The circular dependency that prompted splitting this package is no longer
an issue, as acme now depends on context instead of golang.org/x/net/context.
Thus, this package now contains what used to be go-crypto-acme and conflicts
with it.
Data::Password::passwdqc provides an object oriented Perl interface
to Openwall Project's passwdqc. It allows you to check password
strength and also lets you generate quality controllable random
password.
1.1.0:
Removed DES code as the license was found to be incorrect from the source
Added new DES code not based on the original
Fixed up some deprecation warnings
Changed tests from running unittest to py.test
Changed licence from GPL to MIT as code is not all my own
New features
* Import and export of ECC curves in compressed form.
* The initial counter for a cipher in CTR mode can be a byte string (in addition to an integer).
* Faster PBKDF2 for HMAC-based PRFs (at least 20x for short passwords, more for longer passwords). Thanks to Christian Heimes for pointing out the implementation was under-optimized.
* The salt for PBKDF2 can be either a string or bytes.
Resolved issues
* Without libgmp, modular exponentiation (since v3.4.8) crashed on 32-bit big-endian systems.
Breaks in compatibility
* Removed support for Python < 2.6.
This library is used to gain direct access to the functions exposed by Daniel
J. Bernstein's nacl library via libsodium. It has been constructed to maintain
extensive documentation on how to use nacl as well as being completely
portable. The file in libnacl/__init__.py can be pulled out and placed directly
in any project to give a single file binding to all of nacl.
What's new in Sudo 1.8.22
* Commands run in the background from a script run via sudo will
no longer receive SIGHUP when the parent exits and I/O logging
is enabled.
* A particularly offensive insult is now disabled by default.
* The description of "sudo -i" now correctly documents that
the "env_keep" and "env_check" sudoers options are applied to
the environment.
* Fixed a crash when the system's host name is not set.
* The sudoers2ldif script now handles #include and #includedir
directives.
* Fixed a bug where sudo would silently exit when the command was
not allowed by sudoers and the "passwd_tries" sudoers option
was set to a value less than one.
* Fixed a bug with the "listpw" and "verifypw" sudoers options and
multiple sudoers sources. If the option is set to "all", a
password should be required unless none of a user's sudoers
entries from any source require authentication.
* Fixed a bug with the "listpw" and "verifypw" sudoers options in
the LDAP and SSSD back-ends. If the option is set to "any", and
the entry contained multiple rules, only the first matching rule
was checked. If an entry contained more than one matching rule
and the first rule required authentication but a subsequent rule
did not, sudo would prompt for a password when it should not have.
* When running a command as the invoking user (not root), sudo
would execute the command with the same group vector it was
started with. Sudo now executes the command with a new group
vector based on the group database which is consistent with
how su(1) operates.
* Fixed a double free in the SSSD back-end that could occur when
ipa_hostname is present in sssd.conf and is set to an unqualified
host name.
* When I/O logging is enabled, sudo will now write to the terminal
even when it is a background process. Previously, sudo would
only write to the tty when it was the foreground process when
I/O logging was enabled. If the TOSTOP terminal flag is set,
sudo will suspend the command (and then itself) with the SIGTTOU
signal.
* A new "authfail_message" sudoers option that overrides the
default "N incorrect password attempt(s)".
* An empty sudoRunAsUser attribute in the LDAP and SSSD backends
will now match the invoking user. This is more consistent with
how an empty runas user in the sudoers file is treated.
* Documented that in check mode, visudo does not check the owner/mode
on files specified with the -f flag.
* It is now an error to specify the runas user as an empty string
on the command line. Previously, an empty runas user was treated
the same as an unspecified runas user.
* When "timestamp_type" option is set to "tty" and a terminal is
present, the time stamp record will now include the start time
of the session leader. When the "timestamp_type" option is set
to "ppid" or when no terminal is available, the start time of
the parent process is used instead. This significantly reduces
the likelihood of a time stamp record being re-used when a user
logs out and back in again.
* The sudoers time stamp file format is now documented in the new
sudoers_timestamp manual.
* The "timestamp_type" option now takes a "kernel" value on OpenBSD
systems. This causes the tty-based time stamp to be stored in
the kernel instead of on the file system. If no tty is present,
the time stamp is considered to be invalid.
* Visudo will now use the SUDO_EDITOR environment variable (if
present) in addition to VISUAL and EDITOR.
## 0.9.5 (February 26th, 2018)
IMPROVEMENTS:
- auth: Allow sending default_lease_ttl and max_lease_ttl values when enabling
auth methods.
