+ bring over change from christos in src/crypto to check for
the end of an ASCII-armored signature
+ no need for namespace protection in array.h any more, now
that netpgp/verify.h now contains opaque structures
+ minor typo clean-up in a definition (benign, ignored by compiler)
signing-party (2.4-1) unstable; urgency=medium
* caff, gpg-key2latex, gpgsigs: Ignore "KEY_CONSIDERED" status output
emitted by gpg 2.1.13 and later.
* caff, gpgsigs: Allow input produced by gpgparticipants(1) using gpg
2.1.13. With this version, key IDs are not displayed by default and the
"Key fingerprint = " prefix is omitted.
* caff:
+ Fix GnuPG version number comparison.
+ With GnuPG 2.1.13 or later, use gpgconf(1) to determine the socket
paths. (It is not used on earlier gpg since earlier gpgconf do not
support --homedir.) This fixes compatibility with GnuPG 2.1.13.
(Closes: #834984)
+ When ~/.caff/gnupghome/gpg.conf does not exist, instead of creating a
temporary file (as it's done since signing-party 2.3), parse
~/.gnup/gpg.conf and pass the GnuPG options that are known to be safe
(and useful) for caff to gpg(1) using command line options. This soves
the problem of lingering configuration files in case caff is killed.
+ Use full fingerprints internally to avoid collisions. (However
$CONFIG{'keyid'} and $CONFIG{'local-users'} are kept to 64-bits key IDs
as per RFC 4880 full fingerprints are not available in key signatures,
and thus not exposed by `gpg --with-colons --list-sigs`.)
+ Automatically import the $CONFIG{'also-encrypt-to'} from the normal
GnuPGHOME when possible.
* d/source.lintian-overrides: Add 'debian-watch-file-is-missing' as we're
upstream.
* d/control: Remove Franck Joncourt from the Uploaders list per request of
the MIA team. (Closes: #831321)
-- Guilhem Moulin <guilhem@guilhem.org> Mon, 22 Aug 2016 00:19:48 +0200
Noteworthy changes in version 1.3.5 (2016-08-22) [C19/A11/R6]
------------------------------------------------
* Limit the allowed size of complex ASN.1 objects (e.g. certificates)
to 16MiB.
* Avoid read access to unitialized memory.
* Improve detection of invalid RDNs.
* Encode the OCSP nonce value as an octet string as described by
RFC-6960.
hitch-1.3.1 (2016-08-16)
- Fixes a bug in the autotools configuration which led to man
pages not being built.
hitch-1.3.0 (2016-08-16)
- Fix a bug where we crashed in the OCSP handling if there was no
default SSLCTX configured.
- Minor documentation fix.
hitch-1.3.0-beta3 (2016-07-26)
- Fully automated retrieval and refreshes of OCSP responses (see
configuration.md for details).
- New parameters ocsp-dir, ocsp-resp-tmo and ocsp-connect-tmo.
- Cleanup of various log messages.
- Verification of OCSP staples. Enabled by setting
ocsp-verify-staple = on.
- Make rst2man an optional requirement (#93). Thanks to Barry
Allard.
- Avoid stapling expired OCSP responses
- A few fixes to the shared cache updating code. Thanks to Piyush
Dewnani
hitch-1.3.0-beta2 (2016-05-31)
- Options given on the command line now take presedence over
configuration file settings. I.e. there is no longer a need to
specify --config first to get this behavior.
- Config file regression: "yes" and "no" are now accepted by the
config file parser as boolean values.
- Documentation improvements and spelling fixes.
- Various minor autotools build fixes.
hitch-1.3.0-beta1 (2016-05-11)
- Support for OCSP stapling (see configuration.md for details)
- Initialize OpenSSL locking callback if an engine is loaded. Some
SSL accelerator cards have their custom SSL engine running in a
multithreaded context. For these to work correctly, Hitch needs
to initialize a set of mutexes utilized by the OpenSSL library.
- #82: A mistake in the SNI lookup code caused us to inspect the
wrong list when looking for wildcard certificate matches.
5.22:
KWallet Framework
* disable seession restore for kwalletd5
5.23:
KWallet Framework
* KWalletd migration: fix error handling, stops the migration from
happening on every single boot.
