0.7.1 - 2014-12-28
~~~~~~~~~~~~~~~~~~
* Fixed an issue preventing compilation on platforms where ``OPENSSL_NO_SSL3``
was defined.
0.7 - 2014-12-17
~~~~~~~~~~~~~~~~
* Cryptography has been relicensed from the Apache Software License, Version
2.0, to being available under *either* the Apache Software License, Version
2.0, or the BSD license.
* Added key-rotation support to :doc:`Fernet </fernet>` with
:class:`~cryptography.fernet.MultiFernet`.
* More bit-lengths are now supported for ``p`` and ``q`` when loading DSA keys
from numbers.
* Added :class:`~cryptography.hazmat.primitives.interfaces.MACContext` as a
common interface for CMAC and HMAC and deprecated
:class:`~cryptography.hazmat.primitives.interfaces.CMACContext`.
* Added support for encoding and decoding :rfc:`6979` signatures in
:doc:`/hazmat/primitives/asymmetric/utils`.
* Added
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key` to
support the loading of OpenSSH public keys (:rfc:`4253`). Only RSA and DSA
keys are currently supported.
* Added initial support for X.509 certificate parsing. See the
:doc:`X.509 documentation</x509>` for more information.
Collection.
Password management should be simple and follow Unix philosophy. With pass,
each password lives inside of a gpg encrypted file whose filename is the title
of the website or resource that requires the password. These encrypted files
may be organized into meaningful folder hierarchies, copied from computer to
computer, and, in general, manipulated using standard command line file
management utilities.
pass makes managing these individual password files extremely easy. All
passwords live in ~/.password-store, and pass provides some nice commands for
adding, editing, generating, and retrieving passwords. It is a very short and
simple shell script. It's capable of temporarily putting passwords on your
clipboard and tracking password changes using git.
This is a collection of both secure hash functions (such as SHA256 and
RIPEMD160), and various encryption algorithms (AES, DES, RSA, ElGamal,
etc.). The package is structured to make adding new modules easy.
One possible application of the modules is writing secure administration
tools. Another application is in writing daemons and servers. Clients
and servers can encrypt the data being exchanged and mutually
authenticate themselves; daemons can encrypt private data for added
security. Python also provides a pleasant framework for prototyping and
experimentation with cryptographic algorithms; thanks to its
arbitrary-length integers, public key algorithms are easily implemented.
In lib/x509/rfc2818_hostname.c, ipv6 related structs are used, but
at least on FreeBSD, arpa/inet.h does not contain the necessary
structs. If netinet/in.h is present, we use it instead of arpa/inet.h.
Reviewed by wiz
packaged for wip by nros.
The Qore xmlsec module gives Qore programs the possibility to support
XML signature (xmldsig) and XML encryption (xmlenc) as defined by W3C.
packaged for wip by nros.
The ssh2 module provides Qore the possibility to communicate with sshd
servers via the ssh2 protocol; the underlying functionality is provided
by libssh2.
packaged for wip by nros.
ASN.1 (Abstract Syntax Notation One) module for Qore provides an API to
dynamically create, parse and convert ASN.1 data structures to concrete
output formats (like DER).
2.008 2014/12/16
- work around recent OCSP verification errors for revoked.grc.com (badly signed
OCSP response, Firefox also complains about it) in test t/external/ocsp.t.
- util/analyze.pl - report more details about preferred cipher for specific TLS
versions
- New Features:
- donuts: - Added the ability to summarize information
about a zone in the output, such as the upcoming
entire zone expiry time, etc
- Added the ability to query live zones for
records to analyze. EG:
donuts live:good-a,badsign-a test.dnssec-tools.org
- Added a -V switch to dump records analyzed
- libval: - Add support for conditionally checking all RRSIGs
on an assertion even if one that validates is
already found.
- Look for zonecuts based on NS records, not SOA
- Added initial support for TSIG in order to enable
libval to query recursive name servers that
authorized recursive lookup for only those hosts
that used a particular TSIG key.
- Validator.pm - Store respondent name server information in result
structure.
- Owl - additional sensor modules
- additional data analysis on manager
- logging to the Owl sensors modules
- optimized sensor data organization
(requires software upgrades on both sensor and
manager at the same time)
- added -restart option to owl-sensord for
restarting sensor modules
- improvements to the installation guide
- rollerd - generalized zonegroup entry in rollecs to be lists of tags
- rndc option support added
- dnssec-check - Ported to Qt5
- dnssec-nodes - Ported to Qt5
- lookup - Ported to Qt5
- dnssec-system-tray
- Ported to Qt5
- Bug Fixes
- Fixed bugs in libval, rollerd, blinkenlights, Owl
sensor modules, and Owl manager
- Use rlimits to try and limit file descriptor use in
libsres so we don't run out of available sockets.
- Eliminate a few hardcoded paths in various perl modules
- Fix various compiler warnings
- Update autoconf and related files
upstream. Thanks wiz@ for advice.
-------------------------
2014-10-26 Werner Koch <wk@gnupg.org>
Release 0.9.0.
(.. omitted ..)
Remove support for QT3 and GTK+-1.
* configure.ac: Remove old qt and gtk+-1 support.
-- This will remove pinentry-{gtk,qt} by next commit.
-- Touched files on this commit are Makefile.common and distinfo only
-------------------------
2014-10-26 Werner Koch <wk@gnupg.org>
Release 0.9.0.
gtk: Avoid segv for paste keys.
* gtk+-2/gtksecentry.c (gtk_secure_entry_class_init): Disable paste
key bindings.
Remove support for QT3 and GTK+-1.
* configure.ac: Remove old qt and gtk+-1 support.
* Makefile.am: Ditto.
2014-10-26 Stanislav Ochotnicky <sochotnicky@redhat.com>
Check if we are on tty before initializing curses.
* pinentry/pinentry-curses.c (dialog_run): Check that stdin and stdout
are connected to ttys.
2014-10-26 Werner Koch <wk@gnupg.org>
gtk: Allow pasting using the mouse.
* gtk+-2/gtksecentry.h (_GtkSecureEntry): Add fields insert_pos,
real_changed, and change_count.
(_GtkSecureEntryClass): Add field paste_clipboard.
* gtk+-2/gtksecentry.c (PASTE_CLIPBOARD): New.
(gtk_secure_entry_class_init): Set paste_clipboard and create
paste-clipboard signal.
(gtk_secure_entry_button_press): Call gtk_secure_entry_paste.
(begin_change, end_change, emit_changed): New.
(gtk_secure_entry_real_insert_text): Use emit_changed.
(gtk_secure_entry_real_delete_text): Ditto.
(paste_received, gtk_secure_entry_paste)
(gtk_secure_entry_paste_clipboard): New.
2014-10-24 Werner Koch <wk@gnupg.org>
gtk+-2: Make current focus visible again.
* gtk+-2/pinentry-gtk-2.c (grab_keyboard): Return false
(ungrab_keyboard): Ditto.
gtk+-2: Implement the SETREPEAT command.
* gtk+-2/pinentry-gtk-2.c (repeat_entry, error_label): New.
(button_clicked): Implement repeat check.
(changed_text_handler): Clear repeat field.
(create_window): Add repeat entry.
Add commands to allow implementing a "repeat passphrase" field.
* pinentry/pinentry.c (cmd_setrepeat): New.
(cmd_setrepeaterror): New.
(register_commands): Add new commands.
(cmd_getpin): Print "PIN_REPEATED" status.
Another commit follows for other files.
This is the last version pinentry-{qt,gtk} are available.
-----------------------------------------
2014-09-18 Werner Koch <wk@gnupg.org>
Release 0.8.4.
Add missing build support files and move them to build-aux.
Use generic autogen.sh script.
* autogen.rc: New.
* autogen.sh: New. Take from GnuPG.
* Makefile.am (EXTRA_DIST): Add autogen.rc.
(DISTCHECK_CONFIGURE_FLAGS): Disable qt4.
2014-08-12 Werner Koch <wk@gnupg.org>
common: Fix compiler warning.
* pinentry/pinentry.c (pinentry_utf8_to_local): Use cast for iconv arg.
