Packaged for wip by Jonathan Schleifer.
PKCS#5 v2.0 PBKDF2 Module
This module implements the password-based key derivation function, PBKDF2,
specified in RSA PKCS#5 v2.0.
Packaged for wip by Neil Booth.
Implementation of AES in pure Python.
As such it will be slow (hence the project name) but still useful when
faster ones are not available (for example, for JavaScript clients in
browsers, and Python servers on Google App Engine).
1.5 - 2016-08-26
~~~~~~~~~~~~~~~~
* Added
:func:`~cryptography.hazmat.primitives.asymmetric.padding.calculate_max_pss_salt_length`.
* Added "one shot"
:meth:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey.sign`
and
:meth:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey.verify`
methods to DSA keys.
* Added "one shot"
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign`
and
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.verify`
methods to ECDSA keys.
* Switched back to the older callback model on Python 3.5 in order to mitigate
the locking callback problem with OpenSSL <1.1.0.
* :class:`~cryptography.x509.CertificateBuilder`,
:class:`~cryptography.x509.CertificateRevocationListBuilder`, and
:class:`~cryptography.x509.RevokedCertificateBuilder` now accept timezone
aware ``datetime`` objects as method arguments
* ``cryptography`` now supports OpenSSL 1.1.0 as a compilation target.
v2.20, 30.03.2016
- made passing a custom padding method possible without specifying a cipher before
- added verifying correct truncation of custom padding methods
- added verifying padded bytes when truncating (for standard and zeroes padding)
- added testing encrypt_hex and decrypt_hex function style
- added testing start-crypt-finish
- added testing usage of pre-existing cipher objects
- updated eg/ecb.pl to recognize cipher modules in the Crypt::OpenSSL namespace
- added option to eg/ecb.pl to print the Crypt::ECB version used
- changed license again, to GPL or Artistic
Update stunnel to 5.35.
- Add patch to provide an explicit chroot option to the default
configuration sample (option is documented but not found within
the default conf file). While here, enable setuid/setgid as
stunnel user/group creations are handled by package.
- Rework SUBSTs so that they apply to the correct sample
config file.
Changelog:
Version 5.35, 2016.07.18, urgency: HIGH
* Bugfixes
- Fixed incorrectly enforced client certificate requests.
- Only default to SO_EXCLUSIVEADDRUSE on Vista and later.
- Fixed thread safety of the configuration file reopening.
Version 5.34, 2016.07.05, urgency: HIGH
* Security bugfixes
- Fixed malfunctioning "verify = 4".
* New features
- Bind sockets with SO_EXCLUSIVEADDRUSE on WIN32.
- Added three new service-level options: requireCert, verifyChain,
and verifyPeer for fine-grained certificate verification control.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
Version 5.33, 2016.06.23, urgency: HIGH
* New features
- Improved memory leak detection performance and accuracy.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
- SNI support also enabled on OpenSSL 0.9.8f and later (thx to
Guillermo Rodriguez Garcia).
- Added support for PKCS #12 (.p12/.pfx) certificates (thx to
Dmitry Bakshaev).
* Bugfixes
- Fixed a TLS session caching memory leak (thx to Richard Kraemer).
Before stunnel 5.27 this leak only emerged with sessiond enabled.
- Yet another WinCE socket fix (thx to Richard Kraemer).
- Fixed passphrase/pin dialogs in tstunnel.exe.
- Fixed a FORK threading build regression bug.
- OPENSSL_NO_DH compilation fix (thx to Brian Lin).
+ bring over change from christos in src/crypto to check for
the end of an ASCII-armored signature
+ no need for namespace protection in array.h any more, now
that netpgp/verify.h now contains opaque structures
+ minor typo clean-up in a definition (benign, ignored by compiler)
signing-party (2.4-1) unstable; urgency=medium
* caff, gpg-key2latex, gpgsigs: Ignore "KEY_CONSIDERED" status output
emitted by gpg 2.1.13 and later.
* caff, gpgsigs: Allow input produced by gpgparticipants(1) using gpg
2.1.13. With this version, key IDs are not displayed by default and the
"Key fingerprint = " prefix is omitted.
