The PBC (Pairing-Based Cryptography) library is a free C library built
on the GMP library that performs the mathematical operations
underlying pairing-based cryptosystems.
It provides routines such as elliptic curve generation, elliptic curve
arithmetic and pairing computation.
The API is abstract enough that the PBC library can be used even if
the programmer possesses only an elementary understanding of pairings.
There is no need to learn about elliptic curves or much of number
theory. (The minimum requirement is some knowledge of cyclic groups
and properties of the pairing.)
Boneh-Lynn-Shacham short signatures
Hess identity-based signatures
Joux tripartite Diffie-Hellman
Paterson identity-based signatures
Yuan-Li identity-based authenticated key agreement
Zhang-Kim identity-based blind/ring signatures
Zhang-Safavi-Naini-Susilo signatures
Bug Fixes
* amavisd failed to start when spam scanning was disabled either
by @bypass_spam_checks_maps=(1) or by @spam_scanners=(), giving:
Can't locate object method "new" via package "Amavis::SpamControl"
As a workaround one could use a @spam_scanners=(undef) to disable spam
scanning;
* several decoders failed to propagate "Exceeded storage quota" exception,
so the protection of AV scanners against mail bombs was ineffective;
reported by Jorgen Lundman;
* milter usage (AM.PDP): verbatim header edits inserted a header body of
"1" instead of the correct string
* updated AV entry for BitDefender's bdscan to recognize tabs around
a colon in its output; contributed by Steve;
* fix parsing of a combined result from DSPAM (option --classify), as
earlier versions of DSPAM did not include a signature with a combined
result line; problem reported by Marijan Vidmar;
New Features
* provide a true SNMP agent and a MIB, facilitating monitoring the health
of a content filtering system, its performance and mail characteristics;
* a new AV interface to SMTP-based antivirus scanners;
* allow customizing SMTP-status response reason text for blocked messages;
* prevent inserting fake copies of certain important mail header fields
without breaking a DKIM signature;
Changes from previous version (20100601)
Changes to 3.99.13/20101104
+ fix up GNU autoconf framework to reflect new structure
+ add ability in netpgpkeys(1) and netpgp(1) to specify the cipher
(symmetric algorithm)
+ add the camellia cipher implementation from openssl as specified in RFC 5581
+ changes from Peter Pentchev to get rid of an exit(3) in library context
+ changes from Peter Pentchev for manual page hyphens
+ changes from Peter Pentchev to clean up after tests
+ changes from Arnaud Ysmal to avoid dereferencing possible NULL pointers
+ change from Arnaud Ysmal to clean up usage message in netpgpkeys(1)
+ avoid calling bzlib functions if they aren't present
+ when writing out the key as an ssh key, don't include the user id
information at the end, in-line with expectations about standard ssh
key formats
+ since the signing key changed its "menu line" entry from "pub" to
"signature", the offset of the key id moved 7 chars to the right, so
take this into consideration when generating new keys
+ allow the user specification of the secret key file as the
--sshkeyfile or -S argument, and check that the public key file exists
before trying to read it
Changes to 3.99.12/20100907
+ add a pretty print function mj_pretty(3) to libmj
+ added netpgp_write_sshkey(3) to libnetpgp
+ added pgp2ssh(1)
+ added preliminary support for ElGamal decryption, needed for DSA keys
as yet untested, unworking, and a WIP
+ add support for using all ssh keys, even those protected by a passphrase,
for decryption and signing. This rounds off ssh key file support in netpgp.