(pinentry_local_to_utf8): Ditto.
New pinentry-tty version for dumb terminals.
* Makefile.am: Add pinentry-tty.
* NEWS: Add news about pinentry-tty.
* README: Update.
* configure.ac: Add support for this pinentry.
* tty/Makefile.am: New.
* tty/pinentry-tty.c: New.
2014-08-06 Andre Heinecke <aheinecke@intevation.de>
Check for MOC also if pinentry-qt is disabled.
* configure.ac: Call QT_PATH_MOC if pinentry_qt4 is not no.
Add fallbacks for SetForegroundWindow.
If that foreground window fails pinentry-qt now tries to
attach to the current foreground process and then tries
to set the foreground window again. If that fails it also
calls ShowWindow as a last resort.
* qt4/pinentrydialog.cpp (raiseWindow): Add fallbacks in
case SetForegroundWindow fails.
Use raiseWindow also for confirm dialogs.
This should fix the case that the dialog opened
in the foreground but a warning / confirm dialog
opened in the background.
* qt4/pinentryconfirm.cpp, qt4/pinentryconfirm.h (showEvent):
New overwrite base class method to call raiseWindow.
* NEWS: Mention this.
2014-07-30 Andre Heinecke <aheinecke@intevation.de>
Set some accessibility information.
* qt4/main.cpp (qt_cmd_handler): Build buttons with accessible
Description.
* qt4/pinentrydialog.cpp (setDescription, setError, setOkText)
(setCancelText, setQualityBar): Set an accessible description.
* qt4/pinentryconfirm.cpp (PinentryConfirm): Set message
box contents also as accessible values.
* NEWS: Mention it and the copy/paste change from last year.
2013-07-15 Andre Heinecke <aheinecke@intevation.de>
Lower paste length limit to 300.
This should be more than enough and avoids possible problems
with libassuan cmd line length or percent escaping etc.
* qt4/qsecurelineedit.cpp (insert): Lower paste limit
Limit paste length to 1023 characters.
* qt4/qsecurelineedit.cpp (insert): Check for a maximum
length before allocating the secmem string.
Fix contextmenu support for pasting.
MOC ignores preprocessor definitions so we can not conditionally
declare SLOTS. So we now move the ifdefs in the definition and
always declare the SLOTS.
* qt4/qsecurelinedit.cpp (cut, copy, paste): Do nothing if
QT_NO_CLIPBOARD is defined.
* qt4/qsecurelinedit.h: Always declare cut, copy and paste slots
Remove check for RTL extensions.
Our code does nothing RTL specific there anyway. And the
qt_use_rtl_extensions symbol has been removed.
* qt4/qsecurelinedit.cpp: Remove check for RTL extensions.
2013-07-12 Werner Koch <wk@gnupg.org>
Fix for commit fb38be9 to allow for "make distcheck".
* qt4/Makefile.am: Make correct use of BUILT_SOURCES.
2013-05-29 Andre Heinecke <aheinecke@intevation.de>
Add pinentry-qt4-clipboard option.
Enabling this option will make it possible to paste a
passphrase into pinentry-qt4. This defeats the secmem
mechanism but drastically increases usability for some
users.
* configure.ac: New option pinentry-qt4-clipboard.
* qt4/qsecurelineedit.cpp, qt4/qsecurelineedit.h: Activate
clipboard and context menu if PINENTRY_QT4_CLIPBOARD is defined.
Remove qt4 moc files and add moc to buildsystem.
This is necessary to conditionally enable signals/slots
at build time.
* qt4/Makefile.am: Moc files automatically.
* qt4/pinentryconfirm.moc, qt4/pinentrydialog.moc,
qsecurelineedit.moc: Removed.
Changelog for this version:
pev 0.70 - December 26, 2013
! Missing full/English documentation.
! Missing valid XML and HTML output formats.
! pestr: no support for --net option when parsing unicode strings.
! pestr: unable to handle too big strings.
* libpe: rewritten, now using mmap. (Jardel Weyrich).
* pestr: added countries domains suffixes.
* readpe and peres: output enhancements (Jardel Weyrich).
+ pehash: sections and headers hash calculation (Jardel Weyrich).
+ pehash: ssdeep fuzzy hash calculation.
+ pehash: support for new digest hashes like sha512, ripemd160 and more.
+ peres: added new tool to analyze/extract PE resources (Marcelo Fleury).
+ pescan: cpl malware detection.
+ pescan: undocumented anti-disassembly fpu trick detection.
+ pesec: show and extract certificates from digitally signed binaries (Jardel Weyrich).
- readpe can't show functions exported by ID only.
- readpe: fixed subsystem types (Dmitry Mostovenko).
ChangeLog for this version:
Wed, 12 Nov 2014 14:30:39 EDT (swebb)
-------------------------------------
* bb11176 - Instruct OpenSSL to allow MD5 when in FIPS-compliant mode.
Patch submitted by Reinhard Max.
Mon, 10 Nov 2014 11:03:29 EDT (swebb)
-------------------------------------
* bb11155 - Adjust the logic surrounding adjusting the PE section sizes
This fixes a crash with maliciously crafted yoda's crypter files and
also improves virus detections for PE files.
Thu, 6 Nov 2014 14:51:26 EDT (swebb)
-------------------------------------
* bb11088 - Merge in fixes for clamscan -a crash bug
Mon, 20 Oct 2014 11:33:18 EDT (swebb)
-------------------------------------
* Revert "bb#10731 - Allow to specify a group for the socket of which
the user is not a member"
Thu, 31 Jul 2014 19:11:22 EDT (swebb)
-------------------------------------
* Add support for XDP PDF file format
Thu, Jul 31 11:50:23 EDT 2014 (swebb)
------------------------------------
* bb#10731 - Allow specification of a group for the milter socket of which
the user is not a member - patch submitted by Sebastian Andrzej Siewior
Fri, 25 Jul 2014 12:26:04 EDT (klin)
------------------------------------
* bb#10981 - applied LLVM 3.1-3.4 - patch submitted by Andreas Cadhalpun
Fri, 25 Jul 2014 12:06:13 (klin)
--------------------------------
* clambc: added diagnostic tools for bytecode IR
Tue, 8 Jul 2014 19:53:41 EDT (swebb)
------------------------------------
* mass cleanup of compiler warnings
Tue, 08 Jul 11:30:00 EDT 2014 (morgan)
------------------------------------
* 0.98.5 beta release
Mon, 07 Jul 09:00:00 EDT 2014 (swebb)
------------------------------------
* 0.98.5-beta1 release engineering
Thu, 03 Jul 22:14:40 EDT 2014 (swebb)
------------------------------------
* Call cl_initialize_crypto() in cl_init()
Thu, 03 Jul 16:28:10 EDT 2014 (swebb)
------------------------------------
* Finalize PDF parsing code for the preclassification feature
Wed, 25 Jun 16:26:33 EDT 2014 (swebb)
------------------------------------
* Finalize linking in libjson, a new optional dependency
Fri, 13 Jun 2014 16:11:15 EDT (smorgan)
---------------------------------------
* add timeout facility for file property scanning
Tue, 3 Jun 2014 13:31:50 EDT (smorgan)
--------------------------------------
* add callback for user processing of json string and json scan result
Wed, 7 May 2014 10:56:35 EDT (swebb)
------------------------------------
* PE file properties collection
Tue, 6 May 2014 15:26:30 EDT (klin)
-----------------------------------
* add api to read json to the bytecode api
Thu, 1 May 2014 16:59:01 EDT (klin)
-----------------------------------
* docx/pptx/xlsx file properties collection
Wed, 30 Apr 2014 16:38:55 EDT (swebb)
-------------------------------------
* pdf file properties collection
Tue, 22 Apr 2014 14:22:39 EDT (klin)
------------------------------------
* json api wrapper
Mon, 21 Apr 2014 18:30:28 EDT (klin)
------------------------------------
* doc/ppt/xls file properties collection
Wed, 16 Apr 18:14:45 2014 EDT (smorgan)
--------------------------------------
* Initial libjson-c configure/build support and json file properties work
* Version 3.2.20 (released 2014-11-10)
** libgnutls: Removed superfluous random generator refresh on every call
of gnutls_deinit(). That reduces load and usage of /dev/urandom.