- secret/database: Add list functionality to `database/config` endpoint
- physical/consul: Allow setting a specific service address
- replication: When bootstrapping a new secondary, if the initial cluster
connection fails, Vault will attempt to roll back state so that
bootstrapping can be tried again, rather than having to recreate the
downstream cluster. This will still require fetching a new secondary
activation token.
BUG FIXES:
- auth/aws: Update libraries to fix regression verifying PKCS#7 identity
documents
- listener: Revert to Go 1.9 for now to allow certificates with non-DNS names
in their DNS SANs to be used for Vault's TLS connections
- replication: Fix issue with a performance secondary/DR primary node losing
its DR primary status when performing an update-primary operation
- replication: Fix issue where performance secondaries could be unable to
automatically connect to a performance primary after that performance
primary has been promoted to a DR primary from a DR secondary
- ui: Fix behavior when a value contains a `.`
## 0.9.4 (February 20th, 2018)
SECURITY:
- Role Tags used with the EC2 style of AWS auth were being improperly parsed;
as a result they were not being used to properly restrict values.
Implementations following our suggestion of using these as defense-in-depth
rather than the only source of restriction should not have significant
impact.
FEATURES:
- ChaCha20-Poly1305 support in `transit`: You can now encrypt and decrypt
with ChaCha20-Poly1305 in `transit`. Key derivation and convergent
encryption is also supported.
- Okta Push support in Okta Auth Backend: If a user account has MFA
required within Okta, an Okta Push MFA flow can be used to successfully
finish authentication.
- PKI Improvements: Custom OID subject alternate names can now be set,
subject to allow restrictions that support globbing. Additionally, Country,
Locality, Province, Street Address, and Postal Code can now be set in
certificate subjects.
- Manta Storage: Joyent Triton Manta can now be used for Vault storage
- Google Cloud Spanner Storage: Google Cloud Spanner can now be used for
Vault storage
IMPROVEMENTS:
- auth/centrify: Add CLI helper
- audit: Always log failure metrics, even if zero, to ensure the values appear
on dashboards
- cli: Disable color when output is not a TTY
- cli: Add `-format` flag to all subcommands
- cli: Do not display deprecation warnings when the format is not table
- core: If over a predefined lease count (256k), log a warning not more than
once a minute. Too many leases can be problematic for many of the storage
backends and often this number of leases is indicative of a need for
workflow improvements.
- secret/nomad: Have generated ACL tokens cap out at 64 characters
- secret/pki: Country, Locality, Province, Street Address, and Postal Code can
now be set on certificates
- secret/pki: UTF-8 Other Names can now be set in Subject Alternate Names in
issued certs; allowed values can be set per role and support globbing
- secret/pki: Add a flag to make the common name optional on certs
- secret/pki: Ensure only DNS-compatible names go into DNS SANs; additionally,
properly handle IDNA transformations for these DNS names
- secret/ssh: Add `valid-principles` flag to CLI for CA mode
- storage/manta: Add Manta storage
- ui (Enterprise): Support for ChaCha20-Poly1305 keys in the transit engine.
BUG FIXES:
- api/renewer: Honor increment value in renew auth calls
- auth/approle: Fix inability to use limited-use-count secret IDs on
replication performance secondaries
- auth/approle: Cleanup of secret ID accessors during tidy and removal of
dangling accessor entries
- auth/aws-ec2: Avoid masking of role tag response
- auth/cert: Verify DNS SANs in the authenticating certificate
- auth/okta: Return configured durations as seconds, not nanoseconds
- auth/okta: Get all okta groups for a user vs. default 200 limit
- auth/token: Token creation via the CLI no longer forces periodic token
creation. Passing an explicit zero value for the period no longer create
periodic tokens.
- command: Fix interpreted formatting directives when printing raw fields
- command: Correctly format output when using -field and -format flags at the
same time
- command/rekey: Re-add lost `stored-shares` parameter
- command/ssh: Create and reuse the api client
- command/status: Fix panic when status returns 500 from leadership lookup
- identity: Fix race when creating entities
- plugin/gRPC: Fixed an issue with list requests and raw responses coming from
plugins using gRPC transport
- plugin/gRPC: Fix panic when special paths are not set
- secret/pki: Verify a name is a valid hostname before adding to DNS SANs
- secret/transit: Fix auditing when reading a key after it has been backed up
or restored
- secret/transit: Fix storage/memory consistency when persistence fails
- storage/consul: Validate that service names are RFC 1123 compliant
- storage/etcd3: Fix memory ballooning with standby instances
- storage/etcd3: Fix large lists (like token loading at startup) not being
handled
- storage/postgresql: Fix compatibility with versions using custom string
version tags
- storage/zookeeper: Update vendoring to fix freezing issues
- ui (Enterprise): Decoding the replication token should no longer error and
prevent enabling of a secondary replication cluster via the ui.