This package provides an object oriented interface to GNU Privacy Guard
(GnuPG). It requires the GnuPG executable to be on the system.
Though GnuPG can support symmetric-key cryptography, this package is
intended only to facilitate public-key cryptography.
Changes for 2.036 not documented.
2.035 2016/08/11
- fixes for issues introduced in 2.034
- return with error in configure_SSL if context creation failed. This
might otherwise result in an segmentation fault later.
- apply builtin defaults before any (user configurable) global settings
(i.e. done with set_defaults, set_default_context...) so that builtins
don't replace user settings
Thanks to joel[DOT]a[DOT]berger[AT]gmail[DOT]com for reporting
* keychain 2.8.2 (06 Nov 2015)
Summary: Support new ssh features, bug fix release.
Support for new hash algorithms (Ben Boeckel)
Remove bashisms (Daniel Hertz)
Various optimizations (Daniel Hahler)
--timeout option now gets passed to agent, doc fixes (Andrew Bezella, Emil
Lundberg)
RPM, Makefile fixes (Mike Frysinger)
* keychain 2.8.1 (29 May 2015)
Summary: POSIX compatibility and bug fix release.
Only set PATH to a standard value if PATH is not set. Otherwise, do not
modify.
Makefile Cygwin and RPM spec fixes (thanks Luke Bakken and Ricardo Silva)
Confhost fixes. Deprecate in_path. Use command -v instead.
Find_pids: Modify "ps" call to work with non-GNU ps. (Bryan Drewery)
Re-introduce POSIX compatibility (remove shopt.) (vaeth)
* keychain 2.8.0 (21 Mar 2015)
Support for OpenSSH 6.8 fingerprints.
Support for GnuPG 2.1.0.
Handle private keys that are symlinks, even if the associated public key is
in the target directory rather than alongside the symlink.
Allow private keys to have extensions, such as foo.priv. When looking for
matching public keys, look for foo.priv.pub, but also strip extension and
look for foo.pub if foo.priv.pub doesn't exist.
Initial support for --list/-l option to list SSH keys.
Updated docs for fish shell usage.
* keychain 2.7.2_beta1 (07 July 2014)
Various changes and updates:
Fixes for fish from Marc Joliet.
Keychain will default to start only ssh-agent unless GPG is explicitly
updated using --agents.
Write ~/.gpg-agent-info when launching gpg-agent - fix from Thomas Spura.
Add support for injecting agents into systemd (Ben Boeckel)
Add support for --query option (Ben Boeckel)
Add --absolute flag, allowing user to set a full path without getting a
.keychain suffix automatically appended.
Add --confhost option to scan ~/.ssh/config file to locate private key
path specified there.
Changelog:
2016-08-17 Werner Koch <wk@gnupg.org>
Release 1.4.21.
gpg: Add dummy option --with-subkey-fingerprint.
* g10/gpg.c (opts): Add dummy option.
build: Create a swdb file during "make distcheck".
* Makefile.am (distcheck-hook): New.
2016-08-17 Ineiev <ineiev@gnu.org>
po: Update Russian translation.
2016-08-17 Werner Koch <wk@gnupg.org>
random: Hash continuous areas in the csprng pool.
* cipher/random.c (mix_pool): Store the first hash at the end of the
pool.
cipher: Improve readability by using a macro.
* cipher/random.c (mix_pool): Use DIGESTLEN instead of 20.
2016-08-09 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
gpg: Avoid publishing the GnuPG version by default.
* g10/gpg.c (main): initialize opt.emit_version to 0
* doc/gpg.texi: document different default for --emit-version
2016-08-04 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Clean up "allow to"
* README, cipher/cipher.c, cipher/pubkey.c, doc/gpg.texi: replace
"allow to" with clearer text
In standard English, the normal construction is "${XXX} allows ${YYY}
to" -- that is, the subject (${XXX}) of the sentence is allowing the
object (${YYY}) to do something. When the object is missing, the
phrasing sounds awkward, even if the object is implied by context.
There's almost always a better construction that isn't as awkward.
These changes should make the language a bit clearer.