+ add a single character alias (-S file) for [--sshkeyfile file] to
netpgpkeys(1) and netpgp(1)
Changes to 3.99.11/20100809
+ update hkpd(8) to reflect the -S argument to hkpd(8)
+ add reachover Makefile support for hkpd(8) and hkpc(1)
+ regen autoconf with new version and date information
Changes to 3.99.10/20100809
+ check return value from option setting function in netpgpkeys(1)
+ be smarter when checking for a null id
+ add test for crap being returned when listing specific keys in netpgpkeys(1)
+ take the public key from the pubring, not the secring when exporting
keys
+ allow hkpd to serve ssh keys in pgp format
+ test on whether a seckey is needed, not on a userid needed, for ssh keys
Changes to 3.99.9/20100809
+ add single character options to netpgp(1) and netpgpkeys(1)
+ add -o long-option (=value)? to netpgp(1) and netpgpkeys(1)
+ save subkeys when parsing keys. when listing keys, note that the first
subkey is for encryption
+ rationalise birthtime/expiration timestamps into a single function
+ clean up some 64-bit (amd64) lint
Changes to 3.99.8/20100805
+ free a regular expression after using it
+ be a bit less typedef-happy when it's not needed
+ added minimalist JSON (libmj) to distribution
+ add a function in ops layer to construct JSON serialised text from keys
+ use json output from the library in netpgpkeys(1)
+ added check for alternative openssl location
Changes to 3.99.7/20100701
+ recognise ascii-armoured encrypted messages properly, in memory and
in files
+ fix a bug when printing out the public key when prompting for a secret
key
+ print error message and exit for now when trying to encrypt with a DSA key
+ fix bug reported by dyoung when trying to print out the encryption key
fingerprint
Changes to 3.99.6/20100701
+ make some synonyms for --ssh-keys
+ make proper defaults for home dir for ssh key files as well as pgp files
+ modify regression test script to ensure that ssh-keygen and netpgpkey's
idea of ssh keys are the same
+ return any error codes when reading ssh pub or private keys
Changes to 3.99.5/20100613
+ make ssh fingerprints (md5) match netpgp listing
+ use the more functional hexdump function from ssh2pgp in place of the
older hexdump function from openpgpsdk
+ pass hash type down from command line where needed
+ add test for netpgp/ssh key fingerprint matching
+ make netpgpkeys(1) take a --hash= option
=== 0.4.4 2010-10-31
* Fix LoadError rescue in tests: return can't be used in this context
(Hans de G raaff)
* HTTP headers should be strings. (seancribbs)
* ensure consumer uri gets set back to original config even if an error occurs
(Brian Finney)
* Yahoo uses & to split records in OAuth headers (Brian Finney)
* Added support for Rails 3 in client/action_controller_request (Pelle)
* fix: LDAP write on userPassword fails when chasing referral and cached
policy error is POLICY_ERROR_PASSWORD_EXPIRED
* fix: only request attributes that are actually used
* fix: canonicalize PAM_USER name
Noteworthy changes in version 1.4.11 (2010-10-18)
-------------------------------------------------
* Bug fixes and portability changes.
* Minor changes for better interoperability with GnuPG-2.
* Added mechanism CKM_RSA_X_509 (use Botan 1.9.7 to fix a bug
when verifying these signatures)
* The softhsm command now have the option --module <path>
To use a PKCS#11 library other than SoftHSM.
* The softhsm command now import all parts of the RSA key.
CKA_EXPONENT_1, CKA_EXPONENT_2, and CKA_COEFFICIENT is not needed
by SoftHSM but might be needed by other HSM:s.
* Ticket #163: softhsm-keyconv now support BIND format v1.3
* Write message to stderr when the config file cannot be found
* CKA_WRAP_WITH_TRUSTED was not handled correctly. But it has not
been a problem since wrapping is not supported.
* Set CKA_KEY_GEN_MECHANISM to CK_UNAVAILABLE_INFORMATION when
importing objects.
* C_GetInfo now returns CKR_CRYPTOKI_NOT_INITIALIZED if library
is not initialized.
* Force clean up if the app does not do C_Finalize (using auto_ptr)
* Limit the scope of the session objects to the owner application
* softhsm --optimize will clean up leftovers (session objects)
from applications that haven't closed down properly.
* Do not use CKF_HW, the mechanisms are not performed by a device.
* The ulMinKeySize and ulMaxKeySize are not used for the digesting
mechanisms, but we set them to zero for applications that forget
this.
