mbed TLS (formerly known as PolarSSL) makes it trivially easy for
developers to include cryptographic and SSL/TLS capabilities in
their (embedded) products, facilitating this functionality with a
minimal coding footprint.
This contains major version 3 of the library, which is not backwards
compatible to version 2.
= Mbed TLS 2.28.1 branch released 2022-07-11
Default behavior changes
* mbedtls_cipher_set_iv will now fail with ChaCha20 and ChaCha20+Poly1305
for IV lengths other than 12. The library was silently overwriting this
length with 12, but did not inform the caller about it. Fixes#4301.
Features
* When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA crypto
feature requirements in the file named by the new macro
MBEDTLS_PSA_CRYPTO_CONFIG_FILE instead of the default psa/crypto_config.h.
Furthermore you may name an additional file to include after the main
file with the macro MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE.
Security
* Zeroize dynamically-allocated buffers used by the PSA Crypto key storage
module before freeing them. These buffers contain secret key material, and
could thus potentially leak the key through freed heap.
* Fix a potential heap buffer overread in TLS 1.2 server-side when
MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created with
mbedtls_pk_setup_opaque()) is provisioned, and a static ECDH ciphersuite
is selected. This may result in an application crash or potentially an
information leak.
* Fix a buffer overread in DTLS ClientHello parsing in servers with
MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled. An unauthenticated client
or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
after the end of the SSL input buffer. The buffer overread only happens
when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
the exact configuration: 258 bytes if using mbedtls_ssl_cookie_check(),
and possibly up to 571 bytes with a custom cookie check function.
Reported by the Cybeats PSI Team.
Bugfix
* Fix a memory leak if mbedtls_ssl_config_defaults() is called twice.
* Fix several bugs (warnings, compiler and linker errors, test failures)
in reduced configurations when MBEDTLS_USE_PSA_CRYPTO is enabled.
* Fix a bug in (D)TLS curve negotiation: when MBEDTLS_USE_PSA_CRYPTO was
enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the
client would fail to check that the curve selected by the server for
ECDHE was indeed one that was offered. As a result, the client would
accept any curve that it supported, even if that curve was not allowed
according to its configuration. Fixes#5291.
* Fix unit tests that used 0 as the file UID. This failed on some
implementations of PSA ITS. Fixes#3838.
* Fix API violation in mbedtls_md_process() test by adding a call to
mbedtls_md_starts(). Fixes#2227.
* Fix compile errors when MBEDTLS_HAVE_TIME is not defined. Add tests
to catch bad uses of time.h.
* Fix the library search path when building a shared library with CMake
on Windows.
* Fix bug in the alert sending function mbedtls_ssl_send_alert_message()
potentially leading to corrupted alert messages being sent in case
the function needs to be re-called after initially returning
MBEDTLS_SSL_WANT_WRITE. Fixes#1916.
* In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled but none of
MBEDTLS_SSL_HW_RECORD_ACCEL, MBEDTLS_SSL_EXPORT_KEYS or MBEDTLS_DEBUG_C,
DTLS handshakes using CID would crash due to a null pointer dereference.
Fix this. Fixes#3998.
* Fix incorrect documentation of mbedtls_x509_crt_profile. The previous
documentation stated that the `allowed_pks` field applies to signatures
only, but in fact it does apply to the public key type of the end entity
certificate, too. Fixes#1992.
* Fix PSA cipher multipart operations using ARC4. Previously, an IV was
required but discarded. Now, an IV is rejected, as it should be.
* Fix undefined behavior in mbedtls_asn1_find_named_data(), where val is
not NULL and val_len is zero.
* psa_raw_key_agreement() now returns PSA_ERROR_BUFFER_TOO_SMALL when
applicable. Fixes#5735.
* Fix a bug in the x25519 example program where the removal of
MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run. Fixes#4901 and
#3191.
* Encode X.509 dates before 1/1/2000 as UTCTime rather than
GeneralizedTime. Fixes#5465.
* Fix order value of curve x448.
* Fix string representation of DNs when outputting values containing commas
and other special characters, conforming to RFC 1779. Fixes#769.
* Silence a warning from GCC 12 in the selftest program. Fixes#5974.
* Fix mbedtls_asn1_write_mpi() writing an incorrect encoding of 0.
