All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Unfetchable distfiles (fetched conditionally?):
./security/cyrus-sasl/distinfo cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2
This is required to work around a crash in pam-p11 on NetBSD 9.0
Changes since last version in pkgsrc:
New in 0.4.10; 2019-04-03; Michał Trojnara
* Added EC signing through EVP API (Bryan Hunt)
* Added an empty EC private key required by OpenSSL 1.1.1 (Doug Engert)
* Stored additional certificate attributes (FdLSifu, Michał Trojnara)
* Engine allowed to use private keys without a PIN (Michał Trojnara)
* Lazy binding used as a workaround for buggy modules (Michał Trojnara)
* MinGW build fixes and documentation (Michał Trojnara)
* LibreSSL 2.8.3 build fixes (patchMonkey156)
* Error handling fixes (Michał Trojnara)
New in 0.4.9; 2018-09-03; Michał Trojnara
* Fixed EVP_PKEY ENGINE reference count with the EC EVP_PKEY_METHOD
(Michał Trojnara, Anderson Sasaki)
* Fixed a leak of RSA object in pkcs11_store_key() (lbonn)
* Added atfork checks for RSA and EC_KEY methods (Michał Trojnara)
New in 0.4.8; 2018-08-05; Michał Trojnara
* RSA key generation on the token (n3wtron)
* PSS signature support (Doug Engert, Michał Trojnara)
* RSA-OAEP and RSA-PKCS encryption support (Mouse, Michał Trojnara)
* Engine no longer set as default for all methods (Anderson Sasaki)
* Added PKCS11_remove_key and PKCS11_remove_certificate (n3wtron)
* Added PKCS11_find_next_token interface (Frank Morgner)
* Added support for OpenSSL 1.1.1 beta (Michał Trojnara)
* Removed support for OpenSSL 0.9.8 (Michał Trojnara)
* Case insensitive PKCS#11 URI scheme (Anderson Sasaki)
* Testing framework improvements (Anderson Sasaki)
* Coverity scanning and defect fixes (Frank Morgner)
* Backward compatibility for new error handling introduced
in libp11 0.4.7 (Michał Trojnara)
* Memory leak fixes (Frank Morgner, Doug Engert)
* Added an integer overflow protection (Eric Sesterhenn, Michał Trojnara)
* Several bugfixes (Michał Trojnara, Emmanuel Deloget, Anderson Sasaki)
New in 0.4.7; 2017-07-03; Michał Trojnara
* Added OpenSSL-style engine error reporting (Michał Trojnara)
* Added the FORCE_LOGIN engine ctrl command (Michał Trojnara)
* Implemented the QUIET engine ctrl command (Michał Trojnara)
* Modified CKU_CONTEXT_SPECIFIC PIN requests to be based
on the CKA_ALWAYS_AUTHENTICATE attribute rather than the
CKR_USER_NOT_LOGGED_IN error (Michał Trojnara)
* Fixed printing hex values (Michał Trojnara)
* Fixed build error with OPENSSL_NO_EC (Kai Kang)
New in 0.4.6; 2017-04-23; Michał Trojnara
* Updated ex_data on EVP_PKEYs after enumerating keys (Matt Hauck)
* Token/key labels added into PIN prompts (Matt Hauck)
New in 0.4.5; 2017-03-29; Michał Trojnara
* Prevented destroying existing keys/certs at login (Michał Trojnara)
* Fixed synchronization of PKCS#11 module calls (Matt Hauck)
* Added LibreSSL compatibility (Bernard Spil)
* Added SET_USER_INTERFACE and SET_CALLBACK_DATA engine ctrl commands
for certificate and CKU_CONTEXT_SPECIFIC PINs (Michał Trojnara)
* Fixed error handling in RSA key generation (Michał Trojnara)
Changes since libp11-0.2.8 from the NEWS file:
New in 0.4.4; 2017-01-26; Michal Trojnara
* Fixed a state reset caused by re-login on LOAD_CERT_CTRL engine ctrl;
fixes#141 (Michal Trojnara)
* "?" and "&" allowed as URI separators; fixes#142 (Michal Trojnara)
* engine: Unified private/public key and certificate enumeration
to be performed without login if possible (Michal Trojnara)
New in 0.4.3; 2016-12-04; Michal Trojnara
* Use UI to get CKU_CONTEXT_SPECIFIC PINs (Michal Trojnara)
* Added graceful handling of alien (non-PKCS#11) keys (Michal Trojnara)
* Added symbol versioning (Nikos Mavrogiannopoulos)
* Soname tied with with the OpenSSL soname (Nikos Mavrogiannopoulos)
* Added MSYS2, Cygwin, and MinGW/MSYS support (Pawel Witas)
* Workaround implemented for a deadlock in PKCS#11 modules that
internally use OpenSSL engines (Michal Trojnara, Pawel Witas)
* Fixed an EVP_PKEY reference count leak (David Woodhouse)
* Fixed OpenSSL 1.1.x crash in public RSA methods (Doug Engert,
Michal Trojnara)
* Fixed OpenSSL 1.1.x builds (Nikos Mavrogiannopoulos, Michal Trojnara)
* Fixed retrieving PIN values from certificate URIs (Andrei Korikov)
* Fixed symlink installation (Alon Bar-Lev)
New in 0.4.2; 2016-09-25; Michal Trojnara
* Fixed a 0.4.0 regression bug causing the engine finish function to
remove any configured engine parameters; fixes#104 (Michal Trojnara)
New in 0.4.1; 2016-09-17; Michal Trojnara