* Used wrong buffer size for signatures. This was only a problem
for keys where (key size % 8 == 1), e.g. 1025 bit keys.
* C_Login now returns CKR_USER_ANOTHER_ALREADY_LOGGED_IN instead of
CKR_USER_TOO_MANY_TYPES
* Version 2.10.2 (released 2010-09-30)
** Use Libtool 2.2.10 to ease MinGW64 builds.
** libgnutls: Add new extended key usage ipsecIKE.
** libgnutls: Is now more liberal in the PEM decoding.
That is spaces and tabs are being skipped.
** libgnutls: Renamed NULL MAC to MAC-NULL to prevent clash with NULL cipher.
This prevented the usage of the TLS ciphersuites with NULL cipher.
See <http://thread.gmane.org/gmane.network.gnutls.general/2093>.
** libgnutls: The %COMPAT flag now allows larger records that violate the
TLS spec.
** libgnutls: Fix asynchronous API handling.
The code was clearing session hash data on EAGAIN. Problem reported
by Sjoerd Simons <sjoerd.simons@collabora.co.uk> and Vivek
Dasmohapatra <vivek@collabora.co.uk>. See
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/4531>.
** gnutls-cli: Flush stdout/stderr before removing buffering.
Reported by Knut Anders Hatlen see
<http://savannah.gnu.org/support/?107481>.
* add tests
* Corrected a bogus array initialization.
* Effectively double-escaped the normalized params for inclusion in the
signature base as required by sections 9.1.1 and 9.1.3 of the OAuth 1.0
specification.
2010-09-20 -- pycryptopp v0.5.25
* make setup backwards-compatible to Python 2.4
* fix incompatibilities between setup script and older versions of darcsver
* don't attempt to compile Mac OS X extended attribute files (this fixes the build breaking)
* include a version number of the specific version of Crypto++ in extraversion.h
* small changes to docs
2010-09-18 -- pycryptopp v0.5.20
* fix bugs in assembly implementation of SHA-256 from Crypto++
* fix it to compile on *BSD (#39)
* improve doc strings
* add a quick start-up-self-test of SHA256 (#43)
* execute the quick start-up-self-tests of AES and SHA256 on module import
This module provides common interface to HMAC functionality. HMAC is a
kind of "Message Authentication Code" (MAC) algorithm whose standard
is documented in RFC2104. Namely, a MAC provides a way to check the
integrity of information transmitted over or stored in an unreliable
medium, based on a secret key.
Originally written by Daiki Ueno. Converted to a RubyGem by Geoffrey Grosenbach
LuaSec is a binding for OpenSSL library to provide TLS/SSL communication.
This version delegates to LuaSocket the TCP connection establishment
between the client and server. Then LuaSec uses this connection to start
a secure TLS/SSL session.
(Based on wip/luasec.)
pkgsrc changes:
- add license definition
Upstream changes:
0.15 Sun Sep 12 13:46:13 2010
- added crc64 support, #50064
Thanks to Anders Ossowicki <aowi@novozymes.com>
- added bit reversing per byte, #59575
Thanks to Joel Peshkin <joel@peshkin.net>
- clone method nwo copies content too
Thanks to Stefan Ochs <stefan.ochs@opentext.com>
* Install README.LDAP when "ldap" is enabled in PKG_OPTIONS.
* Fix build problem when "kerberos" is enabled in PKG_OPTIONS.
Bump PKGREVISION since default PLIST has changed.
* Fixed bug with DB_CHECKINODE
Version 0.15
* Added new grouped option
* Sort files in report by filename
* Added support for e2fsattrs attribute
* Added support for ftype attribute
* Bug fixes
relevant bugs) version:
Major changes between version 1.7.4p3 and 1.7.4p4:
* A potential security issue has been fixed with respect to the
handling of sudo's -g command line option when -u is also
specified. The flaw may allow an attacker to run commands as a
user that is not authorized by the sudoers file.
* A bug has been fixed where "sudo -l" output was incomplete if
multiple sudoers sources were defined in nsswitch.conf and there
was an error querying one of the sources.