** libgnutls: Corrected issue in export of ECC parameters to X9.63 format.
Reported by Sean Burford [GNUTLS-SA-2014-5].
** API and ABI modifications:
No changes since last version.
* Version 3.2.19 (released 2014-10-13)
** libgnutls: Fixes in the transparent import of PKCS #11 certificates.
Reported by Joseph Peruski.
** libgnutls: Fixed issue with unexpected non-fatal errors resetting the
handshake's hash buffer, in applications using the heartbeat extension
or DTLS. Reported by Joeri de Ruiter.
** libgnutls: fix issue in DTLS retransmission when session tickets
were in use; reported by Manuel Pégourié-Gonnard.
** libgnutls: Prevent abort() in library if getrusage() fails. Try to
detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work.
** guile: new 'set-session-server-name!' procedure; see the manual for
details.
** API and ABI modifications:
No changes since last version.
Changes since 20141129:
+ bring over lint changes from src/crypto version of this utility
+ add a helper function to get an element from a cursor
+ added a small compile and test script, which uses BSD makefiles
+ change WARNS level in BSD Makefile from 6 to 5 - changes to make
WARNS=6 compile are way too intrusive and distracting to be useful
+ bump version to 20141204
Changes:
* The patch for SUPPORT-147 got integrated upstream.
* Regenerate enforcer/utils/Makefile.in diff
Upstream changes:
* SUPPORT-147: Zone updating via zone transfer can get stuck
* Crash on 'retransfer' command when not using DNS adapters.
2.007 2014/11/26
- make getline/readline fall back to super class if class is not sslified yet,
i.e. behave the same as sysread, syswrite etc.
This fixes RT#100529
Noteworthy changes in version 1.3.2 (2014-11-25) [C19/A11/R3]
------------------------------------------------
* Fixed a buffer overflow in ksba_oid_to_str.
Noteworthy changes in version 1.3.1 (2014-09-18)
------------------------------------------------
* Fixed memory leak in CRL parsing.
* Build fixes for Windows, Android, and ppc64el.
Python-RSA is a pure-Python RSA implementation. It supports encryption
and decryption, signing and verifying signatures, and key generation
according to PKCS#1 version 1.5. It can be used as a Python library
as well as on the commandline.
This is a small but growing collection of ASN.1 data structures
expressed in Python terms using the pyasn1 data model.
It's thought to be useful to protocol developers and testers.
2.006 2014/11/22
- Make (hopefully) non-blocking work on windows by using EWOULDBLOCK instead of
EAGAIN. While this is the same on UNIX it is different on Windows and socket
operations return there (WSA)EWOULDBLOCK and not EAGAIN. Enable non-blocking
tests on Windows too.
- make PublicSuffix::_default_data thread safe
- update PublicSuffix with latest list from publicsuffix.org
code branch for SoftHSMv2: ensure created pkcs8 file is not
group- or world-readable.
Rename patch-aa to patch-Makefile.in, and add a comment.
Bump PKGREVISION.
2.005 2014/11/15
- next try to fix t/protocol_version.t for OpenSSL w/o SSLv3 support
2.004 2014/11/15
- only test fix: fix t/protocol_version.t to deal with OpenSSL installations
which are compiled without SSLv3 support.
2.003 2014/11/14
- make SSLv3 available even if the SSL library disables it by default in
SSL_CTX_new (like done in LibreSSL). Default will stay to disable SSLv3,
so this will be only done when setting SSL_version explicitly.
- fix possible segmentation fault when trying to use an invalid certificate,
reported by Nick Andrew.
- Use only the ICANN part of the default public suffix list and not the
private domains. This makes existing exceptions for s3.amazonaws.com and
googleapis.com obsolete. Thanks to Gervase Markham from mozilla.org.
base for other systems. It allows the creation of users, which can
be authenticated by username, password, and optionally a YubiKey
OTP.
Aside from providing a user authentication backend, YubiAuth allows
storing and retrieving arbitrary key-value attributes for each user
as well as each YubiKey.
* Fix udev rules so they contain four digits.
* Only try to detach the kernel driver if it's attached. For libusb-1.0
* Let import config report errors properly.
NEO. There is a command line tool "ykneomgr" for interactive use.
It supports querying the YubiKey NEO for firmware version, operation
mode (OTP/CCID) and serial number. You may also mode switch the
device and manage applets (list, delete and install).
PolarSSL ChangeLog
= Version 1.2.12 released 2014-10-24
Security
* Remotely-triggerable memory leak when parsing some X.509 certificates
(server is not affected if it doesn't ask for a client certificate).
(Found using Codenomicon Defensics.)
Bugfix
* Fix potential bad read in parsing ServerHello (found by Adrien
Vialletelle).
* ssl_close_notify() could send more than one message in some circumstances
with non-blocking I/O.
* x509_crt_parse() did not increase total_failed on PEM error
* Fix compiler warnings on iOS (found by Sander Niemeijer).
* Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
* Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
* ssl_read() could return non-application data records on server while
renegotiation was pending, and on client when a HelloRequest was received.
* Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
Changes
* X.509 certificates with more than one AttributeTypeAndValue per
RelativeDistinguishedName are not accepted any more.
* ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than
POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.
* Accept spaces at end of line or end of buffer in base64_decode().
* Add yk_get_key_vid_pid() to get the vendor and product id of a key.
* Add flags for ykinfo to print vendor and product id.
* Fix a bug in the osx backend where it would return an error opening
a composite device with two hid interfaces.
* Fix a bug with the 'urllist' parameter where urls would be forgotten.
* Manpages converted to asciidoc.
Version 2.16 (released 2014-06-10)
* Fix a crashbug with the new parameter 'urllist'
Version 2.15 (released 2014-04-30)
* Added new parameter 'urllist'
* Added pam_yubico(8) man page.
* Fix memory leak.
* Bump yubico-c-client version requirement to 2.12.
Version 5.07, 2014.11.01, urgency: MEDIUM:
* New features
- Several SMTP server protocol negotiation improvements.
- Added UTF-8 byte order marks to stunnel.conf templates.
- DH parameters are no longer generated by "make cert".
The hardcoded DH parameters are sufficiently secure,
and modern TLS implementations will use ECDH anyway.
- Updated manual for the "options" configuration file option.
- Added support for systemd 209 or later.
- New --disable-systemd ./configure option.
- setuid/setgid commented out in stunnel.conf-sample.
* Bugfixes
- Added support for UTF-8 byte order mark in stunnel.conf.
- Compilation fix for OpenSSL with disabled SSLv2 or SSLv3.
- Non-blocking mode set on inetd and systemd descriptors.
- shfolder.h replaced with shlobj.h for compatibility
with modern Microsoft compilers.
Version 5.06, 2014.10.15, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1j.
https://www.openssl.org/news/secadv_20141015.txt
- The insecure SSLv2 protocol is now disabled by default.
It can be enabled with "options = -NO_SSLv2".
- The insecure SSLv3 protocol is now disabled by default.
It can be enabled with "options = -NO_SSLv3".
- Default sslVersion changed to "all" (also in FIPS mode)
to autonegotiate the highest supported TLS version.
* New features
- Added missing SSL options to match OpenSSL 1.0.1j.
- New "-options" commandline option to display the list
of supported SSL options.
* Bugfixes
- Fixed FORK threading build regression bug.
- Fixed missing periodic Win32 GUI log updates.
Version 5.05, 2014.10.10, urgency: MEDIUM:
* New features
- Asynchronous communication with the GUI thread for faster
logging on Win32.
- systemd socket activation (thx to Mark Theunissen).
- The parameter of "options" can now be prefixed with "-"
to clear an SSL option, for example:
"options = -LEGACY_SERVER_CONNECT".
- Improved "transparent = destination" manual page (thx to
Vadim Penzin).
* Bugfixes
- Fixed POLLIN|POLLHUP condition handling error resulting
in prematurely closed (truncated) connection.