Fix spelling: "occured" should be "occurred"
* checks/armor.test, cipher/des.c, g10/ccid-driver.c, g10/pkclist.c,
util/regcomp.c, util/regex_internal.c: correct the spelling of
"occured" to "occurred"
2016-08-04 NIIBE Yutaka <gniibe@fsij.org>
g10: Fix checking key for signature validation.
* g10/sig-check.c (signature_check2): Not only subkey, but also primary
key should have flags.valid=1.
2016-08-03 Justus Winter <justus@g10code.com>
Partially revert "g10: Fix another race condition for trustdb access."
This amends db246f8b which accidentally included the compiled
translation files.
2016-07-09 NIIBE Yutaka <gniibe@fsij.org>
gpgv: Tweak default options for extra security.
* g10/gpgv.c (main): Set opt.no_sig _cache, so that it doesn't depend on
cached status. Similarly, set opt.flags.require_cross_cert for backsig
validation for subkey signature.
2016-07-06 NIIBE Yutaka <gniibe@fsij.org>
g10: Fix keysize with --expert.
* g10/keygen.c (ask_keysize): It's 768 only for DSA.
2016-06-28 NIIBE Yutaka <gniibe@fsij.org>
g10: Fix --list-packets.
* g10/gpg.c (main): Call set_packet_list_mode after assignment of
opt.list_packets.
* g10/mainproc.c (do_proc_packets): Don't stop processing with
--list-packets as the comment says.
* g10/options.h (list_packets): Fix the comment.
* g10/parse-packet.c: Fix the condition for opt.list_packets.
2016-06-15 Niibe Yutaka <gniibe@fsij.org>
g10: Fix another race condition for trustdb access.
* g10/tdbio.c (create_version_record): Call create_hashtable to always
make hashtable, together with the version record.
(get_trusthashrec): Remove call to create_hashtable.
2016-02-12 NIIBE Yutaka <gniibe@fsij.org>
g10: Make sure to have the directory for trustdb.
* g10/tdbio.c (tdbio_set_dbname): Return earlier if !CREATE. Check
the directory and create it if none before calling take_write_lock.
2016-02-01 Werner Koch <wk@gnupg.org>
Fix possible sign extension problem with newer compilers.
* cipher/des.c (READ_64BIT_DATA): Cast to u32 before shifting by 24.
* cipher/blowfish.c (do_encrypt_block): Ditto.
(do_decrypt_block): Ditto.
* cipher/camellia.c (CAMELLIA_RR8): Ditto.
* cipher/cast5.c (do_encrypt_block): Ditto.
(do_decrypt_block): Ditto.
(do_cast_setkey): Ditto.
* cipher/twofish.c (INPACK): Ditto.
* util/iobuf.c (block_filter): Ditto.
2016-01-26 NIIBE Yutaka <gniibe@fsij.org>
g10: Fix iobuf API of filter function for alignment.
* include/iobuf.h (struct iobuf_struct): Remove DESC.
* util/iobuf.c (iobuf_desc): New.
(print_chain, iobuf_close, iobuf_open, iobuf_fdopen, iobuf_sockopen)
(iobuf_create, iobuf_append, iobuf_openrw, iobuf_ioctl)
(iobuf_push_filter2, pop_filter, underflow): Use iobuf_desc.
(file_filter, sock_filter, block_filter): Fill the description.
* g10/armor.c, g10/cipher.c, g10/compress-bz2.c, g10/compress.c,
g10/encode.c, g10/encr-data.c, g10/mdfilter.c, g10/pipemode.c,
g10/progress.c, g10/textfilter.c: Likewise.
2016-01-15 Werner Koch <wk@gnupg.org>
Fix possible AIX problem with sysconf in rndunix.
* cipher/rndunix.c [HAVE_STDINT_H]: Include stdint.h.
(start_gatherer): Detect misbehaving sysconf.
2016-01-13 NIIBE Yutaka <gniibe@fsij.org>
Fix to support git worktree.
* Makefile.am: Use -e for testing .git.
2015-12-21 NIIBE Yutaka <gniibe@fsij.org>
po: Update Japanese translation.
These are the perl5 bindings for libnetpgpverify.
These bindings allow OpenPGP (RFC 4880), including PGP and GPG, and
SSH signatures on files and data to be verified.