* The log_input, log_output, and use_pty sudoers options now work
correctly on AIX. Previously, sudo would hang if they were
enabled.
* Fixed "make install" when sudo is built in a directory other
than the directory that holds the sources.
* The runas_default sudoers setting now works properly in a
per-command Defaults line.
* Suspending and resuming the bash shell when PAM is in use now
works properly. The SIGCONT signal was not being propagated to
the child process.
Major changes between version 1.7.4p2 and 1.7.4p3:
* A bug has been fixed where duplicate HOME environment variables
could be set when the env_reset setting was disabled and the
always_set_home setting was enabled in sudoers.
* The value of sysconfdir is now substituted into the path to the
sudoers.d directory in the installed sudoers file.
* Fixed compilation problems on Irix and other platforms.
* If multiple PAM "auth" actions are specified and the user enters
^C at the password prompt, sudo will now abort any subsequent
"auth" actions. Previously it was necessary to enter ^C once for
each "auth" action.
Major changes between version 1.7.4p1 and 1.7.4p2:
* Fixed a bug where sudo could spin in a cpu loop waiting for the
child process.
* Packaging fixes for sudo.pp to better handle patchlevels.
Major changes between version 1.7.4 and 1.7.4p1:
* Fix a bug introduced in sudo 1.7.3 that prevented the -k and -K
options from functioning when the tty_tickets sudoers option was
enabled.
* Sudo no longer prints a warning when the -k or -K options are
specified and the ticket file does not exist.
* Changes to the configure script to enable cross-compilation of
Sudo.
Major changes between version 1.7.3 and 1.7.4:
* Sudoedit will now preserve the file extension in the name of the
temporary file being edited. The extension is used by some
editors (such as emacs) to choose the editing mode.
* Time stamp files have moved from /var/run/sudo to either
/var/db/sudo, /var/lib/sudo or /var/adm/sudo. The directories
are checked for existence in that order. This prevents users
from receiving the sudo lecture every time the system reboots.
Time stamp files older than the boot time are ignored on systems
where it is possible to determine this.
* Ancillary documentation (README files, LICENSE, etc) is now
installed in a sudo documentation directory.
* Sudo now recognizes "tls_cacert" as an alias for "tls_cacertfile"
in ldap.conf.
* Defaults settings that are tied to a user, host or command may
now include the negation operator. For example:
Defaults:!millert lecture
will match any user but millert.
* The default PATH environment variable, used when no PATH variable
exists, now includes /usr/sbin and /sbin.
* Sudo now uses polypkg for cross-platform packing.
* On Linux, sudo will now restore the nproc resource limit before
executing a command, unless the limit appears to have been
modified by pam_limits. This avoids a problem with bash scripts
that open more than 32 descriptors on SuSE Linux, where
sysconf(_SC_CHILD_MAX) will return -1 when RLIMIT_NPROC is set
to RLIMIT_UNLIMITED (-1).
* Visudo will now treat an unrecognized Defaults entry as a parse
error (sudo will warn but still run).
* The HOME and MAIL environment variables are now reset based on
the target user's password database entry when the env_reset
sudoers option is enabled (which is the case in the default
configuration). Users wishing to preserve the original values
should use a sudoers entry like:
Defaults env_keep += HOME
to preserve the old value of HOME and
Defaults env_keep += MAIL
to preserve the old value of MAIL.
* The tty_tickets option is now on by default.
* Fixed a problem in the restoration of the AIX authdb registry
setting.
* If PAM is in use, wait until the process has finished before
closing the PAM session.
* Fixed "sudo -i -u user" where user has no shell listed in the
password database.
* When logging I/O, sudo now handles pty read/write returning ENXIO,
as seen on FreeBSD when the login session has been killed.
* Sudo now performs I/O logging in the C locale. This avoids
locale-related issues when parsing floating point numbers in the
timing file.
* Added support for Ubuntu-style admin flag dot files.