* Fix resource leaks in mbedtls_pk_parse_public_key() in low
memory conditions.
* Fix server connection identifier setting for outgoing encrypted records
on DTLS 1.2 session resumption. After DTLS 1.2 session resumption with
connection identifier, the Mbed TLS client now properly sends the server
connection identifier in encrypted record headers. Fix#5872.
* Fix a null pointer dereference when performing some operations on zero
represented with 0 limbs (specifically mbedtls_mpi_mod_int() dividing
by 2, and mbedtls_mpi_write_string() in base 2).
* Fix record sizes larger than 16384 being sometimes accepted despite being
non-compliant. This could not lead to a buffer overflow. In particular,
application data size was already checked correctly.
Changes
* Assume source files are in UTF-8 when using MSVC with CMake.
= mbed TLS 2.28.0 branch released 2021-12-17
API changes
* Some fields of mbedtls_ssl_session and mbedtls_ssl_config are in a
different order. This only affects applications that define such
structures directly or serialize them.
Requirement changes
* Sign-magnitude and one's complement representations for signed integers are
not supported. Two's complement is the only supported representation.
Removals
* Remove config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES,
which allowed SHA-1 in the default TLS configuration for certificate
signing. It was intended to facilitate the transition in environments
with SHA-1 certificates. SHA-1 is considered a weak message digest and
its use constitutes a security risk.
* Remove the partial support for running unit tests via Greentea on Mbed OS,
which had been unmaintained since 2018.
Features
* The identifier of the CID TLS extension can be configured by defining
MBEDTLS_TLS_EXT_CID at compile time.
* Warn if errors from certain functions are ignored. This is currently
supported on GCC-like compilers and on MSVC and can be configured through
the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled
(where supported) for critical functions where ignoring the return
value is almost always a bug. Enable the new configuration option
MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
is currently implemented in the AES, DES and md modules, and will be
extended to other modules in the future.
* Add missing PSA macros declared by PSA Crypto API 1.0.0:
PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL.
* Add new API mbedtls_ct_memcmp for constant time buffer comparison.
* Add PSA API definition for ARIA.
Security
* Zeroize several intermediate variables used to calculate the expected
value when verifying a MAC or AEAD tag. This hardens the library in
case the value leaks through a memory disclosure vulnerability. For
example, a memory disclosure vulnerability could have allowed a
man-in-the-middle to inject fake ciphertext into a DTLS connection.
* In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back
from the output buffer. This fixes a potential policy bypass or decryption
oracle vulnerability if the output buffer is in memory that is shared with
an untrusted application.
* Fix a double-free that happened after mbedtls_ssl_set_session() or
mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
(out of memory). After that, calling mbedtls_ssl_session_free()
and mbedtls_ssl_free() would cause an internal session buffer to
be free()'d twice.
Bugfix
* Stop using reserved identifiers as local variables. Fixes#4630.
* The GNU makefiles invoke python3 in preference to python except on Windows.
The check was accidentally not performed when cross-compiling for Windows
on Linux. Fix this. Fixes#4774.
* Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or
PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type.
* Fix a parameter set but unused in psa_crypto_cipher.c. Fixes#4935.
* Don't use the obsolete header path sys/fcntl.h in unit tests.
These header files cause compilation errors in musl.
Fixes#4969.
* Fix missing constraints on x86_64 and aarch64 assembly code
for bignum multiplication that broke some bignum operations with
(at least) Clang 12.
Fixes#4116, #4786, #4917, #4962.
* Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
* Failures of alternative implementations of AES or DES single-block
functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT,
MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored.
This does not concern the implementation provided with Mbed TLS,
where this function cannot fail, or full-module replacements with
MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
* Some failures of HMAC operations were ignored. These failures could only
happen with an alternative implementation of the underlying hash module.
* Fix the error returned by psa_generate_key() for a public key. Fixes#4551.
* Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
* Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length.
This algorithm now accepts only the same salt length for verification
that it produces when signing, as documented. Use the new algorithm
PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes#4946.
* The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved
for algorithm values that fully encode the hashing step, as per the PSA
Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and
PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers
all algorithms that can be used with psa_{sign,verify}_hash(), including
these two.
* Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
not to list other shared libraries they need.
* Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
exceeds 2^32. Fixes#4884.
* Fix an uninitialized variable warning in test_suite_ssl.function with GCC
version 11.
* Fix the build when no SHA2 module is included. Fixes#4930.
* Fix the build when only the bignum module is included. Fixes#4929.
* Fix a potential invalid pointer dereference and infinite loop bugs in
pkcs12 functions when the password is empty. Fix the documentation to
better describe the inputs to these functions and their possible values.
Fixes#5136.
* The key usage flags PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC
operations psa_mac_compute() and psa_mac_sign_setup().
* The key usage flags PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC
operations psa_mac_verify() and psa_mac_verify_setup().
Changes
* Set config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE to be
disabled by default.
* Improve the performance of base64 constant-flow code. The result is still
slower than the original non-constant-flow implementation, but much faster
than the previous constant-flow implementation. Fixes#4814.
* Indicate in the error returned if the nonce length used with
ChaCha20-Poly1305 is invalid, and not just unsupported.
* The mbedcrypto library includes a new source code module constant_time.c,
containing various functions meant to resist timing side channel attacks.
This module does not have a separate configuration option, and functions
from this module will be included in the build as required. Currently
most of the interface of this module is private and may change at any
time.
= mbed TLS 2.27.0 branch released 2021-07-07
API changes
* Update AEAD output size macros to bring them in line with the PSA Crypto
API version 1.0 spec. This version of the spec parameterizes them on the
key type used, as well as the key bit-size in the case of
PSA_AEAD_TAG_LENGTH.
The old versions of these macros were renamed and deprecated as follows:
- PSA_AEAD_TAG_LENGTH -> PSA_AEAD_TAG_LENGTH_1_ARG
- PSA_AEAD_ENCRYPT_OUTPUT_SIZE -> PSA_AEAD_ENCRYPT_OUTPUT_SIZE_2_ARG
- PSA_AEAD_DECRYPT_OUTPUT_SIZE -> PSA_AEAD_DECRYPT_OUTPUT_SIZE_2_ARG
- PSA_AEAD_UPDATE_OUTPUT_SIZE -> PSA_AEAD_UPDATE_OUTPUT_SIZE_2_ARG
- PSA_AEAD_FINISH_OUTPUT_SIZE -> PSA_AEAD_FINISH_OUTPUT_SIZE_1_ARG
- PSA_AEAD_VERIFY_OUTPUT_SIZE -> PSA_AEAD_VERIFY_OUTPUT_SIZE_1_ARG
* Implement one-shot cipher functions, psa_cipher_encrypt and
psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
specification.
Requirement changes
* The library now uses the %zu format specifier with the printf() family of
functions, so requires a toolchain that supports it. This change does not
affect the maintained LTS branches, so when contributing changes please
bear this in mind and do not add them to backported code.
Features
* Add mbedtls_rsa_rsassa_pss_sign_ext() function allowing to generate a
signature with a specific salt length. This function allows to validate
test cases provided in the NIST's CAVP test suite. Contributed by Cédric
Meuter in PR #3183.
* Added support for built-in driver keys through the PSA opaque crypto
driver interface. Refer to the documentation of
MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information.
* Implement psa_sign_message() and psa_verify_message().
* The new function mbedtls_mpi_random() generates a random value in a
given range uniformly.
* Implement psa_mac_compute() and psa_mac_verify() as defined in the
PSA Cryptograpy API 1.0.0 specification.
* MBEDTLS_ECP_MAX_BITS is now determined automatically from the configured
curves and no longer needs to be configured explicitly to save RAM.
Security
* Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
private keys and of blinding values for DHM and elliptic curves (ECP)
computations. Reported by FlorianF89 in #4245.
* Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
An adversary who is capable of very precise timing measurements could
learn partial information about the leading bits of the nonce used for the
signature, allowing the recovery of the private key after observing a
large number of signature operations. This completes a partial fix in
Mbed TLS 2.20.0.
* It was possible to configure MBEDTLS_ECP_MAX_BITS to a value that is
too small, leading to buffer overflows in ECC operations. Fail the build
in such a case.
* An adversary with access to precise enough information about memory
accesses (typically, an untrusted operating system attacking a secure
enclave) could recover an RSA private key after observing the victim
performing a single private-key operation. Found and reported by
Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG.