* Use enginesdir provided by libcrypto.pc if available (David Woodhouse)
* Certificate cache destroyed on login/logout (David Woodhouse)
* Fixed accessing certificates marked as CKA_PRIVATE (David Woodhouse)
* Directly included libp11 code into the engine (Matt Hauck)
* Fixed handling simultaneous make jobs (Derek Straka)
* Reverted an old hack that broke engine initialization (Michal Trojnara)
* Fixed loading of multiple keys due to unneeded re-logging (Matt Hauck)
* Makefile fixes and improvements (Nikos Mavrogiannopoulos)
* Fixed several certificate selection bugs (Michal Trojnara)
* The signed message digest is truncated if it is too long for the
signing curve (David von Oheimb)
* Workaround for broken PKCS#11 modules not returning CKA_EC_POINT
in the ASN1_OCTET_STRING format (Michal Trojnara)
* OpenSSL 1.1.0 build fixes (Michal Trojnara)
New in 0.4.0; 2016-03-28; Michal Trojnara
* Merged engine_pkcs11 (Michal Trojnara)
* Added ECDSA support for OpenSSL < 1.0.2 (Michal Trojnara)
* Added ECDH key derivation support (Doug Engert and Michal Trojnara)
* Added support for RSA_NO_PADDING RSA private key decryption, used
by OpenSSL for various features including OAEP (Michal Trojnara)
* Added support for the ANSI X9.31 (RSA_X931_PADDING) RSA padding
(Michal Trojnara)
* Added support for RSA encryption (not only signing) (Michal Trojnara)
* Added CKA_ALWAYS_AUTHENTICATE support (Michal Trojnara)
* Fixed double locking the global engine lock (Michal Trojnara)
* Fixed incorrect errors reported on signing/encryption/decryption
(Michal Trojnara)
* Fixed deadlocks in keys and certificates listing (Brian Hinz)
* Use PKCS11_MODULE_PATH environment variable (Doug Engert)
* Added support for building against OpenSSL 1.1.0-dev (Doug Engert)
* Returned EVP_PKEY objects are no longer "const" (Michal Trojnara)
* Fixed building against OpenSSL 0.9.8 (Michal Trojnara)
* Removed support for OpenSSL 0.9.7 (Michal Trojnara)
New in 0.3.1; 2016-01-22; Michal Trojnara
* Added PKCS11_is_logged_in to the API (Mikhail Denisenko)
* Added PKCS11_enumerate_public_keys to the API (Michal Trojnara)
* Fixed EVP_PKEY handling of public keys (Michal Trojnara)
* Added thread safety based on OpenSSL dynamic locks (Michal Trojnara)
* A private index is allocated for ex_data access (RSA and ECDSA classes)
instead of using the reserved index zero (app_data) (Michal Trojnara)
* Fixes in reinitialization after fork; addresses #39
(Michal Trojnara)
* Improved searching for dlopen() (Christoph Moench-Tegeder)
* MSVC build fixes (Michal Trojnara)
* Fixed memory leaks in pkcs11_get_evp_key_rsa() (Michal Trojnara)
New in 0.3.0; 2015-10-09; Nikos Mavrogiannopoulos
* Added small test suite based on softhsm (run on make check)
* Memory leak fixes (Christian Heimes)
* On module initialization tell the module to that the OS locking
primitives are OK to use (Mike Gerow)
* Transparently handle applications that fork. That is call C_Initialize()
and reopen any handles if a fork is detected.
* Eliminated any hard coded limits for certificate size (Doug Engert)
* Added support for ECDSA (Doug Engert)
* Allow RSA_NO_PADDING padding mode in PKCS11_private_encrypt
(Stephane Adenot)
* Eliminated several hard-coded limits in parameter sizes.
Problems found locating distfiles:
Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
Package libidea: missing distfile libidea-0.8.2b.tar.gz
Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
Package uvscan: missing distfile vlp4510e.tar.Z
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
Packaging changes:
- adapt to non-standardly-named github WRKSRC
- bootstrap automake (this is a git snapshot, not "make distribution"
output)
Upstream changes:
New in 0.2.8; 2011-04-15; Martin Paljak
* Bumped soname for PKCS11_token struct size changes (Martin Paljak).
* Display the number of available slots (Ludovic Rousseau).
* Add openssl libcrypto to pkg-config private libs list (Kalev Lember).
* Fix building examples with --no-add-needed which is the default in Fedora
(Kalev Lember).
* Expose more token flags in PKCS11_token structure (Kalev Lember).
* Check that private data is not NULL in pkcs11_release_slot (Robin Bryce,
ticket #137).
New in 0.2.7; 2009-10-20; Andreas Jellinghaus
* If CKR_CRYPTOKI_ALREADY_INITIALIZED is returned from C_Initialize(): ignore.
(Needed for unloaded/reloaded engines e.g. in wpa_supplicant.) By David Smith.
This changes the buildlink3.mk files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of
enter/exit marker, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.