Commit graph

7455 commits

Author SHA1 Message Date
wiz
4121303301 Update to 2.002:
2.002 2014/10/21
- fix check for (invalid) IPv4 when validating hostname against certificate. Do
  not use inet_aton any longer because it can cause DNS lookups for malformed
  IP. RT#99448, thanks to justincase[AT]yopmail[DOT]com.
- Update PublicSuffix with latest version from publicsuffix.org - lots of new
  top level domains.
- Add exception to PublicSuffix for s3.amazonaws.com - RT#99702, thanks to
  cpan[AT]cpanel[DOT]net.
2.001 2014/10/21
- Add SSL_OP_SINGLE_(DH|ECDH)_USE to default options to increase PFS security.
  Thanks to Heikki Vatiainen for suggesting.
- Update external tests with currently expected fingerprints of hosts.
- Some fixes to make it still work on 5.8.1.
2014-10-23 07:24:06 +00:00
wiedi
8697010eef Update spiped to 1.4.2
Changelog:
 spiped-1.4.2
 * Fix crash on platforms which support AESNI (i386, amd64) but do not
   automatically provide 16-byte alignment to large memory allocations
   (glibc, possibly others).
2014-10-21 17:05:54 +00:00
wiz
03080bec94 Update to 0.6.1:
0.6.1 - 2014-10-15
~~~~~~~~~~~~~~~~~~

* Updated Windows wheels to be compiled against OpenSSL 1.0.1j.
* Fixed an issue where OpenSSL 1.0.1j changed the errors returned by some
  functions.
* Added our license file to the ``cryptography-vectors`` package.
* Implemented DSA hash truncation support (per FIPS 186-3) in the OpenSSL
  backend. This works around an issue in 1.0.0, 1.0.0a, and 1.0.0b where
  truncation was not implemented.
2014-10-20 11:21:06 +00:00
jaapb
29bcb49ffc Added camlp4 dependency. 2014-10-20 11:10:56 +00:00
wiz
d3927e57be Update to 1.17:
Noteworthy changes in version 1.17 (2014-10-15) [C13/A13/R0]
-----------------------------------------------

 * New error codes for TLS protocol libraries.

 * New configure option --enable-build-timestamp.

 * New man page for gpg-error-config.
2014-10-20 10:13:16 +00:00
wiz
8f7ae2c4d8 Update to 2.000:
2.000 2014/10/15
- consider SSL3.0 as broken because of POODLE and disable it by default.
- Skip live tests without asking if environment NO_NETWORK_TESTING is set.
  Thanks to ntyni[AT]debian[DOT]org for suggestion.
- skip tests which require fork on non-default windows setups without proper
  fork. Thanks to SHAY for https://github.com/noxxi/p5-io-socket-ssl/pull/18
2014-10-20 08:58:14 +00:00
alnsn
bdc6025cdf Revbump after lang/lua51 update. 2014-10-19 22:27:43 +00:00
dholland
7b63447830 Don't hand-process $required_dirs and $required_files. This is provided
by the infrastructure. Tangentially related to PR 48555.
2014-10-16 04:51:08 +00:00
jperkin
0838186bb1 Add back manual page which somehow was removed yet got past install checks. 2014-10-15 19:55:53 +00:00
jperkin
5fbce38631 Update to openssl-1.0.1j.
Changes between 1.0.1i and 1.0.1j [15 Oct 2014]

  *) SRTP Memory Leak.

     A flaw in the DTLS SRTP extension parsing code allows an attacker, who
     sends a carefully crafted handshake message, to cause OpenSSL to fail
     to free up to 64k of memory causing a memory leak. This could be
     exploited in a Denial Of Service attack. This issue affects OpenSSL
     1.0.1 server implementations for both SSL/TLS and DTLS regardless of
     whether SRTP is used or configured. Implementations of OpenSSL that
     have been compiled with OPENSSL_NO_SRTP defined are not affected.

     The fix was developed by the OpenSSL team.
     (CVE-2014-3513)
     [OpenSSL team]

  *) Session Ticket Memory Leak.

     When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
     integrity of that ticket is first verified. In the event of a session
     ticket integrity check failing, OpenSSL will fail to free memory
     causing a memory leak. By sending a large number of invalid session
     tickets an attacker could exploit this issue in a Denial Of Service
     attack.
     (CVE-2014-3567)
     [Steve Henson]

  *) Build option no-ssl3 is incomplete.