- plugin/gRPC: Add connection info to the request object
* Change file is inconsistent: no information about this release available
* Homepage and repository are dead: tarball reached and archived on
ftp.NetBSD.org thands to OpenPKG repository
* Configurations files are installed in VARBASE because CSPHOME must be
writable since CA tree is built in this directory
* Fix deprecated use of unescaped '{'
* Clean Makefile
version 2.2.5:
* gpg: Allow the use of the "cv25519" and "ed25519" short names in
addition to the canonical curve names in --batch --gen-key.
* gpg: Make sure to print all secret keys with option --list-only
and --decrypt.
* gpg: Fix the use of future-default with --quick-add-key for
signing keys.
* gpg: Select a secret key by checking availability under gpg-agent.
* gpg: Fix reversed prompt texts for --only-sign-text-ids.
* gpg,gpgsm: Fix detection of bogus keybox blobs on 32 bit systems.
* gpgsm: Fix regression since 2.1 in --export-secret-key-raw which
got $d mod (q-1)$ wrong. Note that most tools automatically fixup
that parameter anyway.
* ssh: Fix a regression in getting the client'd PID on *BSD and
macOS.
* scd: Support the KDF Data Object of the OpenPGP card 3.3.
* scd: Fix a regression in the internal CCID driver for certain card
readers.
* scd: Fix a problem on NetBSD killing scdaemon on gpg-agent
shutdown.
* dirmngr: Improve returned error description on failure of DNS
resolving.
* wks: Implement command --install-key for gpg-wks-server.
* Add option STATIC=1 to the Speedo build system to allow a build
with statically linked versions of the core GnuPG libraries. Also
use --enable-wks-tools by default by Speedo builds for Unix.
0.29.0:
- Fix building on Windows (all tests fix on Win32 and Win64 on all
supported combinations of versions of OpenSSL and Python)
- Fixes of some small bugs
0.77 Feb 15, 2018
- Fix regression broking password authentication (bug report
by Russell Shingleton).
0.76 Feb 8, 2018
- Allow passing "file_from" and "from0" options into "rsync"
(bug report and patch by Slaven Rezic, fixes #rt124357)
- Document how to manipulate port forwardings.
- Rename sample directory to examples (fixes #rt122042
reported by Karen Etheridge).
0.75_02 Jul 18, 2017
- Add support for "master_pty_force" and "get_master_pty_log"
features.
- Add support for "subsystem" feature.
0.75_01 Mar 3, 2017
- Use an opaque digest as the last part of the multiplexing
socket path in order to reduce its size (bug report by
Sombrerero_Loco at PerlMonks).
- Improve ctl_path/ctl_dir handling catching more errors
earlier.
- Add support for stdin_keep_open feature (bug report by
fwalters at PerlMonks).
**** 1.04 February 15, 2018
Feature
Cryptographic library access re-engineered using PerlXS
directly instead of CPAN Crypt::OpenSSL::(DSA|EDSA|RSA)
distributions which have fallen into disrepair.
2.056 2018/02/19
- Intercept - fix creation of serial number: base it on binary digest instead of
treating hex fingerprint as binary. Allow use of own serial numbers again.
- t/io-socket-ip.t - skip test if no IPv6 support on system RT#124464
- update PublicSuffix
2.055 2018/02/15
- use SNI also if hostname was given all-uppercase
- Utils::CERT_create - don't add authority key for issuer since Chrome does
not like this
- Intercept:
- change behavior of code based cache to better support synchronizing
within multiprocess/threaded setups
- don't use counter for serial number but somehow base it on original
certificate in order to avoid conflicts with reuse of serial numbers
after restart
- RT#124431 - better support platforms w/o IPv6
- RT#124306 - spelling fixes in documentation
2.054 2018/01/22
- added missing test certificates to MANIFEST
2.053 2018/01/21
- small behavior fixes
- if SSL_fingerprint is used and matches don't check for OCSP
- Utils::CERT_create - small fixes to properly specific purpose, ability to
use predefined complex purpose but disable some features
- update PublicSuffix
- updates for documentation, especially regarding pitfalls with forking or using
non-blocking sockets. Spelling fixes.
- test fixes and improvements
- stability improvements for live tests
- regenerate certificate in certs/ and make sure they are limited to the
correct purpose. Checkin program used to generate certificates.