- Fixed a null pointer dereference regression bug in the
"transparent = destination" functionality (thx to
Vadim Penzin). This bug was introduced in stunnel 5.00.
- Fixed startup thread synchronization with Win32 GUI.
- Fixed erroneously closed stdin/stdout/stderr if specified
as the -fd commandline option parameter.
- A number of minor Win32 GUI bugfixes and improvements.
- Merged most of the Windows CE patches (thx to Pierre Delaage).
- Fixed incorrect CreateService() error message on Win32.
- Implemented a workaround for defective Cygwin file
descriptor passing breaking the libwrap support:
http://wiki.osdev.org/Cygwin_Issues#Passing_file_descriptors
Version 5.04, 2014.09.21, urgency: LOW:
* New features
- Support for local mode ("exec" option) on Win32.
- Support for UTF-8 config file and log file.
- Win32 UTF-16 build (thx to Pierre Delaage for support).
- Support for Unicode file names on Win32.
- A more explicit service description provided for the
Windows SCM (thx to Pierre Delaage).
- TCP/IP dependency added for NT service in order to prevent
initialization failure at boot time.
- FIPS canister updated to version 2.0.8 in the Win32 binary
build.
* Bugfixes
- load_icon_default() modified to return copies of default icons
instead of the original resources to prevent the resources
from being destroyed.
- Partially merged Windows CE patches (thx to Pierre Delaage).
- Fixed typos in stunnel.init.in and vc.mak.
- Fixed incorrect memory allocation statistics update in
str_realloc().
- Missing REMOTE_PORT environmental variable is provided to
processes spawned with "exec" on Unix platforms.
- Taskbar icon is no longer disabled for NT service.
- Fixed taskbar icon initialization when commandline options are
specified.
- Reportedly more compatible values used for the dwDesiredAccess
parameter of the CreateFile() function (thx to Pierre Delaage).
- A number of minor Win32 GUI bugfixes and improvements.
Secret Sharing Scheme, into the packages collection.
In simple terms, this package provides a library for implementing the
sharing of secrets and two tools for simple use-cases of the
algorithm. The library implements what is known as Shamir's method
for secret sharing in the Galois Field 2^8. In slightly simpler words,
this is N-of-M secret-sharing byte-by-byte. Essentially this allows
us to split a secret S into any M shares S1..SM such that any N of
those shares can be used to reconstruct S but any less than N shares
yields no information whatsoever.
there's no need to byte-swap values read from a local file.
This would cause some IXFRs to mysteriously and consistently fail
until manual intervention is done, because the wrong (byte-swapped)
SOA serial# was being stuffed into the IXFR requests.
Ref. https://issues.opendnssec.org/browse/SUPPORT-147.
Also fix the rc.d script to not insist that the components must be
running to allow "stop" to proceed, so that "restart" or "stop" can
be done if one or both of the processes have exited or crashed.
Bump PKGREVISION.
library wind-down function is both called on dlclose() and exit().
Should avoid segfault when trying to call the atexit function after
dlclose() which unmaps the library. Fixes PR pkg/49333, thanks to
joerg@ for the suggested fix.
Also, the IRIX and NetBSD tool name to get at nawk is just "awk",
flagged by pkglint.
Bump PKGREVISION.
Upstream changes:
5.93 Sun Oct 26 06:00:48 MST 2014
- corrected alignment problem in SHA struct (src/sha.h)
-- thanks to H. Merijn Brand and J. Hietaniemi for
analysis and suggested patch
- provided workaround in t/methods.t for unreliable -T test
-- Some Perl 5.8's mistake text for binary
2.002 2014/10/21
- fix check for (invalid) IPv4 when validating hostname against certificate. Do
not use inet_aton any longer because it can cause DNS lookups for malformed
IP. RT#99448, thanks to justincase[AT]yopmail[DOT]com.
- Update PublicSuffix with latest version from publicsuffix.org - lots of new
top level domains.
- Add exception to PublicSuffix for s3.amazonaws.com - RT#99702, thanks to
cpan[AT]cpanel[DOT]net.
2.001 2014/10/21
- Add SSL_OP_SINGLE_(DH|ECDH)_USE to default options to increase PFS security.
Thanks to Heikki Vatiainen for suggesting.
- Update external tests with currently expected fingerprints of hosts.
- Some fixes to make it still work on 5.8.1.
Changelog:
spiped-1.4.2
* Fix crash on platforms which support AESNI (i386, amd64) but do not
automatically provide 16-byte alignment to large memory allocations
(glibc, possibly others).
0.6.1 - 2014-10-15
~~~~~~~~~~~~~~~~~~
* Updated Windows wheels to be compiled against OpenSSL 1.0.1j.
* Fixed an issue where OpenSSL 1.0.1j changed the errors returned by some
functions.
* Added our license file to the ``cryptography-vectors`` package.
* Implemented DSA hash truncation support (per FIPS 186-3) in the OpenSSL
backend. This works around an issue in 1.0.0, 1.0.0a, and 1.0.0b where
truncation was not implemented.
Noteworthy changes in version 1.17 (2014-10-15) [C13/A13/R0]
-----------------------------------------------
* New error codes for TLS protocol libraries.
* New configure option --enable-build-timestamp.
* New man page for gpg-error-config.
2.000 2014/10/15
- consider SSL3.0 as broken because of POODLE and disable it by default.
- Skip live tests without asking if environment NO_NETWORK_TESTING is set.
Thanks to ntyni[AT]debian[DOT]org for suggestion.
- skip tests which require fork on non-default windows setups without proper
fork. Thanks to SHAY for https://github.com/noxxi/p5-io-socket-ssl/pull/18
Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
*) SRTP Memory Leak.
A flaw in the DTLS SRTP extension parsing code allows an attacker, who
sends a carefully crafted handshake message, to cause OpenSSL to fail
to free up to 64k of memory causing a memory leak. This could be
exploited in a Denial Of Service attack. This issue affects OpenSSL
1.0.1 server implementations for both SSL/TLS and DTLS regardless of
whether SRTP is used or configured. Implementations of OpenSSL that
have been compiled with OPENSSL_NO_SRTP defined are not affected.
The fix was developed by the OpenSSL team.
(CVE-2014-3513)
[OpenSSL team]
*) Session Ticket Memory Leak.
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service
attack.
(CVE-2014-3567)
[Steve Henson]
*) Build option no-ssl3 is incomplete.
When OpenSSL is configured with "no-ssl3" as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.
(CVE-2014-3568)
[Akamai and the OpenSSL team]
*) Add support for TLS_FALLBACK_SCSV.
Client applications doing fallback retries should call
SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
(CVE-2014-3566)
[Adam Langley, Bodo Moeller]
*) Add additional DigestInfo checks.
Reencode DigestInfo in DER and check against the original when
verifying RSA signature: this will reject any improperly encoded
DigestInfo structures.
Note: this is a precautionary measure and no attacks are currently known.
[Steve Henson]
1.999 2014/10/09
- make sure we don't use version 0.30 of IO::Socket::IP
- make sure that PeerHost is checked on all places where PeerAddr is
checked, because these are synonyms and IO::Socket::IP prefers PeerHost
while others prefer PeerAddr. Also accept PeerService additionally to
PeerPort.
See https://github.com/noxxi/p5-io-socket-ssl/issues/16 for details.
- add ability to use client certificates and to overwrite hostname with
util/analyze-ssl.pl.
** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle
strings with embedded spaces and escaped commas.
** libgnutls: Corrected gnutls_x509_crl_verify() which would always report
a CRL signature as invalid.
** libgnutls: Fixed issue with certificates being sanitized by gnutls prior
to signature verification. That resulted in certain non-DER compliant modifications
of valid certificates, being corrected by libtasn1's parser and restructured as
the original.
- Added sanity checks in the decoding of time when
ASN1_DECODE_FLAG_STRICT_DER is used.
- Fixes in the decoding of OCTET STRING when close to the end
of the structure.
Changes include:
- More fixes to build in Windows with zlib (mingw and msvc).
- Build .cmxs with C bindings (Closes: #1303)
- Use advapi32 on Windows (Close: #1055)
- Allow to define --zlib-include and --zlib-libdir if zlib is not installed in
the standard location.