* caff:
+ Fix GnuPG version number comparison.
+ With GnuPG 2.1.13 or later, use gpgconf(1) to determine the socket
paths. (It is not used on earlier gpg since earlier gpgconf do not
support --homedir.) This fixes compatibility with GnuPG 2.1.13.
(Closes: #834984)
+ When ~/.caff/gnupghome/gpg.conf does not exist, instead of creating a
temporary file (as it's done since signing-party 2.3), parse
~/.gnup/gpg.conf and pass the GnuPG options that are known to be safe
(and useful) for caff to gpg(1) using command line options. This soves
the problem of lingering configuration files in case caff is killed.
+ Use full fingerprints internally to avoid collisions. (However
$CONFIG{'keyid'} and $CONFIG{'local-users'} are kept to 64-bits key IDs
as per RFC 4880 full fingerprints are not available in key signatures,
and thus not exposed by `gpg --with-colons --list-sigs`.)
+ Automatically import the $CONFIG{'also-encrypt-to'} from the normal
GnuPGHOME when possible.
* d/source.lintian-overrides: Add 'debian-watch-file-is-missing' as we're
upstream.
* d/control: Remove Franck Joncourt from the Uploaders list per request of
the MIA team. (Closes: #831321)
-- Guilhem Moulin <guilhem@guilhem.org> Mon, 22 Aug 2016 00:19:48 +0200
Noteworthy changes in version 1.3.5 (2016-08-22) [C19/A11/R6]
------------------------------------------------
* Limit the allowed size of complex ASN.1 objects (e.g. certificates)
to 16MiB.
* Avoid read access to unitialized memory.
* Improve detection of invalid RDNs.
* Encode the OCSP nonce value as an octet string as described by
RFC-6960.
hitch-1.3.1 (2016-08-16)
- Fixes a bug in the autotools configuration which led to man
pages not being built.
hitch-1.3.0 (2016-08-16)
- Fix a bug where we crashed in the OCSP handling if there was no
default SSLCTX configured.
- Minor documentation fix.
hitch-1.3.0-beta3 (2016-07-26)
- Fully automated retrieval and refreshes of OCSP responses (see
configuration.md for details).
- New parameters ocsp-dir, ocsp-resp-tmo and ocsp-connect-tmo.
- Cleanup of various log messages.
- Verification of OCSP staples. Enabled by setting
ocsp-verify-staple = on.
- Make rst2man an optional requirement (#93). Thanks to Barry
Allard.
- Avoid stapling expired OCSP responses
- A few fixes to the shared cache updating code. Thanks to Piyush
Dewnani
hitch-1.3.0-beta2 (2016-05-31)
- Options given on the command line now take presedence over
configuration file settings. I.e. there is no longer a need to
specify --config first to get this behavior.
- Config file regression: "yes" and "no" are now accepted by the
config file parser as boolean values.
- Documentation improvements and spelling fixes.
- Various minor autotools build fixes.
hitch-1.3.0-beta1 (2016-05-11)
- Support for OCSP stapling (see configuration.md for details)
- Initialize OpenSSL locking callback if an engine is loaded. Some
SSL accelerator cards have their custom SSL engine running in a
multithreaded context. For these to work correctly, Hitch needs
to initialize a set of mutexes utilized by the OpenSSL library.
- #82: A mistake in the SNI lookup code caused us to inspect the
wrong list when looking for wildcard certificate matches.
5.22:
KWallet Framework
* disable seession restore for kwalletd5
5.23:
KWallet Framework
* KWalletd migration: fix error handling, stops the migration from
happening on every single boot.
This package provides an object oriented interface to GNU Privacy Guard
(GnuPG). It requires the GnuPG executable to be on the system.
Though GnuPG can support symmetric-key cryptography, this package is
intended only to facilitate public-key cryptography.
Changes for 2.036 not documented.
2.035 2016/08/11
- fixes for issues introduced in 2.034
- return with error in configure_SSL if context creation failed. This
might otherwise result in an segmentation fault later.