Version 1.0.7
- Use p1_utils 1.0.5
- Do not log warning on sha1 nif reload attempt
Version 1.0.6
- Fix compilation on rebar3
Version 1.0.5
- OpenSSL 1.1.0 compliance
- Use p1_utils 1.0.4
Version 1.0.4
- Better compliance with R17 and R18
extracted from Changelog:
1.8.18: Ludovic Rousseau
10 August 2016
- SCardDisconnect(): much faster with SCARD_UNPOWER_CARD
- SCardConnect(): Fix a possible duplicated hCard context
- Fix compilation on FreeBSD
- Fix compilation on Solaris
- Some other minor improvements
1.8.17: Ludovic Rousseau
29 May 2016
- Fix SCardEndTransaction() issue with a SCARD_SHARE_EXCLUSIVE connection
- Fix an issue when used with systemd (problem in signal handler)
- SCardGetAttrib(): set pcbAttrLen when buffer is too small
- Doxygen: SCardGetAttrib() pbAttr can be NULL
- Doxygen: SCardGetAttrib() *pcbAttrLen contains the buffer size
- fix compilation warnings and link errors on SunOS
- Some other minor improvements
1.8.16: Ludovic Rousseau
20 March 2016
- SCardCancel() was not correctly handled
When a SCardGetStatusChange() was cancelled then a next PC/SC call
after the SCardGetStatusChange() may fail with a strange error code if
the event waited in SCardGetStatusChange() occurs.
- Doxygen: fix different documentation issues
- SCARD_SCOPE_GLOBAL is now defined in a public header (even if never used)
- Enable Trace and Profile features using compiler flags and without
modifying the source code
- Some other minor improvements and bug corrections
1.8.15: Ludovic Rousseau
25 December 2015
- Add support of remove and/or customize PC/SC reader names using
PCSCLITE_FILTER_IGNORE_READER_NAMES and PCSCLITE_FILTER_EXTEND_READER_NAMES
See http://ludovicrousseau.blogspot.fr/2015/12/remove-andor-customize-pcsc-reader-names.html
- Some other minor improvements and bug corrections
Upstream changes:
0.05 2015-11-14 NEILB
- Updated github repo URL after changing my github username
- Added [MetaJSON] to dist.ini so META.json is included in releases
- Doc: changed usage of "local $^W" to "no warnings 'redefine'"
- Fixed a couple of typos in the doc
- Dropped usage of "use vars"
- Module didn't have the required final "1;" or equivalent.
Was only by luck it had been.
------------------------------------------
2.034 2016/08/08
- move handling of global SSL arguments into creation of context, so that these
get also applied when creating a context only.
--------------------------------------
0.73 Jun 10, 2016
- Some old perl versions doesn't like Errno constant subs
being called without parents. Add them.
0.72 Jun 9, 2016
- Rerelease as stable.
0.71_03 Mar 16, 2016
- Improve shell detection code.
- Use a timeout to kill external commands not returning
control.
- improve ksh version checking in tests (bug report by jtzako
via PerlMonks)
0.71_02 Mar 11, 2016
- Lighten master socket checks in async mode in order to avoid
blocking and setting custom signal handlers which can
interfere with event-programming frameworks (bug report by
Doug Hoyte).
0.71_01 Jan 20, 2016
- Add entry on the documentation about how to integrate the
module with event-oriented programming frameworks (bug
report by Doug Hoyte, #gh17)
- Use an adaptative delaying algorithm while waiting for the
multiplexing socket to pop up (bug report by Doug Hoyte,
#gh17).
- Improve SIGCHLD handling and interoperability with other
modules setting custom handlers (bug report by Doug Hoyte,
#gh16).
- Drop patch-Makefile.PL, see below at 1.01 Feature item.
(Upsteam)
- Updated devel/p5-Net-DNS-SEC 0.22 to 1.02
-----------------------------------------
**** 1.02 September 16, 2015
Fix: Bug in t/10-keyset.t raises exception in Net::DNS
**** 1.01 August 3, 2015
Feature
The RRs previously implemented in Net::DNS::SEC are now
integrated with Net::DNS.