- Added SHA-3 hash function.
Changes:
* Add support for TLS1.1 and TLS1.2 (thanks Thomas Calderon).
* Add function to initialize Diffie-Hellman and elliptic curve parameters
(thanks Thomas Calderon and Edwin Török).
* Add set_client_SNI_hostname to specify client-side SNI hostname (thanks
Mauricio Fernandez).
* Fix double leave of blocking section in ocaml_ssl_accept (thanks Edwin Török).
* Check for errors in SSL_connect/SSL_accept (thanks Jérôme Vouillon).
* Clear the error queue before calling SSL_read and similar functions;
SSL_get_error does not work reliably otherwise (thanks Jérôme Vouillon).
* Allow static linking on Mingw64 (thanks schadinger).
0.6 - 2014-09-29
~~~~~~~~~~~~~~~~
* Added
:func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key` to
ease loading private keys, and
:func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key` to
support loading public keys.
* Removed the, deprecated in 0.4, support for the ``salt_length`` argument to
the :class:`~cryptography.hazmat.primitives.asymmetric.padding.MGF1`
constructor. The ``salt_length`` should be passed to
:class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` instead.
* Fix compilation on OS X Yosemite.
* Deprecated ``elliptic_curve_private_key_from_numbers`` and
``elliptic_curve_public_key_from_numbers`` in favor of
``load_elliptic_curve_private_numbers`` and
``load_elliptic_curve_public_numbers`` on
:class:`~cryptography.hazmat.backends.interfaces.EllipticCurveBackend`.
* Added
:class:`~cryptography.hazmat.primitives.interfaces.EllipticCurvePrivateKeyWithNumbers`
and
:class:`~cryptography.hazmat.primitives.interfaces.EllipticCurvePublicKeyWithNumbers`
support.
* Work around three GCM related bugs in CommonCrypto and OpenSSL.
* On the CommonCrypto backend adding AAD but not subsequently calling update
would return null tag bytes.
* On the CommonCrypto backend a call to update without an empty add AAD call
would return null ciphertext bytes.
* On the OpenSSL backend with certain versions adding AAD only would give
invalid tag bytes.
* Support loading EC private keys from PEM.
While here, add rpath to pkgconfig file.
* Version 1.0.0
- The API and ABI are now stable. New features will be added, but
backward-compatibility is guaranteed through all the 1.x.y releases.
- crypto_sign() properly works with overlapping regions again. Thanks
to @pysiak for reporting this regression introduced in version 0.6.1.
- The test suite has been extended.
* Version 0.7.1 (1.0 RC2)
- This is the second release candidate of Sodium 1.0. Minor
compilation, readability and portability changes have been made and the
test suite was improved, but the API is the same as the previous release
candidate.
* Version 0.7.0 (1.0 RC1)
- Allocating memory to store sensitive data can now be done using
sodium_malloc() and sodium_allocarray(). These functions add guard
pages around the protected data to make it less likely to be
accessible in a heartbleed-like scenario. In addition, the protection
for memory regions allocated that way can be changed using
sodium_mprotect_noaccess(), sodium_mprotect_readonly() and
sodium_mprotect_readwrite().
- ed25519 keys can be converted to curve25519 keys with
crypto_sign_ed25519_pk_to_curve25519() and
crypto_sign_ed25519_sk_to_curve25519(). This allows using the same
keys for signature and encryption.
- The seed and the public key can be extracted from an ed25519 key
using crypto_sign_ed25519_sk_to_seed() and crypto_sign_ed25519_sk_to_pk().
- aes256 was removed. A timing-attack resistant implementation might
be added later, but not before version 1.0 is tagged.
- The crypto_pwhash_scryptxsalsa208sha256_* compatibility layer was
removed. Use crypto_pwhash_scryptsalsa208sha256_*.
- The compatibility layer for implementation-specific functions was
removed.
- Compilation issues with Mingw64 on MSYS (not MSYS2) were fixed.
- crypto_pwhash_scryptsalsa208sha256_STRPREFIX was added: it contains
the prefix produced by crypto_pwhash_scryptsalsa208sha256_str()
* Version 0.6.1
- Important bug fix: when crypto_sign_open() was given a signed
message too short to even contain a signature, it was putting an
unlimited amount of zeros into the target buffer instead of
immediately returning -1. The bug was introduced in version 0.5.0.
- New API: crypto_sign_detached() and crypto_sign_verify_detached()
to produce and verify ed25519 signatures without having to duplicate
the message.
- New ./configure switch: --enable-minimal, to create a smaller
library, with only the functions required for the high-level API.
Mainly useful for the JavaScript target and embedded systems.
- All the symbols are now exported by the Emscripten build script.
- The pkg-config .pc file is now always installed even if the
pkg-config tool is not available during the installation.
* Version 0.6.0
- The ChaCha20 stream cipher has been added, as crypto_stream_chacha20_*
- The ChaCha20Poly1305 AEAD construction has been implemented, as
crypto_aead_chacha20poly1305_*
- The _easy API does not require any heap allocations any more and
does not have any overhead over the NaCl API. With the password
hashing function being an obvious exception, the library doesn't
allocate and will not allocate heap memory ever.
- crypto_box and crypto_secretbox have a new _detached API to store
the authentication tag and the encrypted message separately.
- crypto_pwhash_scryptxsalsa208sha256*() functions have been renamed
crypto_pwhash_scryptsalsa208sha256*().
- The low-level crypto_pwhash_scryptsalsa208sha256_ll() function
allows setting individual parameters of the scrypt function.
- New macros and functions for recommended crypto_pwhash_* parameters
have been added.
- Similarly to crypto_sign_seed_keypair(), crypto_box_seed_keypair()
has been introduced to deterministically generate a key pair from a seed.
- crypto_onetimeauth() now provides a streaming interface.
- crypto_stream_chacha20_xor_ic() and crypto_stream_salsa20_xor_ic()
have been added to use a non-zero initial block counter.
- On Windows, CryptGenRandom() was replaced by RtlGenRandom(), which
doesn't require the Crypt API.
- The high bit in curve25519 is masked instead of processing the key as
a 256-bit value.
- The curve25519 ref implementation was replaced by the latest ref10
implementation from Supercop.
- sodium_mlock() now prevents memory from being included in coredumps
on Linux 3.4+
* Version 0.5.0
- sodium_mlock()/sodium_munlock() have been introduced to lock pages
in memory before storing sensitive data, and to zero them before
unlocking them.
- High-level wrappers for crypto_box and crypto_secretbox
(crypto_box_easy and crypto_secretbox_easy) can be used to avoid
dealing with the specific memory layout regular functions depend on.
- crypto_pwhash_scryptsalsa208sha256* functions have been added
to derive a key from a password, and for password storage.
- Salsa20 and ed25519 implementations now support overlapping
inputs/keys/outputs (changes imported from supercop-20140505).
- New build scripts for Visual Studio, Emscripten, different Android
architectures and msys2 are available.
- The poly1305-53 implementation has been replaced with Floodyberry's
poly1305-donna32 and poly1305-donna64 implementations.
- sodium_hex2bin() has been added to complement sodium_bin2hex().
- On OpenBSD and Bitrig, arc4random() is used instead of reading
/dev/urandom.
- crypto_auth_hmac_sha512() has been implemented.
- sha256 and sha512 now have a streaming interface.
- hmacsha256, hmacsha512 and hmacsha512256 now support keys of
arbitrary length, and have a streaming interface.
- crypto_verify_64() has been implemented.
- first-class Visual Studio build system, thanks to @evoskuil
- CPU features are now detected at runtime.
24 September 2014
- make hotplug using libudev (default) more robust
- add ReiserFS file system support (for configuration files)
- add musl libC support (increase the thread stack)
- Some other minor improvements and bug corrections
Noteworthy changes in version 1.16 (2014-09-18) [C12/A12/R2]
-----------------------------------------------
* Support building for iOS.
* Fixed a prototype mismatch.
* Fix es_fclose for streams opened with "samethread".
* Use pkg-config to find curl, instead of libcurl.m4.