* An adversary with access to precise enough timing information (typically, a
co-located process) could recover a Curve25519 or Curve448 static ECDH key
after inputting a chosen public key and observing the victim performing the
corresponding private-key operation. Found and reported by Leila Batina,
Lukas Chmielewski, Björn Haase, Niels Samwel and Peter Schwabe.
Bugfix
* Add printf function attributes to mbedtls_debug_print_msg to ensure we
get printf format specifier warnings.
* Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
lead to seed file corruption in the case where the path to the seed file is
equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor
Krasnoshchok in #3616.
* PSA functions other than psa_open_key now return PSA_ERROR_INVALID_HANDLE
rather than PSA_ERROR_DOES_NOT_EXIST for an invalid handle, bringing them
in line with version 1.0.0 of the specification. Fix#4162.
* PSA functions creating a key now return PSA_ERROR_INVALID_ARGUMENT rather
than PSA_ERROR_INVALID_HANDLE when the identifier specified for the key
to create is not valid, bringing them in line with version 1.0.0 of the
specification. Fix#4271.
* Fix some cases in the bignum module where the library constructed an
unintended representation of the value 0 which was not processed
correctly by some bignum operations. This could happen when
mbedtls_mpi_read_string() was called on "-0", or when
mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of
the arguments being negative and the other being 0. Fixes#4643.
* Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
zero. Fixes#1792
* Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
defined. Fixes#4217.
* Fix an incorrect error code when parsing a PKCS#8 private key.
* In a TLS client, enforce the Diffie-Hellman minimum parameter size
set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
minimum size was rounded down to the nearest multiple of 8.
* In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are
defined to specific values. If the code is used in a context
where these are already defined, this can result in a compilation
error. Instead, assume that if they are defined, the values will
be adequate to build Mbed TLS.
* The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
was disabled. Fix the dependency. Fixes#4472.
* Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes#4499.
* With MBEDTLS_PSA_CRYPTO_C disabled, some functions were getting built
nonetheless, resulting in undefined reference errors when building a
shared library. Reported by Guillermo Garcia M. in #4411.
* Fix test suite code on platforms where int32_t is not int, such as
Arm Cortex-M. Fixes#4530.
* Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced
directive in a header and a missing initialization in the self-test.
* Fix a missing initialization in the Camellia self-test, affecting
MBEDTLS_CAMELLIA_ALT implementations.
* Restore the ability to configure PSA via Mbed TLS options to support RSA
key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME
is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
Fixes#4512.
* Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
(when the encrypt-then-MAC extension is not in use) with some ALT
implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
the affected side to wrongly reject valid messages. Fixes#4118.
* Remove outdated check-config.h check that prevented implementing the
timing module on Mbed OS. Fixes#4633.
* Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
about missing inputs.
* Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes#4465.
* Fix a resource leak in a test suite with an alternative AES
implementation. Fixes#4176.
* Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
could notably be triggered by setting the TLS debug level to 3 or above
and using a Montgomery curve for the key exchange. Reported by lhuang04
in #4578. Fixes#4608.
* psa_verify_hash() was relying on implementation-specific behavior of
mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
implementations. This reliance is now removed. Fixes#3990.
* Disallow inputs of length different from the corresponding hash when
signing or verifying with PSA_ALG_RSA_PSS (The PSA Crypto API mandates
that PSA_ALG_RSA_PSS uses the same hash throughout the algorithm.)
* Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug
could not be triggered by code that constructed A with one of the
mbedtls_mpi_read_xxx functions (including in particular TLS code) since
those always built an mpi object with at least one limb.
Credit to OSS-Fuzz. Fixes#4641.
* Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
effect on Mbed TLS's internal use of mbedtls_mpi_gcd(), but may affect
applications that call mbedtls_mpi_gcd() directly. Fixes#4642.
* The PSA API no longer allows the creation or destruction of keys with a
read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
can now only be used as intended, for keys that cannot be modified through
normal use of the API.
* When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
in all the right places. Include it from crypto_platform.h, which is
the natural place. Fixes#4649.
* mbedtls_pk_sign() and mbedtls_pk_verify() and their extended and
restartable variants now always honor the specified hash length if
nonzero. Before, for RSA, hash_len was ignored in favor of the length of
the specified hash algorithm.