     When OpenSSL is configured with "no-ssl3" as a build option, servers
     could accept and complete a SSL 3.0 handshake, and clients could be
     configured to send them.
     (CVE-2014-3568)
     [Akamai and the OpenSSL team]

  *) Add support for TLS_FALLBACK_SCSV.
     Client applications doing fallback retries should call
     SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
     (CVE-2014-3566)
     [Adam Langley, Bodo Moeller]

  *) Add additional DigestInfo checks.

     Reencode DigestInto in DER and check against the original when
     verifying RSA signature: this will reject any improperly encoded
     DigestInfo structures.

     Note: this is a precautionary measure and no attacks are currently known.

     [Steve Henson]
2014-10-15 19:04:40 +00:00
wiz
e4bd95945d Update to 1.1.10: locale improvements. 2014-10-12 14:48:20 +00:00
wiz
6d4ce84257 Update to 1.999:
1.999 2014/10/09
- make sure we don't use version 0.30 of IO::Socket::IP
- make sure that PeerHost is checked on all places where PeerAddr is
  checked, because these are synonyms and IO::Socket::IP prefers PeerHost
  while others prefer PeerAddr. Also accept PeerService additionally to
  PeerPort.
  See https://github.com/noxxi/p5-io-socket-ssl/issues/16 for details.
- add ability to use client certificates and to overwrite hostname with
  util/analyze-ssl.pl.
2014-10-12 14:37:15 +00:00
wiz
f68a3efa69 Remove unneeded patch. 2014-10-10 22:54:44 +00:00
adam
21a3135604 Changes 3.2.18:
** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle
strings with embedded spaces and escaped commas.

** libgnutls: Corrected gnutls_x509_crl_verify() which would always report
a CRL signature as invalid.

** libgnutls: Fixed issue with certificates being sanitized by gnutls prior
to signature verification. That resulted to certain non-DER compliant modifications
of valid certificates, being corrected by libtasn1's parser and restructured as
the original.
2014-10-10 11:40:15 +00:00
adam
fd4c956f99 Changes 4.2:
- Added sanity checks in the decoding of time when
  ASN1_DECODE_FLAG_STRICT_DER is used.
- Fixes in the decoding of OCTET STRING when close to the end
  of the structure.
2014-10-10 11:38:54 +00:00
jaapb
8a0210c406 Updated package to latest version 1.9. Package now uses ocaml.mk.
Changes include:
 - More fixes to build in Windows with zlib (mingw and msvc).
 - Build .cmxs with C bindings (Closes: #1303)
 - Use advapi32 on Windows (Close: #1055)
 - Allow to define --zlib-include and --zlib-libdir if zlib is not installed in
   the standard location.
 - Added SHA-3 hash function.
2014-10-09 22:28:12 +00:00
jaapb
70cc9c8a0d Updated package to latest version, 0.4.7. Package now uses ocaml.mk.
Changes:
* Add support for TLS1.1 and TLS1.2 (thanks Thomas Calderon).
* Add function to initialize Diffie-Hellman and elliptic curve parameters
  (thanks Thomas Calderon and Edwin Török).
* Add set_client_SNI_hostname to specify client-side SNI hostname (thanks
  Mauricio Fernandez).
* Fix double leave of blocking section in ocaml_ssl_accept (thanks Edwin Török).
* Check for errors in SSL_connect/SSL_accept (thanks Jérôme Vouillon).
* Clear the error queue before calling SSL_read and similar functions;
  SSL_get_error does not work reliably otherwise (thanks Jérôme Vouillon).
* Allow static linking on Mingw64 (thanks schadinger).
2014-10-09 21:06:57 +00:00
jaapb
1e2c6eff15 Revbump for ocaml 4.02.0.
(Some packages omitted because they will be updated to new versions)
2014-10-09 19:14:03 +00:00
wiz
cda18437be Remove pkgviews: don't set PKG_INSTALLATION_TYPES in Makefiles. 2014-10-09 14:05:50 +00:00
wiz
e8647fedbb Remove SVR4_PKGNAME, per discussion on tech-pkg. 2014-10-09 13:44:32 +00:00
taca
cca9af1e2d Add fix for CVE-2014-2653 from
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513.

Bump PKGREVISION.
2014-10-08 15:50:22 +00:00
adam
243c29c4cc Revbump after updating libwebp and icu 2014-10-07 16:47:10 +00:00
wiz
b6f4dd15f4 Update to 0.6:
0.6 - 2014-09-29
~~~~~~~~~~~~~~~~

