verify correctly. (CVE-2009-0591)
*) Reject UniversalString and BMPString types with invalid lengths. This
prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
a legal length. (CVE-2009-0590)
*) Set S/MIME signing as the default purpose rather than setting it
unconditionally. This allows applications to override it at the store
level.
*) Permit restricted recursion of ASN1 strings. This is needed in practice
to handle some structures.
*) Improve efficiency of mem_gets: don't search whole buffer each time
for a '\n'
*) New -hex option for openssl rand.
*) Print out UTF8String and NumericString when parsing ASN1.
*) Support NumericString type for name components.
*) Allow CC in the environment to override the automatically chosen
compiler. Note that nothing is done to ensure flags work with the
chosen compiler.
mk/dlopen.buildlink3.mk until very late in the proceedings. Fixes build on
Linux. No PKGREVISION bump required, no functional change on platforms where
the build completed.
Addresses PR pkg/41080.
Ok'd by wiz@
This changes the buildlink3.mk files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of
enter/exit marker, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.
1.3.10:
- add support for MSI StarReader SMART, Noname reader (from
Omnikey), Xiring Xi Sign PKI, Realtek 43 in 1 + Sim + Smart Card
Reader, Atmel AT98SC032CT, Aktiv Rutoken Magistra, TianYu CCID
SmartKey, Precise Biometrics 200 MC and 250 MC
- add a patch to support the bogus OpenPGP card (on board key
generation sometimes timed out)
- disable support of the contactless part of SDI010 and SCR331DI
(this code was reverse engineered and hard to maintain)
- some minor bugs removed
1.3.9:
- add support for Aladdin eToken PRO USB 72K Java, Cherry
SmartTerminal ST-1200USB, Atmel AT91SO, SpringCard Prox'N'Roll,
CSB6 Basic, EasyFinger Ultimate, CSB6 Ultimate, EasyFinger
Standard, CrazyWriter, CSB6 Secure, KONA USB SmartCard, HP MFP
Smart Card Reader, ACS ACR122U PICC, Gemalto PDT, VMware Virtual
USB CCID
- MacOSX/configure: do not overwrite PCSC_CFLAGS, PCSC_LIBS,
LIBUSB_CFLAGS and LIBUSB_LIBS if already defined by the user
- by default, link statically against libusb on Mac OS X
- IFDHPowerICC(): use a very long timeout for PowerUp since the card
can be very slow to send the full ATR (up to 30 seconds at 4 MHz)
- SecurePINVerify(): correct a bug when using a Case 1 APDU and a
SCM SPR532 reader
- log the reader name instead of just the pcscd Lun
- some minor bugs removed
pcsc-lite-1.5.2:
- SCardGetStatusChange(): return if the state of the reader changed
since the previous call. Thanks to Thomas Harning for the patch
- SCardCancel() no works as expected. It got broken in version 1.5.0.
Closes: [#311342] SCardCancel does not cancel an outstanding
SCardGetStatusChange
- log TxBuffer and RxBuffer if the SCardControl() command failed.
Closes: [#311376] PCSC_LOG_VERBOSE via -dd; print details of "Card not
transacted"
- add a mutex to avoid a race condition
Closes: [#311377] Race condition in SCardBeginTransaction
- SCardGetStatusChange() may not return if the reader was removed.
- some other minor improvements and bug corrections
pcsc-lite-1.5.1:
- Extended APDU of more than 2048 bytes were corrupted. The problem was
introduced in version 1.3.3 (2 years ago) by making the code compile
with Sun Studio 11.
Thanks to Eric Mounier for the patch
- some other minor improvements and bug corrections
pcsc-lite-1.5.0:
- correctly handle up to PCSCLITE_MAX_READERS_CONTEXTS readers (instead
of PCSCLITE_MAX_READERS_CONTEXTS-1)
- SCardGetStatusChange()
. now returns SCARD_E_TIMEOUT instead of SCARD_S_SUCCESS if dwTimeout
== 0 (conform to Windows XP)
. add support of reader name \\?PnP?\Notification to detect reader
insertion/removal (conform to Windows XP)
. if a reader disappear also set SCARD_STATE_UNAVAILABLE in
dwEventState (more conform to Windows XP)
- SCardStatus(): add support of SCARD_AUTOALLOCATE for pcchReaderLen and
pcbAtrLen
- SCardGetStatusChange() now uses asynchronous events instead of polling
- more and/or better Doxygen documentation
- SCardTransmit(): correctly pass the pioRecvPci parameter
- SCardConnect() and SCardReconnect(): correct a bug when two
applications were calling SCardConnect() or SCardReconnect() at the
exact same time
- pcscd logs the command name sent by the application (when in debug mode)
- some other minor improvements and bug corrections
pkgsrc changes:
* add net/avahi dependency to enable key sharing support
Changes between 2.24.0 and 2.26.0:
==================================
* Searching by key identifiers now shows results.