- apply builtin defaults before any (user configurable) global settings
(i.e. done with set_defaults, set_default_context...) so that builtins
don't replace user settings
Thanks to joel[DOT]a[DOT]berger[AT]gmail[DOT]com for reporting
* keychain 2.8.2 (06 Nov 2015)
Summary: Support new ssh features, bug fix release.
Support for new hash algorithms (Ben Boeckel)
Remove bashisms (Daniel Hertz)
Various optimizations (Daniel Hahler)
--timeout option now gets passed to agent, doc fixes (Andrew Bezella, Emil
Lundberg)
RPM, Makefile fixes (Mike Frysinger)
* keychain 2.8.1 (29 May 2015)
Summary: POSIX compatibility and bug fix release.
Only set PATH to a standard value if PATH is not set. Otherwise, do not
modify.
Makefile Cygwin and RPM spec fixes (thanks Luke Bakken and Ricardo Silva)
Confhost fixes. Deprecate in_path. Use command -v instead.
Find_pids: Modify "ps" call to work with non-GNU ps. (Bryan Drewery)
Re-introduce POSIX compatibility (remove shopt.) (vaeth)
* keychain 2.8.0 (21 Mar 2015)
Support for OpenSSH 6.8 fingerprints.
Support for GnuPG 2.1.0.
Handle private keys that are symlinks, even if the associated public key is
in the target directory rather than alongside the symlink.
Allow private keys to have extensions, such as foo.priv. When looking for
matching public keys, look for foo.priv.pub, but also strip extension and
look for foo.pub if foo.priv.pub doesn't exist.
Initial support for --list/-l option to list SSH keys.
Updated docs for fish shell usage.
* keychain 2.7.2_beta1 (07 July 2014)
Various changes and updates:
Fixes for fish from Marc Joliet.
Keychain will default to start only ssh-agent unless GPG is explicitly
updated using --agents.
Write ~/.gpg-agent-info when launching gpg-agent - fix from Thomas Spura.
Add support for injecting agents into systemd (Ben Boeckel)
Add support for --query option (Ben Boeckel)
Add --absolute flag, allowing user to set a full path without getting a
.keychain suffix automatically appended.
Add --confhost option to scan ~/.ssh/config file to locate private key
path specified there.
Changelog:
2016-08-17 Werner Koch <wk@gnupg.org>
Release 1.4.21.
gpg: Add dummy option --with-subkey-fingerprint.
* g10/gpg.c (opts): Add dummy option.
build: Create a swdb file during "make distcheck".
* Makefile.am (distcheck-hook): New.
2016-08-17 Ineiev <ineiev@gnu.org>
po: Update Russian translation.
2016-08-17 Werner Koch <wk@gnupg.org>
random: Hash continuous areas in the csprng pool.
* cipher/random.c (mix_pool): Store the first hash at the end of the
pool.
cipher: Improve readability by using a macro.
* cipher/random.c (mix_pool): Use DIGESTLEN instead of 20.
2016-08-09 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
gpg: Avoid publishing the GnuPG version by default.
* g10/gpg.c (main): initialize opt.emit_version to 0
* doc/gpg.texi: document different default for --emit-version
2016-08-04 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Clean up "allow to"
* README, cipher/cipher.c, cipher/pubkey.c, doc/gpg.texi: replace
"allow to" with clearer text
In standard English, the normal construction is "${XXX} allows ${YYY}
to" -- that is, the subject (${XXX}) of the sentence is allowing the
object (${YYY}) to do something. When the object is missing, the
phrasing sounds awkward, even if the object is implied by context.
There's almost always a better construction that isn't as awkward.
These changes should make the language a bit clearer.
Fix spelling: "occured" should be "occurred"
* checks/armor.test, cipher/des.c, g10/ccid-driver.c, g10/pkclist.c,
util/regcomp.c, util/regex_internal.c: correct the spelling of
"occured" to "occurred"
2016-08-04 NIIBE Yutaka <gniibe@fsij.org>
g10: Fix checking key for signature validation.
* g10/sig-check.c (signature_check2): Not only subkey, but also primary
key should have flags.valid=1.
2016-08-03 Justus Winter <justus@g10code.com>
Partially revert "g10: Fix another race condition for trustdb access."
This amends db246f8b which accidentally included the compiled
translation files.