* Added
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key` to
  ease loading private keys, and
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key` to
  support loading public keys.
* Removed the, deprecated in 0.4, support for the ``salt_length`` argument to
  the :class:`~cryptography.hazmat.primitives.asymmetric.padding.MGF1`
  constructor. The ``salt_length`` should be passed to
  :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` instead.
* Fix compilation on OS X Yosemite.
* Deprecated ``elliptic_curve_private_key_from_numbers`` and
  ``elliptic_curve_public_key_from_numbers`` in favor of
  ``load_elliptic_curve_private_numbers`` and
  ``load_elliptic_curve_public_numbers`` on
  :class:`~cryptography.hazmat.backends.interfaces.EllipticCurveBackend`.
* Added
  :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurvePrivateKeyWithNumbers`
  and
  :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurvePublicKeyWithNumbers`
  support.
* Work around three GCM related bugs in CommonCrypto and OpenSSL.

  * On the CommonCrypto backend adding AAD but not subsequently calling update
    would return null tag bytes.

  * One the CommonCrypto backend a call to update without an empty add AAD call
    would return null ciphertext bytes.

  * On the OpenSSL backend with certain versions adding AAD only would give
    invalid tag bytes.

* Support loading EC private keys from PEM.
2014-10-05 14:53:10 +00:00
wiz
cb128bb1e5 Update to 1.0.0, from maintainer csosstudy in PR 49251.
While here, add rpath to pkgconfig file.

* Version 1.0.0
 - The API and ABI are now stable. New features will be added, but
backward-compatibility is guaranteed through all the 1.x.y releases.
 - crypto_sign() properly works with overlapping regions again. Thanks
to @pysiak for reporting this regression introduced in version 0.6.1.
 - The test suite has been extended.

* Version 0.7.1 (1.0 RC2)
 - This is the second release candidate of Sodium 1.0. Minor
compilation, readability and portability changes have been made and the
test suite was improved, but the API is the same as the previous release
candidate.

* Version 0.7.0 (1.0 RC1)
 - Allocating memory to store sensitive data can now be done using
sodium_malloc() and sodium_allocarray(). These functions add guard
pages around the protected data to make it less likely to be
accessible in a heartbleed-like scenario. In addition, the protection
for memory regions allocated that way can be changed using
sodium_mprotect_noaccess(), sodium_mprotect_readonly() and
sodium_mprotect_readwrite().
 - ed25519 keys can be converted to curve25519 keys with
crypto_sign_ed25519_pk_to_curve25519() and
crypto_sign_ed25519_sk_to_curve25519(). This allows using the same
keys for signature and encryption.
 - The seed and the public key can be extracted from an ed25519 key
using crypto_sign_ed25519_sk_to_seed() and crypto_sign_ed25519_sk_to_pk().
 - aes256 was removed. A timing-attack resistant implementation might
be added later, but not before version 1.0 is tagged.
 - The crypto_pwhash_scryptxsalsa208sha256_* compatibility layer was
removed. Use crypto_pwhash_scryptsalsa208sha256_*.
 - The compatibility layer for implementation-specific functions was
removed.
 - Compilation issues with Mingw64 on MSYS (not MSYS2) were fixed.
 - crypto_pwhash_scryptsalsa208sha256_STRPREFIX was added: it contains
the prefix produced by crypto_pwhash_scryptsalsa208sha256_str()