* Fix which alert is sent in some cases to conform to the
applicable RFC: on an invalid Finished message value, an
invalid max_fragment_length extension, or an
unsupported extension used by the server.
* Correct (change from 12 to 13 bytes) the value of the macro describing the
maximum nonce length returned by psa_aead_generate_nonce().
Changes
* Add extra printf compiler warning flags to builds.
* Fix memsan build false positive in x509_crt.c with Clang 11
* Fix the setting of the read timeout in the DTLS sample programs.
* Remove the AES sample application programs/aes/aescrypt2 which shows
bad cryptographic practice. Fix#1906.
* Alternative implementations of CMAC may now opt to not support 3DES as a
CMAC block cipher, and still pass the CMAC self test.
* Remove configs/config-psa-crypto.h, which was identical to the default
configuration except for having some extra cryptographic mechanisms
enabled and for unintended differences. This configuration was primarily
intended to demonstrate the PSA API, and lost most of its usefulness when
MBEDTLS_PSA_CRYPTO_C became enabled by default.
* When building the test suites with GNU make, invoke python3 or python, not
python2, which is no longer supported upstream.
* When using session cache based session resumption on the server,
double-check that custom session cache implementations return
sessions which are consistent with the negotiated ciphersuite
and compression method.
* Fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on.
When that flag is on, standard GNU C printf format specifiers
should be used.
* Reduce the default value of MBEDTLS_ECP_WINDOW_SIZE. This reduces RAM usage
during ECC operations at a negligible performance cost.
* mbedtls_mpi_read_binary(), mbedtls_mpi_read_binary_le() and
mbedtls_mpi_read_string() now construct an mbedtls_mpi object with 0 limbs
when their input has length 0. Note that this is an implementation detail
and can change at any time, so this change should be transparent, but it
may result in mbedtls_mpi_write_binary() or mbedtls_mpi_write_string()
now writing an empty string where it previously wrote one or more
zero digits when operating from values constructed with an mpi_read
function and some mpi operations.
* Implicitly add PSA_KEY_USAGE_SIGN_MESSAGE key usage policy flag when
PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag
when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension
is also applied when loading a key from storage.
v1.6.0 (2022-08-10)
When writing gzip files, the timestamp and name of the original file is omitted (equivalent to using gzip --no-name (or -n) on the command line). This allows files to be written in a reproducible manner.
v63.4.3
Misc
* Update to pypa/distutils@b65aa40 including more robust support for library/include dir handling in msvccompiler (pypa/distutils-153) and test suite improvements.
This release introduces an new "XWAYLAND" extension: i
This extension exists to serve one purpose: reliably identifying
Xwayland. Previous attempts at doing so included querying root window
properties, output names or input device names. All these attempts are
somewhat unreliable. Instead, let's use an extension - where that
extension is present we have an Xwayland server.
Clients should never need to do anything but check whether the extension
exists through XQueryExtension/XListExtensions.
The DRI3 protocol was bumped to 1.3 and has a new DRI3SetDRMDeviceInUse request:
This request provides a hint to the server about the device
in use by this window. This is used to provide
DRI3GetSupportedModifiers with a hint of what device to
return modifiers for in the window_modifiers return value.
Using this hint allows for device-specific modifiers to
be returned by DRI3GetSupportedModifiers, for example
when an application is renderoffloaded and eligible for
direct scanout.
The remaining commits are the usual combination of housekeeping and
maintenance.
Alan Coopersmith (5):
DBE spec: define j in DBEGetVisualInfo reply encoding
DBE spec: make titles more consistent in Encoding section
gitlab CI: enable commit & merge request checks
gitlab CI: enable gitlab's builtin static analysis
Build xz tarballs instead of bzip2
Austin Shafer (1):
DRI3: Add DRI3SetDRMDeviceInUse
Jon Turney (1):
Win32: Fix collision over 'ControlMask'
Olivier Fourdan (1):
xorgproto 2022.2
Peter Hutterer (1):
Add the XWAYLAND extension
The package changed with the addition of its libepoll-shim dependency.
Otherwise, we can get:
ERROR: libepoll-shim>=0.0.20210418 is not installed; can't buildlink files.