* Disable interactive tree search in key manager.
* Add libcryptui documentation.
* Remove use of GTK+ deprecated symbols.
* Allow creation and deletion of keyrings from main GUI.
* Only autostart seahorse-daemon when key sharing is enabled.
* seahorse-daemon registers with session manager properly.
* Remove bits of libcryptui that are now handled by the gcr library
from gnome-keyring.
* Tons of other fixes and changes.
Changes between 2.24.0 and 2.26.0:
==================================
* Refactor PKI code to make it modular, loosely coupled and easier
to hack and test.
* Add standard widgets for display of certificates.
* If login keyring doesn't exist when changing a PAM password,
don't create it automatically.
* Overhaul the secure memory allocator to have memory guards,
be valgrind compatible, and also be sparing with secure memory.
* When importing keys, prompt to initialize new PKCS#11 tokens.
* Fix export of RSA keys to be more interoperable.
* Make the gp11 library multi-thread safe.
* Rework initialization of daemon, and the way that it
integrates with the new session manager.
* Close open file descriptors before starting daemon from PAM.
* Don't leave keyring daemon running if PAM just started it
for a password change.
* Register environment variables with session properly.
* Remove usage of deprecated glib/gtk stuff.
* Hundreds of other smaller changes and fixes.
* Fixed PDF XSS issue where a non-GET request for a PDF file would crash the
Apache httpd process. Discovered by Steve Grubb at Red Hat.
* Removed an invalid "Internal error: Issuing "%s" for unspecified error."
message that was logged when denying with nolog/noauditlog set and
causing the request to be audited.
* Fixed parsing multipart content with a missing part header name which
would crash Apache. Discovered by "Internet Security Auditors"
(isecauditors.com).
* Added ability to specify the config script directly using --with-apr
and --with-apu.
* Updated copyright year to 2009.
* Added macro expansion for append/prepend action.
* Fixed race condition in concurrent updates of persistent counters. Updates
are now atomic.
* Cleaned up build, adding an option for verbose configure output and making
the mlogc build more portable.
config file or command line and will pass any function call by openssl to a
PKCS#11 module.
Engine_pkcs11 is meant to be used with smart cards and software for using
smart cards in PKCS#11 format, such as OpenSC. Originaly this engine was a
part of OpenSC, until OpenSC was split into several small projects for
improved flexibility.
on some platforms that lacked shared library support in the past. The
list hasn't been maintained at all and the gain is very limited, so just
get rid of it.
Alliance standards: ID-FF, ID-WSF and SAML. It defines processes for
federated identities, single sign-on and related protocols. Lasso is
built on top of libxml2, XMLSec and OpenSSL and is GPL licensed.
This package provides python bindings for Lasso.
Alliance standards: ID-FF, ID-WSF and SAML. It defines processes for
federated identities, single sign-on and related protocols. Lasso is
built on top of libxml2, XMLSec and OpenSSL and is GPL licensed.
* hide_empty_slots now on by default.
* pinpad supported fixed for Mac OS X.
* ruToken driver was updated.
* openct virtual readers reduced to 2 by default.
* link with iconv on Mac OS X for i18n support.
* Security issue: Fix private data support. [CVE-2009-0368]
* Enable lock_login by default.
* Disable allow_soft_keygen by default.
Its main focus is on cards that support cryptographic operations, and
facilitate their use in security applications such as mail encryption,
authentication, and digital signature. OpenSC implements the PKCS#11 API
so applications supporting this API such as Mozilla Firefox and Thunderbird
can use it. OpenSC implements the PKCS#15 standard and aims to be compatible
with every software that does so, too.
format for PC/SC-Lite, as CT-API driver, or as a small and lean middleware,
so applications can use it with minimal overhead. OpenCT also has a primitive
mechanism to export smart card readers to remote machines via TCP/IP.
Update dependency to security/p5-Net-SSLeay to 1.33 as notes in modules
META.yml
Upstream Changes:
v1.23 2009.02.23
- if neither SSL_ca_file nor SSL_ca_path are known (e.g not given and the
default values have no existing file|path) disable checking of
certificates, but carp about the problem
- new test certificates, the old ones expired and caused tests to fail
0.12
Made Cyrus.xs more compatible with Perl API by changing function calls
like Perl_warn() to just warn(), and defining PERL_NO_GET_CONTEXT.