* Version 0.6.1
 - Important bug fix: when crypto_sign_open() was given a signed
message too short to even contain a signature, it was putting an
unlimited amount of zeros into the target buffer instead of
immediately returning -1. The bug was introduced in version 0.5.0.
 - New API: crypto_sign_detached() and crypto_sign_verify_detached()
to produce and verify ed25519 signatures without having to duplicate
the message.
 - New ./configure switch: --enable-minimal, to create a smaller
library, with only the functions required for the high-level API.
Mainly useful for the JavaScript target and embedded systems.
 - All the symbols are now exported by the Emscripten build script.
 - The pkg-config .pc file is now always installed even if the
pkg-config tool is not available during the installation.

* Version 0.6.0
 - The ChaCha20 stream cipher has been added, as crypto_stream_chacha20_*
 - The ChaCha20Poly1305 AEAD construction has been implemented, as
crypto_aead_chacha20poly1305_*
 - The _easy API does not require any heap allocations any more and
does not have any overhead over the NaCl API. With the password
hashing function being an obvious exception, the library doesn't
allocate and will not allocate heap memory ever.
 - crypto_box and crypto_secretbox have a new _detached API to store
the authentication tag and the encrypted message separately.
 - crypto_pwhash_scryptxsalsa208sha256*() functions have been renamed
crypto_pwhash_scryptsalsa208sha256*().
 - The low-level crypto_pwhash_scryptsalsa208sha256_ll() function
allows setting individual parameters of the scrypt function.
 - New macros and functions for recommended crypto_pwhash_* parameters
have been added.
 - Similarly to crypto_sign_seed_keypair(), crypto_box_seed_keypair()
has been introduced to deterministically generate a key pair from a seed.
 - crypto_onetimeauth() now provides a streaming interface.
 - crypto_stream_chacha20_xor_ic() and crypto_stream_salsa20_xor_ic()
have been added to use a non-zero initial block counter.
 - On Windows, CryptGenRandom() was replaced by RtlGenRandom(), which
doesn't require the Crypt API.
 - The high bit in curve25519 is masked instead of processing the key as
a 256-bit value.
 - The curve25519 ref implementation was replaced by the latest ref10
implementation from Supercop.
 - sodium_mlock() now prevents memory from being included in coredumps
on Linux 3.4+