* ykclient: Added --cai parameter to specify GnuTLS-compatible CA Info.
* libykclient: Added ykclient_set_ca_info function.
Used when curl is linked with GnuTLS, used to set CA Info.
* libykclient: Added ykclient_set_url_bases function.
Uses a more reasonable/extensible URL string syntax. The old
ykclient_set_url_templates is hereby deprecated.
* Added shared library versioning script.
* Valgrind is used for selftests.
* Fix URLs for opensource.y.com -> developers.y.com move.
* Whitelist firmware version 3.3 and detect new PIDs.
Version 1.15.2 (released 2014-07-30)
* Whitelist firmware version 2.5
* Read key when importing configuration.
* Fix formatting error in information about what is written to key.
* Check return codes when doing NDEF writes.
* Signer Engine: Print secondary server address when logging notify reply
errors.
* Build: Fixed various OpenBSD compatibility issues.
* OPENDNSSEC-621: conf.xml: New options: <PidFile> for both enforcer and
signer, and <SocketFile> for the signer.
* New tool: ods-getconf: to retrieve a configuration value from conf.xml
given an expression.
Bugfixes:
* OPENDNSSEC-469: ods-ksmutil: 'zone add' command when zonelist.xml.backup
can't be written zone is still added to database, solved it by checking the
zonelist.xml.backup is writable before adding zones, and add error message
when add zone failed.
* OPENDNSSEC-617: Signer Engine: Fix DNS Input Adapter to not reject zone
the first time due to RFC 1982 serial arithmetic.
* OPENDNSSEC-619: memory leak when signer failed, solved it by add
ldns_rr_free(signature) in libhsm.c
* OPENDNSSEC-627: Signer Engine: Unable to update serial after restart
when the backup files has been removed.
* OPENDNSSEC-628: Signer Engine: Ignored notifies log level is changed
from debug to info.
* OPENDNSSEC-630: Signer Engine: Fix inbound zone transfer for root zone.
* libhsm: Fixed a few other memory leaks.
* simple-dnskey-mailer.sh: Fix syntax error.
Note: this commit is part of reorganizing some of the recently
imported R packages, which are being reimported into more appropriate
categories (and removed from math) as a result of a recent discussion
on tech-pkg and privately with wiz@. See the thread starting with:
http://mail-index.netbsd.org/tech-pkg/2014/09/05/msg013558.html
The digest package provides a function 'digest()' for the creation of
hash digests of arbitrary R objects (using the md5, sha-1, sha-256 and
crc32 algorithms) permitting easy comparison of R language objects, as
well as a function 'hmac()' to create hash-based message
authentication code.
Note: this commit is part of reorganizing some of the recently
imported R packages, which are being reimported into more appropriate
categories (and removed from math) as a result of a recent discussion
on tech-pkg and privately with wiz@. See the thread starting with:
http://mail-index.netbsd.org/tech-pkg/2014/09/05/msg013558.html
Quoted from http://jessekornblum.livejournal.com/295883.html:
"This is an important update, which corrects a bug in the signature
generation code. Any ssdeep hashes created with version 2.10 should be
recomputed. The signatures are not wrong per se though, they are just not
as good as they should be"
Noteworthy changes in version 1.15 (2014-09-11) [C12/A12/R1]
-----------------------------------------------
* This release fixes problems with the use of off_t and ssize_t by
the estream functions introduced with 1.14. Although this is
technically an ABI break on some platforms, we take this as a
simple bug fix for 1.14. The new functions are very unlikely in
use by any code and thus no breakage should happen. The 1.14
tarball will be removed from the archive.
* Add type gpgrt_off_t which is guaranteed to be 64 bit.
* Add type gpgrt_ssize_t to make use on Windows easier. On Unix
platforms this is an alias for ssize_t.
Noteworthy changes in version 1.14 (2014-09-08) [C12/A12/R0]
-----------------------------------------------
* Added gpgrt_lock_trylock.
* Added the estream library under the name gpgrt and a set of macros
to use them with their "es_" names.
* Interface changes relative to the 1.13 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GPG_ERR_KEY_DISABLED NEW.
gpgrt_init NEW macro.
gpgrt_check_version NEW.
gpgrt_lock_trylock NEW.
gpgrt_set_syscall_clamp NEW.
gpgrt_set_alloc_func NEW.
gpgrt_stream_t NEW.
gpgrt_cookie_io_functions_t NEW.
gpgrt_syshd_t NEW.
GPGRT_SYSHD_NONE NEW.
GPGRT_SYSHD_FD NEW.
GPGRT_SYSHD_SOCK NEW.
GPGRT_SYSHD_RVID NEW.
GPGRT_SYSHD_HANDLE NEW.
gpgrt_stdin NEW macro.
gpgrt_stdout NEW macro.
gpgrt_stderr NEW macro.
gpgrt_fopen NEW.
gpgrt_mopen NEW.
gpgrt_fopenmem NEW.
gpgrt_fopenmem_init NEW.
gpgrt_fdopen NEW.
gpgrt_fdopen_nc NEW.
gpgrt_sysopen NEW.
gpgrt_sysopen_nc NEW.
gpgrt_fpopen NEW.
gpgrt_fpopen_nc NEW.
gpgrt_freopen NEW.
gpgrt_fopencookie NEW.
gpgrt_fclose NEW.
gpgrt_fclose_snatch NEW.
gpgrt_onclose NEW.
gpgrt_fileno NEW.
gpgrt_fileno_unlocked NEW.
gpgrt_syshd NEW.
gpgrt_syshd_unlocked NEW.
gpgrt_flockfile NEW.
gpgrt_ftrylockfile NEW.
gpgrt_funlockfile NEW.
gpgrt_feof NEW.
gpgrt_feof_unlocked NEW.
gpgrt_ferror NEW.
gpgrt_ferror_unlocked NEW.
gpgrt_clearerr NEW.
gpgrt_clearerr_unlocked NEW.
gpgrt_fflush NEW.
gpgrt_fseek NEW.
gpgrt_fseeko NEW.
gpgrt_ftell NEW.
gpgrt_ftello NEW.
gpgrt_rewind NEW.
gpgrt_getc NEW macro.
gpgrt_getc_unlocked NEW macro.
gpgrt_fgetc NEW.
gpgrt_fputc NEW.
gpgrt_ungetc NEW.
gpgrt_read NEW.
gpgrt_write NEW.
gpgrt_write_sanitized NEW.
gpgrt_write_hexstring NEW.
gpgrt_fread NEW.
gpgrt_fwrite NEW.
gpgrt_fgets NEW.
gpgrt_putc NEW macro.
gpgrt_putc_unlocked NEW macro.
gpgrt_fputs NEW.
gpgrt_fputs_unlocked NEW.
gpgrt_getline NEW.
gpgrt_read_line NEW.
gpgrt_free NEW.
gpgrt_fprintf NEW.
gpgrt_fprintf_unlocked NEW.
gpgrt_printf NEW.
gpgrt_printf_unlocked NEW.
gpgrt_vfprintf NEW.
gpgrt_vfprintf_unlocked NEW.
gpgrt_setvbuf NEW.
gpgrt_setbuf NEW.
gpgrt_set_binary NEW.
gpgrt_tmpfile NEW.
gpgrt_opaque_set NEW.
gpgrt_opaque_get NEW.
gpgrt_fname_set NEW.
gpgrt_fname_get NEW.
gpgrt_asprintf NEW.
gpgrt_vasprintf NEW.
gpgrt_bsprintf NEW.
gpgrt_vbsprintf NEW.
gpgrt_snprintf NEW.
gpgrt_vsnprintf NEW.
1.998 2014/09/07
- make client authentication work at the server side when SNI is in use by
having CA path and other settings in all SSL contexts instead of only the main
one. Based on code from lundstrom[DOT]jerry[AT]gmail[DOT]com,
https://github.com/noxxi/p5-io-socket-ssl/pull/15
* Relaxed the license for many source files to cut-down BSD.
* Relaxed the license for John the Ripper as a whole from GPLv2 (exact
version) to GPLv2 or newer with optional OpenSSL and unRAR exceptions.