Made SASL properties which take an IP address and load it into the SASL
library more robust by determining if the passed address is in
"struct sockaddr" format or in "IP1.IP2.IP3.IP4;PORT" format.
Fixed passing of "function + params" as a callback.
0.11
Fixed t/callback.t to NOT try connecting to the LDAP server
on localhost since that, well, doesn't work at Pause.
0.10
Added better callback management, Perl memory management,
and three test scripts, as written by Ulrich Pfeifer.
0.09
Changed securesocket GLOB, as suggested by Marius Tomaschewski.
Extended SASL2 support.
0.08
Changed the "code" routine to return the result code of the
last SASL library call. This allows differentiation of the
result of the client_step returning a zero byte string vs.
it saying authentication is complete.
Pkgsrc changes:
o Adjust dependencies according to module requirements (added p5-Crypt-IDEA)
Upstream changes:
1.34 2009.02.01
- Rekey properly after 1 GB of data (rt.cpan.org #25044). Patch by
Peter Oliver.
- Don't try to process nonexistent or empty auth file (rt.cpan.org #41877).
- Fix typo in croak message (rt.cpan.org #42056), thanks to
jamie at audible.transient.net.
- Move 'use base' call after Crypt module loading, per suggestion
(rt.cpan.org #42051).
- Only apply stdin if defined in SSH1 - John Payne (rt.cpan.org #42583)
v1.22 2009.01.24
- Net::SSLeay stores verify callbacks inside hash and never clears them, so
set verify callback to NULL in destroy of context
v1.21 2009.01.22
- auto verification of name in certificate created circular reference between
SSL and CTX object with the verify_callback, which caused the objects to be
destroyed only at program end. Fix it be no longer access $self from inside
the callback.
Thanks to odenbach[AT]uni-paderborn[DOT]de for reporting
v1.20 2009.01.15
- only changes on test suite to make it ready for win32
(tested with strawberry perl 5.8.8)
* Version 2.6.4 (released 2009-02-06)
** libgnutls: Accept chains where intermediary certs are trusted.
Before GnuTLS needed to validate the entire chain back to a
self-signed certificate. GnuTLS will now stop looking when it has
found an intermediary trusted certificate. The new behaviour is
useful when chains, for example, contains a top-level CA, an
intermediary CA signed using RSA-MD5, and an end-entity certificate.
To avoid chain validation errors due to the RSA-MD5 cert, you can
explicitly add the intermediary RSA-MD5 cert to your trusted certs.
The signature on trusted certificates are not checked, so the chain
has a chance to validate correctly. Reported by "Douglas E. Engert"
<deengert@anl.gov> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3351>.
** libgnutls: result_size in gnutls_hex_encode now holds
the size of the result. Report by John Brooks <special@dereferenced.net>.
** libgnutls: gnutls_handshake when sending client hello during a
rehandshake, will not offer a version number larger than the current.
Reported by Tristan Hill <stan@saticed.me.uk>.
** libgnutls: Permit V1 Certificate Authorities properly.
Before they were mistakenly rejected even though
GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT and/or
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT were supplied. Reported by
"Douglas E. Engert" <deengert@anl.gov> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3351>.
** libgnutls: deprecate X.509 validation chains using MD5 and MD2 signatures.
This is a bugfix -- the previous attempt to do this from internal x509
certificate verification procedures did not return the correct value
for certificates using a weak hash. Reported by Daniel Kahn Gillmor
<dkg@fifthhorseman.net> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3332>,
debugged and patch by Tomas Mraz <tmraz@redhat.com> and Daniel Kahn
Gillmor <dkg@fifthhorseman.net>.
** libgnutls: Fix compile error with Sun CC.
Reported by Jeff Cai <jeff.cai@sun.com> in
<https://savannah.gnu.org/support/?106549>.
The pam_mkhomedir module provides the means for automatic creation of
home directories upon login, if necessary. Key Benefits are:
* Uses the Pluggable Authentication Module API defined in OSF DCE RFC 86.0.
* Removes the need to pre-create user home directories.
The software is distributed under the terms of the 2.5-clause BSD license.
The pam_mkhomedir module provides the means for automatic creation of
home directories upon login, if necessary. Key Benefits are:
* Uses the Pluggable Authentication Module API defined in OSF DCE RFC 86.0.
* Removes the need to pre-create user home directories.
The software is distributed under the terms of the 2.5-clause BSD license.