* Version 0.5.0
 - sodium_mlock()/sodium_munlock() have been introduced to lock pages
in memory before storing sensitive data, and to zero them before
unlocking them.
 - High-level wrappers for crypto_box and crypto_secretbox
(crypto_box_easy and crypto_secretbox_easy) can be used to avoid
dealing with the specific memory layout regular functions depend on.
 - crypto_pwhash_scryptsalsa208sha256* functions have been added
to derive a key from a password, and for password storage.
 - Salsa20 and ed25519 implementations now support overlapping
inputs/keys/outputs (changes imported from supercop-20140505).
 - New build scripts for Visual Studio, Emscripten, different Android
architectures and msys2 are available.
 - The poly1305-53 implementation has been replaced with Floodyberry's
poly1305-donna32 and poly1305-donna64 implementations.
 - sodium_hex2bin() has been added to complement sodium_bin2hex().
 - On OpenBSD and Bitrig, arc4random() is used instead of reading
/dev/urandom.
 - crypto_auth_hmac_sha512() has been implemented.
 - sha256 and sha512 now have a streaming interface.
 - hmacsha256, hmacsha512 and hmacsha512256 now support keys of
arbitrary length, and have a streaming interface.
 - crypto_verify_64() has been implemented.
 - first-class Visual Studio build system, thanks to @evoskuil
 - CPU features are now detected at runtime.
2014-10-04 12:59:02 +00:00
wiz
af2c45de2a Add -DUSE_STRERROR to BSD case.
From David Shao in PR 49250 for DragonFly BSD. Also tested on NetBSD-7.99.1.
2014-10-01 22:58:17 +00:00
gdt
0989c0c515 pcsc-lite-1.8.12: Ludovic Rousseau
24 September 2014
- make hotplug using libudev (default) more robust
- add ReiserFS file system support (for configuration files)
- add musl libC support (increase the thread stack)
- Some other minor improvements and bug corrections
2014-10-01 16:27:03 +00:00
gdt
1e925dac41 1.4.18 - 13 September 2014, Ludovic Rousseau
- Add support of
      . Cherry Cherry TC 1100
      . Cherry Smart Card Reader USB
      . Cherry Smartcard Keyboard G87-1xx44
      . FujitsuTechnologySolutions GmbH Keyboard KB SCR2
      . Lenovo Lenovo USB Smartcard Keyboard
      . Yubico Yubikey NEO OTP+U2F+CCID
      . Yubico Yubikey NEO U2F+CCID
      . eID_R6 001 X8
    - fix support of Omnikey CardMan 3121
    - reduce memory consumed when configured with --enable-embedded
    - prepare the port to UEFI

http://ludovicrousseau.blogspot.fr/2014/09/new-version-of-libccid-1418.html
2014-10-01 16:24:57 +00:00
fhajny
032befbb8e Add security/php-ssh2 2014-10-01 12:14:02 +00:00
fhajny
55f1efdebe Import security/php-ssh2 (based on wip/php-ssh2).
Provides bindings to the functions of libssh2 which implements
the SSH2 protocol.
2014-10-01 12:13:23 +00:00
wiz
f2fc5e9e0c Update to 1.16:
Noteworthy changes in version 1.16 (2014-09-18) [C12/A12/R2]
-----------------------------------------------

 * Support building for iOS.

 * Fixed a prototype mismatch.

 * Fix es_fclose for streams opened with "samethread".
2014-10-01 11:54:52 +00:00
pettai
c9b493bfbd Version 1.0.4k (released 2014-09-18)
* yhsm-db-import, yhsm-db-export: Fix syntax error.

Version 1.0.4j (released 2014-09-16)

* yhsm-yubikey-ksm: Fix syntax error.

Version 1.0.4i (released 2014-09-16)

* yhsm-yubikey-ksm: Add --daemon.
* yhsm-yubikey-ksm: Add --db-url to specify SQL database path to AEAD store.
* yhsm-db-import, yhsm-db-export: New tools to do database import/export.
* Documentation cleanup.
2014-09-27 20:22:01 +00:00
pettai
f613eee8da Version 1.12 (released 2014-06-11)
* Rewrote man pages using Asciidoc.
2014-09-27 20:17:17 +00:00
pettai
aadd43ba26 Version 2.12 (released 2013-10-18)
* Use pkg-config to find curl, instead of libcurl.m4.
* ykclient: Added --cai parameter to specify GnuTLS-compatible CA Info.
* libykclient: Added ykclient_set_ca_info function.
  Used when curl is linked with GnuTLS, used to set CA Info.
* libykclient: Added ykclient_set_url_bases function.
  Uses a more reasonable/extensible URL string syntax.  The old
  ykclient_set_url_templates is hereby deprecated.
* Added shared library versioning script.
* Valgrind is used for selftests.
2014-09-27 19:56:31 +00:00
pettai
f95403a118 Version 1.15.3 (released 2014-09-04)
* Fix URLs for opensource.y.com -> developers.y.com move.
* Whitelist firmware version 3.3 and detect new PIDs.