* Enhanced the support for DES-based tripcodes by making use of the
bitslice DES implementation and supporting OpenMP parallelization.
* Implemented bitmaps for fast initial comparison of computed hashes
against those loaded for cracking.
This provides a substantial performance improvement when cracking large
numbers of fast hashes.
* With 32-bit x86 builds and at least MMX enabled, the "two hashes at a
time" code for bcrypt is now enabled for GCC 4.2 and newer.
This is faster bcrypt cracking on some old and new computers running
32-bit operating systems or VMs for whatever reason.
* Revised the incremental mode to let the current character counts grow
for each character position independently, with the aim to improve
efficiency in terms of successful guesses per candidate passwords tested.
* Revised the pre-defined incremental modes, as well as external mode
filters that are used to generate .chr files.
* Added makechr, a script to (re-)generate .chr files.
* Enhanced the status reporting to include four distinct speed metrics
(g/s, p/s, c/s, and C/s).
* Added the "--fork=N" and "--node=MIN[-MAX]/TOTAL" options for trivial
parallel and distributed processing.
spiped-1.4.1
* Fix build on OS X, and improve strict POSIX compliance.
* Improved zeroing of sensitive cryptographic data.
spiped-1.4.0
* Add automatic detection of compiler support (at compile-time) and CPU
support (at run-time) for x86 "AES New Instructions"; and when available,
use these to improve cryptographic performance.
* Add support for -g option, which makes {spiped, spipe} require perfect
forward secrecy by dropping connections if the peer endpoint is detected to
be running using the -f option.
0.50 - 2014-03-14
- Version 0.49 implicitly required Moose; switch to a technique that
does not
- Modernize CHANGES
0.49 - 2014-03-13
- Restore context-sensitive (array/arrayref) behavior of multiple array
methods from 0.46.
- Fix MANIFEST/.gitignore inconsistency
0.48 - 2014-03-10
- Switch from --always-trust to --trust-model=always
0.47 - 2014-03-10
- No changes from 0.47_02
0.47_02 - 2014-02-14
- Remove a stray 'use Data::Dumper::Concise' added in 0.47_01
0.47_01 - 2014-01-27
- Switch from Any::Moose to Moo
- Accept "gpg (GnuPG/MacGPG2)" as a valid gpg version
- Typo fixes in documentation
1.997 2014/07/12
- thanks to return code 1 from Net::SSLeay::library_init if the library needed
initialization and 0 if not we can now clearly distinguish if initialization
was needed and do not need any work-arounds for perlcc by the user.
1.996 2014/07/12
- move initialization of OpenSSL-internals out of INIT again because this
breaks if module is used with require. Since there is no right place to
work in all circumstances just document the work-arounds needed for
perlcc. RT#97166
1.995 2014/07/11
- RT#95452 - move initialization and creation of OpenSSL-internals into INIT
section, so they get executed after compilation and perlcc is happy.
- refresh option for peer_certificate, so that it checks if the certificate
changed in the mean time (on renegotiation)
- fix fingerprint checking - now applies only to topmost certificate
- IO::Socket::SSL::Utils - accept extensions within CERT_create
- documentation fixes thanks to frioux
- fix documentation bug RT#96765, thanks to Salvatore Bonaccorso.
1.994 2014/06/22
- IO::Socket::SSL can now be used as dual-use socket, e.g. start plain, upgrade
to SSL and downgrade again all with the same object. See documentation of
SSL_startHandshake and chapter Advanced Usage.
- try to apply SSL_ca* even if verify_mode is 0, but don't complain if this
fails. This is needed if one wants to explicitly verify OCSP lookups even if
verification is otherwise off, because otherwise the signature check would
fail. This is mostly useful for testing.
- reorder documentation of attributes for new, so that the more important ones
are at the top.
1.993 2014/06/13
- major rewrite of documentation, now in separate file
- rework error handling to distinguish between SSL errors and internal errors
(like missing capabilities).
- fix handling of default_ca if given during the run of the program (Debian#750646)
- util/analyze-ssl.pl - fix hostname check if SNI does not work
1.66 2014-08-21
Fixed compile problem with perl prior to 5.8.8, similar to
RT#76267. Reported by Graham Knop.
Fixed a problem with Socket::IPPROTO_TCP on early perls.
After discussions with the community and the original author Sampo
Kellomaki, the license conditions have been changed to "Perl Artistic
License 2.0".
1.65 2014-07-14
Added note to doc to make it clear that X509_get_subjectAltNames returns a
packed binary IP address for type 7 - GEN_IPADD.
Improvements to SSL_OCSP_response_verify to compile under non c99
compilers. Requested by MERIJNB.
Port to Android, contributed by Brian Fraser. Includes Android specific
version of RSA_generate_key.
Added LibreSSL support, patch provided by Alexander Bluhm. Thanks!
Patch that fixes the support for SSL_set_info_callback and adds
SSL_CTX_set_info_callback and SSL_set_state. Support for these functions is
necessary to either detect renegotiation or to enforce
renegotiation. Contributed by Steffen Ullrich. Thanks!
Fixed a problem with SSL_set_state not available on some early OpenSSLs,
patched by Steffen Ullrich. Thanks!
Removed arbitrary size limits from calls to tcp_read_all in tcpcat() and
http_cat().
Removed unnecessary Debian_SPANTS.txt from MANIFEST. Again.
1.64 2014-06-11
Fixes for test ocsp.t. Test now does not fail if HTTP::Tiny is not
installed.
Fixed repository in META.yml.
Fixed a problem with SSL_get_peer_cert_chain: if the SSL handshake
results in an anonymous authentication, like ADH-DES-CBC3-SHA,
get_peer_cert_chain will not return an empty list, but instead return the
SSL object. Reported and fixed by Steffen
Ullrich. Thanks.
Fixed a problem where patch
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=3009244da47b989c4cc59ba02cf81a4e9d8f8431
caused a failed test in t/local/33_x509_create_cert.t.
0.28 2013-11-21
- Removed silly micro-optimization that was responsible for generating a
warning in Perl versions prior to 5.18.
0.27 2013-10-06
- Merged pull request from David Steinbrunner: specifying meta-spec
so metadata can be seen/used.
- Fixed t/05-kwalitee.t to work with latest revisions on Test::Kwalitee.
Noteworthy changes in version 1.5.1 (2014-07-30) [C24/A13/R0]
-------------------------------------------------------------
* Fixed possible overflow in gpgsm and uiserver engines.
[CVE-2014-3564]
* Added support for GnuPG 2.1's --with-secret option.
* Interface changes relative to the 1.5.0 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GPGME_KEYLIST_MODE_WITH_SECRET NEW.
Noteworthy changes in version 1.5.0 (2014-05-21) [C23/A12/R0]
-------------------------------------------------------------
* On Unices the engine file names are not anymore hardwired but
located via the envvar PATH. All options to set the name of the
engines for the configure run are removed.
* If GPGME finds the gpgconf binary it defaults to using gpg2 or
whatever gpgconf tells as name for the OpenPGP engine. If gpgconf
is not found, GPGME looks for an engine named "gpg".
* New feature to use the gpgme I/O subsystem to run arbitrary
commands.
* New flag to use encryption without the default compression step.
* New function to access "gpg-conf --list-dirs"
* New configure option --enable-fixed-path for use by Android.
* Support ECC algorithms.
* Interface changes relative to the 1.4.3 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gpgme_get_dirinfo NEW.
gpgme_op_spawn_start NEW.
gpgme_op_spawn NEW.
GPGME_PROTOCOL_SPAWN NEW.
GPGME_SPAWN_DETACHED NEW.
GPGME_SPAWN_ALLOW_SET_FG NEW.
GPGME_ENCRYPT_NO_COMPRESS NEW.
GPGME_PK_ECC NEW.
GPGME_MD_SHA224 NEW.
gpgme_subkey_t EXTENDED: New field curve.
GPGME_STATUS_PLAINTEXT_LENGTH NEW.
GPGME_STATUS_MOUNTPOINT NEW.
GPGME_STATUS_PINENTRY_LAUNCHED NEW.
GPGME_STATUS_ATTRIBUTE NEW.