2016-07-09 NIIBE Yutaka <gniibe@fsij.org>
gpgv: Tweak default options for extra security.
* g10/gpgv.c (main): Set opt.no_sig _cache, so that it doesn't depend on
cached status. Similarly, set opt.flags.require_cross_cert for backsig
validation for subkey signature.
2016-07-06 NIIBE Yutaka <gniibe@fsij.org>
g10: Fix keysize with --expert.
* g10/keygen.c (ask_keysize): It's 768 only for DSA.
2016-06-28 NIIBE Yutaka <gniibe@fsij.org>
g10: Fix --list-packets.
* g10/gpg.c (main): Call set_packet_list_mode after assignment of
opt.list_packets.
* g10/mainproc.c (do_proc_packets): Don't stop processing with
--list-packets as the comment says.
* g10/options.h (list_packets): Fix the comment.
* g10/parse-packet.c: Fix the condition for opt.list_packets.
2016-06-15 Niibe Yutaka <gniibe@fsij.org>
g10: Fix another race condition for trustdb access.
* g10/tdbio.c (create_version_record): Call create_hashtable to always
make hashtable, together with the version record.
(get_trusthashrec): Remove call to create_hashtable.
2016-02-12 NIIBE Yutaka <gniibe@fsij.org>
g10: Make sure to have the directory for trustdb.
* g10/tdbio.c (tdbio_set_dbname): Return earlier if !CREATE. Check
the directory and create it if none before calling take_write_lock.
2016-02-01 Werner Koch <wk@gnupg.org>
Fix possible sign extension problem with newer compilers.
* cipher/des.c (READ_64BIT_DATA): Cast to u32 before shifting by 24.
* cipher/blowfish.c (do_encrypt_block): Ditto.
(do_decrypt_block): Ditto.
* cipher/camellia.c (CAMELLIA_RR8): Ditto.
* cipher/cast5.c (do_encrypt_block): Ditto.
(do_decrypt_block): Ditto.
(do_cast_setkey): Ditto.
* cipher/twofish.c (INPACK): Ditto.
* util/iobuf.c (block_filter): Ditto.
2016-01-26 NIIBE Yutaka <gniibe@fsij.org>
g10: Fix iobuf API of filter function for alignment.
* include/iobuf.h (struct iobuf_struct): Remove DESC.
* util/iobuf.c (iobuf_desc): New.
(print_chain, iobuf_close, iobuf_open, iobuf_fdopen, iobuf_sockopen)
(iobuf_create, iobuf_append, iobuf_openrw, iobuf_ioctl)
(iobuf_push_filter2, pop_filter, underflow): Use iobuf_desc.
(file_filter, sock_filter, block_filter): Fill the description.
* g10/armor.c, g10/cipher.c, g10/compress-bz2.c, g10/compress.c,
g10/encode.c, g10/encr-data.c, g10/mdfilter.c, g10/pipemode.c,
g10/progress.c, g10/textfilter.c: Likewise.
2016-01-15 Werner Koch <wk@gnupg.org>
Fix possible AIX problem with sysconf in rndunix.
* cipher/rndunix.c [HAVE_STDINT_H]: Include stdint.h.
(start_gatherer): Detect misbehaving sysconf.
2016-01-13 NIIBE Yutaka <gniibe@fsij.org>
Fix to support git worktree.
* Makefile.am: Use -e for testing .git.
2015-12-21 NIIBE Yutaka <gniibe@fsij.org>
po: Update Japanese translation.
These are the perl5 bindings for libnetpgpverify.
These bindings allow OpenPGP (RFC 4880), including PGP and GPG, and
SSH signatures on files and data to be verified.