- adjust tests since certificates have changed and some tests used
certificates intended for client authentication as server certificates,
which now no longer works
This switch is meant to be used by packages requiring an implementation of the
former libusb (as in devel/libusb). The original implementation can be
chosen by setting LIBUSB_TYPE to "native".
The alternative implementation libusb-compat (as in devel/libusb-compat) wraps
libusb1 (in devel/libusb1). This implementation can be chosen by setting
LIBUSB_TYPE to "compat". On NetBSD, it has the advantage of not requiring root
privileges to locate and use USB devices without a kernel driver.
This second part switches packages using libusb to this framework. It does not
change compilation options or dependencies at this point.
Compile-tested on most packages affected and available on NetBSD/amd64.
0.28.0:
- Mainly port to Python 3 (supporting 2.6, 2.7, 3.3, 3.4, 3.5, 3.6)
- Some lame efforts to make setup.py build --openssl work better (needs
more real testing on Mac OS X)
- Fix licence: it is MIT, not BSD
- Fix and add tests for SWIG/_aes.i module
- Improve somehow situation on Mac OS X (some testing, improve setup.py,
testsuite should fully pass)
- Bundle-in unittest2 for Python 2.6 (dealing with the need for
specific version of unittest2 package was too complicated)
- Remove all PGP modules
Release 1.12.0:
Enhanced AsyncSSH logging framework to provide detailed logging of events in the connection, channel, key exchange, authentication, sftp, and scp modules. Both high-level information logs and more detailed debug logs are available, and debug logging supports multiple debug levels with different amounts of verboseness. Logger objects are also available on various AsyncSSH classes to allow applications to report their own log events in a manner that can be tied back to a specific SSH connection or channel.
Added support for begin_auth() to be a coroutine, so asynchronous operations can be performed within it to load state needed to perform SSH authentication.
Adjusted key usage flags set on generated X.509 certificates to be more RFC compliant and work around an issue with OpenSSL validation of self-signed non-CA certificates.
Updated key and certificate comment handling to be less sensitive to the encoding of non-ASCII characters. The get_comment() and set_comment() functions now take an optional encoding paramter, defaulting to UTF-8 but allowing for others encodings. There’s also a get_comment_bytes() function to get the comment data as bytes without performing Unicode decoding.
Updated AsyncSSH to be compatible with beta release of Python 3.7.
Updated code to address warnings reported by the latest version of pylint.
Cleaned up various formatting issues in Sphinx documentation.
Significantly reduced time it takes to run unit tests by decreasing the rounds of bcrypt encryption used when unit testing encrypted OpenSSH private keys.
Added support for testing against uvloop in Travis CI.
Added support for the BoarSSL / Twrch test framework.
Header files now include the ritual mantras that make them compatible with C++.
Better Makefile behaviour with Clang (FreeBSD compatibility).
Worked around a bug of GCC 4.8 and 4.9 in 32-bit x86 mode.
Incoming application data after initiating closure is now properly ignored.
Some instances of (critical) Certificate Policies extensions are now ignored (when it is safe to do so).
Fixed some behavioural bugs with regards to renegotiation (all were failing safe).
Added encoded OID for hash functions in the public API, to help with using RSA signatures in non-SSL contexts.
Fixed bug in AES/CBC decryption on x86 with AES-NI opcode (this was breaking decryption with AES/CBC cipher suites and TLS 1.0 only).
Added an explicit stack buffer initialisation (some provably harmless accesses to uninitialised data were performed, Valgrind was not happy).
Fixed bug in the search tree for the cache of SSL sessions (occasional lock-ups).
Fixed bug in modular reduction in the special field for P-256 (this was infrequently breaking ECDSA signatures).
Added support for exporting keying material (RFC 5705).
Added new general-purpose API for AEAD implementations (in non-SSL contexts) and an AES/GCM implementation that follows that API.
Added a function to forget saved session parameter in the LRU cache.
Added a new ChaCha20 implementation that uses SSE2 on x86 architectures (both 32-bit and 64-bit).
3.4.11:
Resolved issues
* GH-121. the record list was still not correct due to PEP3147
and __pycache__ directories.
3.4.10:
Resolved issues
* When creating ElGamal keys, the generator wasn't a square residue:
ElGamal encryption done with those keys cannot be secure under
the DDH assumption.
3.4.9:
New features
* More meaningful error messages while importing an ECC key.
Resolved issues
* GH-123 and #125. The SSE2 command line switch was not always passed on 32-bit x86 platforms.
* GH-121. The record list (--record) was not always correctly filled for the
pycryptodomex package.