GPGME_STATUS_BEGIN_SIGNING NEW.
GPGME_STATUS_KEY_NOT_CREATED NEW.
** libgnutls: initialize parameters variable on PKCS 8 decryption.
** libgnutls: Explicitly set the exponent in PKCS 11 key generation.
That improves compatibility with certain PKCS 11 modules. Contributed by
Wolfgang Meyer zu Bergsten.
** libgnutls: gnutls_pkcs12_verify_mac() will not fail in other than SHA1
algorithms.
** libgnutls: when checking the hostname of a certificate with multiple CNs
ensure that the "most specific" CN is being used.
** libgnutls: In DTLS ignore only errors that relate to unexpected packets
and decryption failures.
** API and ABI modifications:
No changes since last version.
0.5.4 - 2014-08-20
~~~~~~~~~~~~~~~~~~
* Added several functions to the OpenSSL bindings to support new
functionality in pyOpenSSL.
* Fixed a redefined constant causing compilation failure with Solaris 11.2.
Noteworthy changes in version 1.4.4 (2014-07-30) [C22/A11/R1]
-------------------------------------------------------------
Backported from 1.5.1:
* Fixed possible overflow in gpgsm and uiserver engines.
[CVE-2014-3564]
* Fixed possible segv in gpgme_op_card_edit.
* Fixed minor memleaks and possible zombie processes.
* Fixed prototype inconsistencies and void pointer arithmetic.
Noteworthy changes in version 1.4.3 (2013-08-12) [C22/A11/R0]
-------------------------------------------------------------
* The default engine names are now taken from the output of gpgconf.
If gpgconf is not found the use of gpg 1 is assumed.
* Under Windows the default engines names are first searched in the
installation directory of the gpgme DLL.
* New function gpgme_data_identify to detect the type of a message.
* Interface changes relative to the 1.4.2 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gpgme_signers_count NEW.
gpgme_data_type_t NEW.
gpgme_data_identify NEW.
Noteworthy changes in version 1.4.2 (2013-05-28)
------------------------------------------------
* Allow symmetric encryption with gpgme_op_encrypt_sign.
* Fixed mismatching off_t definitions on Windows.
* Interface changes relative to the 1.4.1 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gpgme_off_t NEW.
gpgme_size_t NEW.
GPGME_PROTOCOL_OPENPGP NEW alias.
Noteworthy changes in version 1.6.2 (2014-08-21) [C20/A0/R2]
------------------------------------------------
* Map deprecated RSA algo number to the RSA algo number for better
backward compatibility.
* Support a 0x40 compression prefix for EdDSA.
* Improve ARM hardware feature detection and building.
* Fix powerpc-apple-darwin detection
* Fix building for the x32 ABI platform.
* Support building using the latest mingw-w64 toolchain.
* Fix some possible NULL deref bugs.
& building with /usr/vac/bin/cc, add the necessary checks to Makefile
to use the correct profile depending on what CC/ABI is set to.
Patch from Sevan Janiyan in PR 49131, but moved a few lines to not
affect Darwin.
packaged for wip by zecrazytux.
Haskell package providing efficient cryptographic hash implementations
for strict and lazy bytestrings.
For now, CRC32 and Adler32 are supported; they are
implemented as FFI bindings to efficient code from zlib.
Noteworthy changes in version 2.0.26 (2014-08-12)
-------------------------------------------------
* gpg: Fix a regression in 2.0.24 if a subkey id is given
to --recv-keys et al.
* gpg: Cap attribute packets at 16MB.
* gpgsm: Auto-create the ".gnupg" home directory in the same
way gpg does.
* scdaemon: Allow for certificates > 1024 when using PC/SC.
NaCl (pronounced "salt") is a new easy-to-use high-speed software
library for network communication, encryption, decryption, signatures,
etc. NaCl's goal is to provide all of the core operations needed
to build higher-level cryptographic tools.
Of course, other libraries already exist for these core operations.
NaCl advances the state of the art by improving security, by improving
usability, and by improving speed.
Version 5.03, 2014.08.07, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1i.
See https://www.openssl.org/news/secadv_20140806.txt
* New features
- FIPS autoconfiguration cleanup.
- FIPS canister updated to version 2.0.6.
- Improved SNI diagnostic logging.
* Bugfixes
- Compilation fixes for old versions of OpenSSL.
- Fixed whitespace handling in the stunnel.init script.
Version 5.02, 2014.06.09, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1h.
See https://www.openssl.org/news/secadv_20140605.txt
* New features
- Major rewrite of the protocol.c interface: it is now possible to add
protocol negotiations at multiple connection phases, protocols can
individually decide whether the remote connection will be
established before or after SSL/TLS is negotiated.
- Heap memory blocks are wiped before release. This only works for
blocks allocated by stunnel, and not by OpenSSL or other libraries.
- The safe_memcmp() function implemented with execution time not
dependent on the compared data.
- Updated the stunnel.conf and stunnel.init templates.
- Added a client-mode example to the manual.
* Bugfixes
- Fixed "failover = rr" broken since version 5.00.
- Fixed "taskbar = no" broken since version 5.00.
- Compilation fix for missing SSL_OP_MSIE_SSLV2_RSA_PADDING option.
Changes between 1.0.1h and 1.0.1i [6 Aug 2014]
*) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
SRP code can overrun an internal buffer. Add sanity check that
g, A, B < N to SRP code.
Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
Group for discovering this issue.
(CVE-2014-3512)
[Steve Henson]
*) A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
TLS 1.0 instead of higher protocol versions when the ClientHello message
is badly fragmented. This allows a man-in-the-middle attacker to force a
downgrade to TLS 1.0 even if both the server and the client support a
higher protocol version, by modifying the client's TLS records.
Thanks to David Benjamin and Adam Langley (Google) for discovering and
researching this issue.
(CVE-2014-3511)
[David Benjamin]
*) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
to a denial of service attack. A malicious server can crash the client
with a null pointer dereference (read) by specifying an anonymous (EC)DH
ciphersuite and sending carefully crafted handshake messages.
Thanks to Felix Gröbert (Google) for discovering and researching this
issue.
(CVE-2014-3510)
[Emilia Käsper]
*) By sending carefully crafted DTLS packets an attacker could cause openssl
to leak memory. This can be exploited through a Denial of Service attack.
Thanks to Adam Langley for discovering and researching this issue.
(CVE-2014-3507)
[Adam Langley]
*) An attacker can force openssl to consume large amounts of memory whilst
processing DTLS handshake messages. This can be exploited through a
Denial of Service attack.
Thanks to Adam Langley for discovering and researching this issue.
(CVE-2014-3506)
[Adam Langley]
*) An attacker can force an error condition which causes openssl to crash
whilst processing DTLS packets due to memory being freed twice. This
can be exploited through a Denial of Service attack.
Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
this issue.
(CVE-2014-3505)
[Adam Langley]
*) If a multithreaded client connects to a malicious server using a resumed
session and the server sends an ec point format extension it could write
up to 255 bytes to freed memory.
Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
issue.
(CVE-2014-3509)
[Gabor Tyukasz]
*) A malicious server can crash an OpenSSL client with a null pointer
dereference (read) by specifying an SRP ciphersuite even though it was not
properly negotiated with the client. This can be exploited through a
Denial of Service attack.
Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
discovering and researching this issue.
(CVE-2014-5139)
[Steve Henson]
*) A flaw in OBJ_obj2txt may cause pretty printing functions such as
X509_name_oneline, X509_name_print_ex et al. to leak some information
from the stack. Applications may be affected if they echo pretty printing
output to the attacker.
Thanks to Ivan Fratric (Google) for discovering this issue.
(CVE-2014-3508)
[Emilia Käsper, and Steve Henson]
*) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
for corner cases. (Certain input points at infinity could lead to
bogus results, with non-infinity inputs mapped to infinity too.)
[Bodo Moeller]
---
4.0
---
* Removed ``keyring_path`` parameter from ``load_keyring``. See release notes
for 3.0.3 for more details.
* Issue #22: Removed support for loading the config from the current
directory. The config file must now be located in the platform-specific
config location.