Version 1.0.7
- Use p1_utils 1.0.5
- Do not log warning on sha1 nif reload attempt
Version 1.0.6
- Fix compilation on rebar3
Version 1.0.5
- OpenSSL 1.1.0 compliance
- Use p1_utils 1.0.4
Version 1.0.4
- Better compliance with R17 and R18
extracted from Changelog:
1.8.18: Ludovic Rousseau
10 August 2016
- SCardDisconnect(): much faster with SCARD_UNPOWER_CARD
- SCardConnect(): Fix a possible duplicated hCard context
- Fix compilation on FreeBSD
- Fix compilation on Solaris
- Some other minor improvements
1.8.17: Ludovic Rousseau
29 May 2016
- Fix SCardEndTransaction() issue with a SCARD_SHARE_EXCLUSIVE connection
- Fix an issue when used with systemd (problem in signal handler)
- SCardGetAttrib(): set pcbAttrLen when buffer is too small
- Doxygen: SCardGetAttrib() pbAttr can be NULL
- Doxygen: SCardGetAttrib() *pcbAttrLen contains the buffer size
- fix compilation warnings and link errors on SunOS
- Some other minor improvements
1.8.16: Ludovic Rousseau
20 March 2016
- SCardCancel() was not correctly handled
When a SCardGetStatusChange() was cancelled then a next PC/SC call
after the SCardGetStatusChange() may fail with a strange error code if
the event waited in SCardGetStatusChange() occurs.
- Doxygen: fix different documentation issues
- SCARD_SCOPE_GLOBAL is now defined in a public header (even if never used)
- Enable Trace and Profile features using compiler flags and without
modifying the source code
- Some other minor improvements and bug corrections
1.8.15: Ludovic Rousseau
25 December 2015
- Add support of remove and/or customize PC/SC reader names using
PCSCLITE_FILTER_IGNORE_READER_NAMES and PCSCLITE_FILTER_EXTEND_READER_NAMES
See http://ludovicrousseau.blogspot.fr/2015/12/remove-andor-customize-pcsc-reader-names.html
- Some other minor improvements and bug corrections
Upstream changes:
0.05 2015-11-14 NEILB
- Updated github repo URL after changing my github username
- Added [MetaJSON] to dist.ini so META.json is included in releases
- Doc: changed usage of "local $^W" to "no warnings 'redefine'"
- Fixed a couple of typos in the doc
- Dropped usage of "use vars"
- Module didn't have the required final "1;" or equivalent.
Was only by luck it had been.
------------------------------------------
2.034 2016/08/08
- move handling of global SSL arguments into creation of context, so that these
get also applied when creating a context only.
--------------------------------------
0.73 Jun 10, 2016
- Some old perl versions doesn't like Errno constant subs
being called without parents. Add them.
0.72 Jun 9, 2016
- Rerelease as stable.
0.71_03 Mar 16, 2016
- Improve shell detection code.
- Use a timeout to kill external commands not returning
control.
- improve ksh version checking in tests (bug report by jtzako
via PerlMonks)
0.71_02 Mar 11, 2016
- Lighten master socket checks in async mode in order to avoid
blocking and setting custom signal handlers which can
interfere with event-programming frameworks (bug report by
Doug Hoyte).
0.71_01 Jan 20, 2016
- Add entry on the documentation about how to integrate the
module with event-oriented programming frameworks (bug
report by Doug Hoyte, #gh17)
- Use an adaptative delaying algorithm while waiting for the
multiplexing socket to pop up (bug report by Doug Hoyte,
#gh17).
- Improve SIGCHLD handling and interoperability with other
modules setting custom handlers (bug report by Doug Hoyte,
#gh16).
- Drop patch-Makefile.PL, see below at 1.01 Feature item.
(Upsteam)
- Updated devel/p5-Net-DNS-SEC 0.22 to 1.02
-----------------------------------------
**** 1.02 September 16, 2015
Fix: Bug in t/10-keyset.t raises exception in Net::DNS
**** 1.01 August 3, 2015
Feature
The RRs previously implemented in Net::DNS::SEC are now
integrated with Net::DNS.