1.4.4 (2022-06-14)
Fixes
* Compilation no longer fails against SQLite3 versions < 3.29.0. This issue
was introduced in v1.4.3. [#324] (Thank you, @r6e!)
1.4.3 (2022-05-25)
Enhancements
* Disable non-standard support for double-quoted string literals via the
:strict option. [#317] (Thank you, @casperisfine!)
* Column type names are now explicitly downcased on platforms where they may
have been in shoutcaps. [#315] (Thank you, @petergoldstein!)
* Support File or Pathname arguments to Database.new. [#283] (Thank you,
@yb66!)
* Support building on MSVC. [#285] (Thank you, @jmarrec!)
5.59.0 (2022-08-01)
* Set :allow_eager association option to false for instance specific
associations without eager loaders (jeremyevans)
* Add require_valid_schema plugin for checking that model classes have
schema parsed as expected (jeremyevans)
* Model classes created from aliased expressions and literal strings no
longer use the simple table optimization (jeremyevans)
* Model code that does not swallow connection errors will now also not
swallow disconnect errors (jeremyevans) (#1892)
* Add is_json and is_not_json methods to the pg_json_ops extension, for the
PostgreSQL 15+ IS [NOT] JSON operator (jeremyevans)
* Support :security_invoker view option on PostgreSQL 15+, for views where
access uses permissions of user instead of owner (jeremyevans)
* Support :nulls_distinct index option on PostgreSQL 15+, for NULLS [NOT]
DISTINCT (jeremyevans)
* Support sequel-postgres-pr driver in the postgres adapter (jeremyevans)
pkgsrc change: Update HOMEPAGE to GitHUb.
Here are quote from changes of two minor release, for full change, please
refer: <https://github.com/ged/ruby-pg/blob/master/History.rdoc>.
1.4.0 (2022-06-20)
Added:
* Add PG::Connection#hostaddr, present since PostgreSQL-12. #453
* Add PG::Connection.conninfo_parse to wrap PQconninfoParse. #453
Bugfixes:
* Try IPv6 and IPv4 addresses, if DNS resolves to both. #452
* Re-add block-call semantics to PG::Connection.new accidently removed in pg-1.3.0. #454
* Handle client error after all data consumed in #copy_data for output. #455
* Avoid spurious keyword argument warning on Ruby 2.7. #456
* Change connection setup to respect connect_timeout parameter. #459
* Fix indefinite hang in case of connection error on Windows #458
* Set connection attribute of PG::Error in various places where it was missing. #461
* Fix transaction leak on early break/return. #463
* Update Windows fat binary gem to OpenSSL-1.1.1o and PostgreSQL-14.4.
Enhancements:
* Don't flush at each put_copy_data call, but flush at get_result. #462
1.3.0 (2022-01-20)
Install Enhancements:
* Print some install help if libpq wasn't found. #396 This should help to
pick the necessary package without googling.
* Update Windows fat binary gem to OpenSSL-1.1.1m and PostgreSQL-14.1.
* Add binary Windows gems for Ruby 3.0 and 3.1.
* Make the library path of libpq available in ruby as
PG::POSTGRESQL_LIB_PATH and add it to the search paths on Windows similar
to rpath on Unix systems. #373
* Fall back to pkg-config if pg_config is not found. #380
* Add option to extconf.rb to disable nogvl-wrapping of libpq functions. All
methods (except PG::Connection.ping) are nonblocking now, so that GVL
unlock is in theory no longer necessary. However it can have some
advantage in concurrency, so that GVL unlock is still enabled by
default. Use:
gem inst pg – –disable-gvl-unlock
API Enhancements:
* Add full compatibility to Fiber.scheduler introduced in Ruby-3.0. #397
* Add support for pipeline mode of PostgreSQL-14. #401
* Allow specification of multiple hosts in PostgreSQL URI. #387
* Add new method conn.backend_key - used to implement our own cancel method.
Type cast enhancements:
* Add PG::BasicTypeMapForQueries::BinaryData for encoding of bytea columns. #348
* Reduce time to build coder maps and permit to reuse them for several type
maps per PG::BasicTypeRegistry::CoderMapsBundle.new(conn) . #376
* Make BasicTypeRegistry a class and use a global default instance of
it. Now a local type registry can be instanciated and given to the type
map, to avoid changing shared global states.