Fix: rt.cpan.org #105808
Version test for Pod::Test is broken
Fix: rt.cpan.org #105698
Net-DNS 1.01 conflicts with Net-DNS-SEC 0.22
--------------------------------
New in 0.16.0; 2016-05-15
* build
link OpenSSL in static
option: enable PKCS11 thread locking
* configuration
use one configuration file for all systems
* tools:
package revision as version
** pkcs11-tool
keygen mechanism in pkcs11 tools
write GOST public key
fix CKA_SENSITIVE attribute of public keys
** opensc-explorer:
added command find_tags
allow ASN.1 decoding if the file seems incomplete
** pkcs15-tool:
handle record-based files when doing file caching
option to prine raw data
** sc-hsm-tool:
status info support for SmartCard-HSM V2.0
** doc: some missing options are documented, added documentation
for gid tool
* minidriver:
support for ECC
Windows x509 enrollment
first implementation of CardDeleteContainer
MD logs controlled by register and environment variable
* reader-pcsc
fixed unreleased locks with pcsc-lite
honour PC/SC pt 10 dwMaxAPDUDataSize
added call back for getting vendor/product id
restrict access to card handles after fork
SCardGetAttrib is used to initialize reader's metadata
by default only short APDUs supported
* pkcs11
no slot reserved for hot plug
no more slot created 'per-applications'
atomic operation (TODO: expand)
export all C_* symbols
metadata initialized from package info
fix registering pkcs11 mechanisms multiple times
sloppy initialization for C_GetSlotInfo
* pkcs15
cache of on-card files extended to application paths
configuration option to enable/disable application
make file cache dir configurable
in key info data type introduced 'auxiliary data' -- container
for the non-pkc15 data.
* OpenPGP
support for Gnuk -- USB cryptographic token for GNU Privacy Guard
build without OpenSSL
implemented 'erase card'
additional manufacturers
* MyEID
support for 521 bit ECC keys
ATRs for the new cards
* sc-hsm
read/write support in minidriver
* rtecp
delete keys
* GemSafeV1
support for European Patent Office smart card
sign with SHA256
* Gids
first support for Gids smart card
* dnie
* Feitian PKI card
new ATRs
* IsoApplet
(fixes)
* starcos
initial support for STARCOS 3.4 (German D-Trust cards)
* macosx
install tokend to /Library/Security/ instead /System/Library/Security/
fixed locking issue in pcsc reader
* PIV
allow using of cards where default application in not PIV
support for the Yubikey NEO
* italian-CNS
italian-cns reg file for minidriver
1.77 2016-08-01
Fixed incorrect size to memset in tlsext_ticket_key_cb_invoke.
1.76 2016-07-31
Replaced bzero with memset. Bzero not present on windows.
1.75 2016-07-31
Compatibility with OpenSSL 1.1, tested with openssl-1.1.0-pre5:
- Conditionally remove threading locking code, not needed in 1.1
- Rewrite code that accesses inside X509_ATTRIBUTE struct.
- SSL_CTX_need_tmp_RSA, SSL_CTX_set_tmp_rsa,
SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback support
not available in 1.1.
- SSL_session_reused is now native
- SSL_get_keyblock_size modifed to use new API
- OCSP functions modified to use new API under 1.1
- SSL_set_state removed with 1.1
- SSL_get_state and SSL_state are now equivalent and available in all
versions
- SSL_CTX_v2_new removed
- SESSION_set_master_key removed with 1.1. Code that previously used
SESSION_set_master_key must now set $secret in the session_secret
callback set with SSL_set_session_secret_cb
- With 1.1, $secret in the session_secret
callback set with SSL_set_session_secret_cb can be changed to alter
the master key (required by EAP-FAST).
Added a function EC_KEY_generate_key similar to RSA_generate_key and a
function EVP_PKEY_assign_EC_KEY similar to EVP_PKEY_assign_RSA. Using
these functions it is easy to create and use EC keys in the same way as
RSA keys. Patch provided by Steffen Ullrich. Thanks Steffen.
Testing with LibreSSL 2.4.1, with compatibility patch from Steffen
Ullrich. Thanks Steffen.
Patch from Steffen Ulrich provides support for cross context (and cross process)
session sharing using the stateless TLS session tickets. It uses the
SSL_CTX_set_tlsext_ticket_key_cb function to manage the encryption and
decryption of the tickets but provides a more simplified
interface. Includes new function CTX_set_tlsext_ticket_getkey_cb.