Fix: rt.cpan.org #105808
Version test for Pod::Test is broken
Fix: rt.cpan.org #105698
Net-DNS 1.01 conflicts with Net-DNS-SEC 0.22
--------------------------------
New in 0.16.0; 2016-05-15
* build
link OpenSSL in static
option: enable PKCS11 thread locking
* configuration
use one configuration file for all systems
* tools:
package revision as version
** pkcs11-tool
keygen mechanism in pkcs11 tools
write GOST public key
fix CKA_SENSITIVE attribute of public keys
** opensc-explorer:
added command find_tags
allow ASN.1 decoding if the file seems incomplete
** pkcs15-tool:
handle record-based files when doing file caching
option to prine raw data
** sc-hsm-tool:
status info support for SmartCard-HSM V2.0
** doc: some missing options are documented, added documentation
for gid tool
* minidriver:
support for ECC
Windows x509 enrollment
first implementation of CardDeleteContainer
MD logs controlled by register and environment variable
* reader-pcsc
fixed unreleased locks with pcsc-lite
honour PC/SC pt 10 dwMaxAPDUDataSize
added call back for getting vendor/product id
restrict access to card handles after fork
SCardGetAttrib is used to initialize reader's metadata
by default only short APDUs supported
* pkcs11
no slot reserved for hot plug
no more slot created 'per-applications'
atomic operation (TODO: expand)
export all C_* symbols
metadata initialized from package info
fix registering pkcs11 mechanisms multiple times
sloppy initialization for C_GetSlotInfo
* pkcs15
cache of on-card files extended to application paths
configuration option to enable/disable application
make file cache dir configurable
in key info data type introduced 'auxiliary data' -- container
for the non-pkc15 data.
* OpenPGP
support for Gnuk -- USB cryptographic token for GNU Privacy Guard
build without OpenSSL
implemented 'erase card'
additional manufacturers
* MyEID
support for 521 bit ECC keys
ATRs for the new cards
* sc-hsm
read/write support in minidriver
* rtecp
delete keys
* GemSafeV1
support for European Patent Office smart card
sign with SHA256
* Gids
first support for Gids smart card
* dnie
* Feitian PKI card
new ATRs
* IsoApplet
(fixes)
* starcos
initial support for STARCOS 3.4 (German D-Trust cards)
* macosx
install tokend to /Library/Security/ instead /System/Library/Security/
fixed locking issue in pcsc reader
* PIV
allow using of cards where default application in not PIV
support for the Yubikey NEO
* italian-CNS
italian-cns reg file for minidriver
1.77 2016-08-01
Fixed incorrect size to memset in tlsext_ticket_key_cb_invoke.
1.76 2016-07-31
Replaced bzero with memset. Bzero not present on windows.
1.75 2016-07-31
Compatibility with OpenSSL 1.1, tested with openssl-1.1.0-pre5:
- Conditionally remove threading locking code, not needed in 1.1
- Rewrite code that accesses inside X509_ATTRIBUTE struct.
- SSL_CTX_need_tmp_RSA, SSL_CTX_set_tmp_rsa,
SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback support
not available in 1.1.
- SSL_session_reused is now native
- SSL_get_keyblock_size modifed to use new API
- OCSP functions modified to use new API under 1.1
- SSL_set_state removed with 1.1
- SSL_get_state and SSL_state are now equivalent and available in all
versions
- SSL_CTX_v2_new removed
- SESSION_set_master_key removed with 1.1. Code that previously used
SESSION_set_master_key must now set $secret in the session_secret
callback set with SSL_set_session_secret_cb
- With 1.1, $secret in the session_secret
callback set with SSL_set_session_secret_cb can be changed to alter
the master key (required by EAP-FAST).
Added a function EC_KEY_generate_key similar to RSA_generate_key and a
function EVP_PKEY_assign_EC_KEY similar to EVP_PKEY_assign_RSA. Using
these functions it is easy to create and use EC keys in the same way as
RSA keys. Patch provided by Steffen Ullrich. Thanks Steffen.
Testing with LibreSSL 2.4.1, with compatibility patch from Steffen
Ullrich. Thanks Steffen.
Patch from Steffen Ulrich provides support for cross context (and cross process)
session sharing using the stateless TLS session tickets. It uses the
SSL_CTX_set_tlsext_ticket_key_cb function to manage the encryption and
decryption of the tickets but provides a more simplified
interface. Includes new function CTX_set_tlsext_ticket_getkey_cb.
To not conflict with the OpenSSL name in case the more complex interface
will be implemented ever the current simplified interface is called
slightly different: CTX_set_tlsext_ticket_*get*key_cb.
Added documentation about downloading latest version from SVN.
Added missing Module/install files to SVN.