Version 1.15.2 (released 2014-07-30)

* Whitelist firmware version 2.5
* Read key when importing configuration.
* Fix formatting error in information about what is written to key.
* Check return codes when doinf NDEF writes.
2014-09-27 19:46:51 +00:00
pettai
e092a16ae0 OpenDNSSEC 1.4.6 - 2014-07-21
* Signer Engine: Print secondary server address when logging notify reply
  errors.
* Build: Fixed various OpenBSD compatibility issues.
* OPENDNSSEC-621: conf.xml: New options: <PidFile> for both enforcer and
  signer, and <SocketFile> for the signer.
* New tool: ods-getconf: to retrieve a configuration value from conf.xml
  given an expression.

Bugfixes:
* OPENDNSSEC-469: ods-ksmutil: 'zone add' command when zonelist.xml.backup
  can't be written zone is still added to database, solved it by checking the
  zonelist.xml.backup is writable before adding zones, and add error message
  when add zone failed.
* OPENDNSSEC-617: Signer Engine: Fix DNS Input Adapter to not reject zone
  the first time due to RFC 1982 serial arethmetic.
* OPENDNSSEC-619: memory leak when signer failed, solved it by add
  ldns_rr_free(signature) in libhsm.c
* OPENDNSSEC-627: Signer Engine: Unable to update serial after restart
  when the backup files has been removed.
* OPENDNSSEC-628: Signer Engine: Ingored notifies log level is changed
  from debug to info.
* OPENDNSSEC-630: Signer Engine: Fix inbound zone transfer for root zone.
* libhsm: Fixed a few other memory leaks.
* simple-dnskey-mailer.sh: Fix syntax error.
2014-09-27 19:41:06 +00:00
jperkin
e50f5b7803 Use tr to handle differences between unzip implementations. 2014-09-27 10:11:20 +00:00
mspo
023dacb349 switch dep to shells/bash instead of explicit bash2; in response to shellshock 2014-09-27 01:34:58 +00:00
jperkin
6d7ac38577 Requires OpenSSL and BerkeleyDB. 2014-09-25 19:27:18 +00:00
jperkin
722dd8cc5e Requires OpenSSL. 2014-09-25 19:18:01 +00:00
jperkin
09017913a1 Pass correct location to OpenSSL. 2014-09-25 19:15:27 +00:00
jperkin
c387062dec Pass correct location of OpenSSL. 2014-09-25 19:13:23 +00:00
jperkin
365067f066 Requires USE_TOOLS+=flex. 2014-09-25 19:12:03 +00:00
jperkin
56d6f6bf37 Pass correct location to OpenSSL. 2014-09-25 19:09:26 +00:00
jperkin
6e4bd99dcd Requires OpenSSL. 2014-09-25 18:46:06 +00:00
jperkin
272f531956 Fix broken patch files. 2014-09-24 12:33:44 +00:00
joerg
34f706b81a Sync PLIST with reality adding various man pages. Bump revision. 2014-09-23 19:39:50 +00:00
joerg
13511a661f Don't forcefully build only a static library. Bump revision. 2014-09-23 15:11:54 +00:00
fhajny
63b98807e5 Provide a catman page where mdoc pages are not supported. PKGREVISION++ 2014-09-23 14:26:35 +00:00
joerg
1b8d2cede6 Clean up RCS IDs in patches and PLIST to avoid permanent rebuilds. 2014-09-22 11:55:37 +00:00
brook
f6a1f767e0 Move math/R-digest to security/R-digest and fix dependencies.
Note: this commit is part of reorganizing some of the recently
imported R packages, which are being reimported into more appropriate
categories (and removed from math) as a result of a recent discussion
on tech-pkg and privately with wiz@.  See the thread starting with:

  http://mail-index.netbsd.org/tech-pkg/2014/09/05/msg013558.html
2014-09-20 03:34:56 +00:00