* Allow PG::BasicTypeMapForQueries to take a Proc as callback for undefined types.
Other Enhancements:
* Convert all PG classes implemented in C to TypedData objects. #349
* Support ObjectSpace.memsize_of(obj) on all classes implemented in C. #393
* Make all PG objects implemented in C memory moveable and therefore
GC.compact friendly. #349
* Update errorcodes and error classes to PostgreSQL-14.0.
* Add PG::CONNECTION_* constants for conn.status of newer PostgreSQL versions.
* Add better support for logical replication. #339
* Change conn.socket_io to read+write mode and to a BasicSocket object
instead of IO.
* Use rb_io_wait() and the conn.socket_io object if available for better
compatibility to Fiber.scheduler . Fall back to rb_wait_for_single_fd() on
ruby < 3.0.
* On Windows use a specialized wait function as a workaround for very poor
performance of rb_io_wait(). #416
Bugfixes:
* Release GVL while calling PQping which is a blocking method, but it didn't
release GVL so far.
* Fix Connection#transaction to no longer block on interrupts, for instance
when pressing Ctrl-C and cancel a running query. #390
* Avoid casting of OIDs to fix compat with Redshift database. #369
* Call conn.block before each conn.get_result call to avoid possible
blocking in case of a slow network and multiple query results.
* Sporadic Errno::ENOTSOCK when using conn.socket_io on Windows #398
Deprecated:
* Add deprecation warning to PG::BasicTypeRegistry.register_type and siblings.
Removed:
* Remove support of ruby-2.2, 2.3 and 2.4. Minimum is ruby-2.5 now.
* Remove support for PostgreSQL-9.2. Minimum is PostgreSQL-9.3 now.
* Remove constant PG::REVISION, which was broken since pg-1.1.4.
Repository:
* Replace Hoe by Bundler for gem packaging
* Add Github Actions CI and testing of source and binary gems.
No matter whether lintpkgsrc is built in batch mode, its PREFIX must
always be the actual prefix, not the hardcoded /usr/pkg, as there may
also be bulk builds with --prefix=/opt/pkg. Same for mk.conf.
Both gcc and binutils ship an ansidecl.h. Until now this hasn't been a
problem, but the recent binutils 2.39 update ships an ansidecl.h that removes
things like "PTR" which GCC depends on, and it seems as though the binutils
version is being chosen ahead of the in-tree GCC version so the build breaks.
Avoiding buildink3 ensures the headers aren't visible, and the builds are
now progressing further.
Previously, evaluating the conditions was a wild mixture of concepts
taken from bmake's cond.c, without attention to detail. For example, in
the condition 'exists(VAR:Mpattern)', the ':Mpattern' doesn't make any
sense, still lintpkgsrc parsed it as a modifier.
Instead of evaluating the ':M' modifier only in conditions, a better
idea is to have a general subroutine that expands an arbitrary strings,
taking care of all kinds of modifiers.
While the previous code was conceptually wrong, the number of practical
difference is small. Still, it's better to be precise and accurate,
there are enough places with bad heuristics in the rest of the
lintpkgsrc code.
Version 1.3.1
-------------
- Fixed segfault on macOS 12.5 in forked processes.
Note that, as a workaround, Activity Monitor will show the title of the
parent.
1.5.0
Added
- Add support for extension modules built for wasm32-unknown-emscripten with Pyodide.
Changed
- Locate cdylib artifacts by handling messages from cargo instead of searching target dir (fixes build on MSYS2).
- No longer guess cross-compile environment using `HOST_GNU_TYPE` / `BUILD_GNU_TYPE` sysconfig variables.
Fixed
- Fix RustBin build without wheel.
- Fix RustBin setuptools install
0.20.0 (2022-06-05)
- Added ipv4 digit lenghts validation
- Fixes error with international URLs that have more than 2 hyphens
0.19.0 (2022-05-04)
- Dropped py34 support
- Improve IPv6 validation
0.103.7 (2022-07-26)
ClamAV 0.103.7 is a critical patch release with the following fixes:
* Upgrade the vendored UnRAR library to version 6.1.7.
* Fix logical signature "Intermediates" feature.
* Relax constraints on slightly malformed zip archives that contain
overlapping file entries.