To not conflict with the OpenSSL name in case the more complex interface
will be implemented ever the current simplified interface is called
slightly different: CTX_set_tlsext_ticket_*get*key_cb.
Added documentation about downloading latest version from SVN.
Added missing Module/install files to SVN.
Python-GSSAPI provides both low-level and high level wrappers around
the GSSAPI C libraries. While it focuses on the Kerberos mechanism,
it should also be useable with other GSSAPI mechanisms.
Python-GSSAPI is composed of two parts: a low-level C-style API which
thinly wraps the underlying RFC 2744 methods, and a high-level,
Pythonic API (which is itself a wrapper around the low-level API).
Examples may be found in the examples directory.
The low-level API lives in gssapi.raw. The methods contained therein
are designed to match closely with the original GSSAPI C methods. All
relevant methods and classes may be imported directly from gssapi.raw.
Extension methods will only be imported if they are present.
The high-level API lives directly under gssapi. The classes contained
in each file are designed to provide a more Pythonic, Object-Oriented
view of GSSAPI. The exceptions from the low-level API, plus several
additional exceptions, live in gssapi.exceptions. The rest of the
classes may be imported directly from gssapi. Only classes are
exported by gssapi - all functions are methods of classes in the
high-level API.
2.033 2016/07/15
- support for session ticket reuse over multiple contexts and processes
(if supported by Net::SSLeay)
- small optimizations, like saving various Net::SSLeay constants into variables
and access variables instead of calling the constant sub all the time
- make t/dhe.t work with openssl 1.1.0
2.032 2016/07/12
- Set session id context only on the server side. Even if the documentation for
SSL_CTX_set_session_id_context makes clear that this function is server side
only it actually affects hndling of session reuse on the client side too and
can result in error "SSL3_GET_SERVER_HELLO:attempt to reuse session in
different context" at the client.
2.031 2016/07/08
- fix for bug in session handling introduced in 2.031, RT#115975
Thanks to paul[AT]city-fan[DOT]org for reporting
2.030 2016/07/08
- Utils::CERT_create - don't add given extensions again if they were already
added. Firefox croaks with sec_error_extension_value_invalid if (specific?)
extensions are given twice.
- assume that Net::SSLeay::P_PKCS12_load_file will return the CA certificates
with the reverse order as in the PKCS12 file, because that's what it does.
- support for creating ECC keys in Utils once supported by Net::SSLeay
- remove internal sub session_cache and access cache directly (faster)
Patches have been applied upstream.
Release notes:
* fixed crashing bugs handling errors and handle scope in the SFTPClient class
* added the SftpPoller user module
* force socket disconnect in case of a timeout error when trying to
close a file descriptor
* socket performance instrumentation supported in the SFTPClient class
* user modules moved to top-level qore module directory from
version-specific module directory since they are valid for multiple
versions of qore
* fixed a bug where a crash would result when attempting a connection and
libssh2 would not return any user authentication methods
* implemented an automatic disconnection when timeouts occur to avoid
dead connections
* fixed crashing bugs in the SFTPClient class handling disconnect events
when an sftp handle was open; the handle must be closed before the
socket connection is closed or a crash will result
* implemented the SFTPClient::retrieveFile() and SFTPClient::transferFile()
methods
* ported the SFTPClient class tests to QUnit and added tests for the
new methods
* ported test/sftp-poller.q to QUnit
* fixed a bug in socket handling related to asyncronous socket event polling
and select(2) and lack of socket descriptor bounds checking
(issue 714)
* requires Qore 0.8.12+ to build (uses the new QoreValue API)
- PERL5_MODULE_TYPE= Module::Build::Tiny
- Following package added on BUILD_DEPENDS for make test
p5-Moo>=1.001:../../devel/p5-Moo
(upstream)
- Updated security/p5-Data-SimplePassword to 0.11
-----------------------------------------------
0.10 Tue Dec 3 07:10:44 UTC 2013
* switched to Moo.
0.08 Tue Jun 25 03:03:11 UTC 2013
* added is_available_provider() method.
* added new type 'alpha' to rndpassword.
* improved some tests to reduce test time.
* added zsh completion sample file. (see extra/)
* switched to Minilla.