Major changes between version 1.7.2p8 and 1.7.3:
* Support for logging a command's input and output as well as the
ability to replay sessions. For more information, see the
documentation for the log_input and log_output Defaults options
in the sudoers manual. Also see the sudoreplay manual for
information on replaying I/O log sessions.
* The use_pty sudoers option can be used to force a command to be
run in a pseudo-pty, even when I/O logging is not enabled.
* On some systems, sudo can now detect when a user has logged out
and back in again when tty-based time stamps are in use.
Supported systems include Solaris systems with the devices file
system, Mac OS X, and Linux systems with the devpts filesystem
(pseudo-ttys only).
* On AIX systems, the registry setting in /etc/security/user is
now taken into account when looking up users and groups.
Sudo now applies the correct the user and group ids when running
a command as a user whose account details come from a different
source (e.g. LDAP or DCE vs. local files).
* Support for multiple sudoers_base and uri entries in ldap.conf.
When multiple entries are listed, sudo will try each one in the
order in which they are specified.
* Sudo's SELinux support should now function correctly when running
commands as a non-root user and when one of stdin, stdout or stderr
is not a terminal.
* Sudo will now use the Linux audit system with configure with the
--with-linux-audit flag.
* Sudo now uses mbr_check_membership() on systems that support it
to determine group membership. Currently, only Darwin (Mac OS X)
supports this.
* When the tty_tickets sudoers option is enabled but there is no
terminal device, sudo will no longer use or create a tty-based
ticket file. Previously, sudo would use a tty name of "unknown".
As a consequence, if a user has no terminal device, sudo will now
always prompt for a password.
* The passwd_timeout and timestamp_timeout options may now be
specified as floating point numbers for more granular timeout
values.
* Negating the fqdn option in sudoers now works correctly when sudo
is configured with the --with-fqdn option. In previous versions
of sudo the fqdn was set before sudoers was parsed.
* Update HOMEPAGE.
* Remove default value of GEM_BUILD.
=== 2.0.23 / 03 Jun 2010
* delay CHANNEL_EOF packet until output buffer is empty [Rich Lane]
Previously, calling #eof! after #send_data would result in the CHANNEL_EOF
packet being sent immediately, ahead of the data in the output buffer. Now
buffer becomes empty.
=== 2.0.22 / 20 Apr 2010
* Fix for: "Parsing the config errors out because it coerces the "1" into an integer and then tries to split it on spaces for multiple host checking." (http://net-ssh.lighthouseapp.com/projects/36253/tickets/10) [Lee Marlow]
=== 2.0.21 / 20 Mar 2010
* Fix for "IdentifyFile" in ~/.ssh/config does not work if no "Host" statement is given (http://net-ssh.lighthouseapp.com/projects/36253/tickets/9-identifyfile-in-sshconfig-does-not-work-if-no-host-statement-is-given#ticket-9-5) [xbaldauf, Delano Mandelbaum]
* Fix for client closes a forwarded connection, but the server is reading, net-ssh terminates with IOError socket closed (http://net-ssh.lighthouseapp.com/projects/36253/tickets/7) [Miklós Fazekas]
* Fix for client force closes (RST) a forwarded connection, but server is reading, net-ssh terminates with exception [Miklós Fazekas]
* Fix for server closes the sending side, the on_eof is not handled. [Miklós Fazekas]
* Removed Hanna dependency in Rakefile [Delano Mandelbaum]
=== 2.0.20 / 10 Feb 2010
* Support "ProxyCommand none" directive [Andy Lo-A-Foe]
=== 2.0.19 / 16 Jan 2010
* Support plus sign in sshconfig hostname [Jason Weathered]
=== 2.0.18 / 15 Jan 2010
* Fix related to #recv(1) to #readpartial change in 2.0.16 [Hans de Graaff, Delano Mandelbaum]
=== 2.0.17 / 14 Dec 2009
* Don't load net/ssh/authentication/pageant on Windows with Ruby 1.9 [Travis Reeder, Delano Mandelbaum]
