pkgsrc and in NetBSD-1.6.x) and OpenSSL 0.9.7 (in NetBSD-2.0), by
creating a new yes/no variable USE_OLD_DES_API that flags whether the
package wants to use the old DES API. If USE_OLD_DES_API is "yes",
then:
* For OpenSSL 0.9.6, symlink ${BUILDLINK_DIR}/include/openssl/des_old.h
to ${SSLBASE}/include/openssl/des.h.
* For NetBSD 2.0's "special" installation of OpenSSL 0.9.7, symlink
${BUILDLINK_DIR}/include/openssl/des_old.h to /usr/include/des.h,
and transform "-lcrypto" into "-ldes -lcrypto". This makes it
behave like stock OpenSSL 0.9.7 where the old DES functions are
part of libcrypto.
Software that wants to use the old DES API should be taught to do it
in a way that works with a stock installation of OpenSSL 0.9.7 -- by
including <openssl/des_old.h> and linking against "-lcrypto". Software
that wants to use the new DES API should simply depend on openssl>=0.9.7.
This change has no impact on existing packages as the new code is
active only when USE_OLD_DES_API == "yes".
This is mainly a maintenance release to support new options in dirmngr
(to be released soon):
* [gpgsm] New option --prefer-system-dirmngr.
* Minor cleanups and debugging aids.
It can't be fixed easily because the pflkm package uses different versioning
(dates instead of 3.5, 3.6, etc). So just disable it for now until I've
found a better way to handle this.
Approved by wiz.
Changes:
o Added a configure check for systems with a 2-argument version of
timespecsub (like BSD/OS).
o Added stub struct definitions to sudo.h to quiet compiler warnings
on some systems.
o In sudoers Defaults lines, tuples like "lecture" may now be used
without a value, restoring their old boolean-like nature.
o Invalid values for a tuple are now handled correctly.
0.xx releases. Full changelog:
hashcash-1.13 - 16-Oct-2004 - Adam Back <adam@cypherspace.org>
* fix bug where grace period not applied to double-spend db.
I think this could allow people to double-spend in the time
period after the resulting premature purging and before
expiry (which is the grace period)
* add new feature where -e <period> can be used with -p to
override the expiry given at spend time (that is stored in
the double-spend db). Inspired by question from Atom
Smasher <atom@suspicious.org>.
* clean up some memory leaks
* add hashcash_free function (DLL scenario caller can't rely
on having same deallocator to call as library compiled with)
* lots more function documentation in hashcash.h for
library/DLL users, renamed all exported library functions to
start with hashcash_ prefix.
* added hashcash_version function.
* added callback function to allow user quit (returns
HASHCASH_USER_ABORT) and to give progress feedback.
* added option -P which uses the callback to show progress.
* added -O core option to allow user selection of core.
* added small parameter to hashcash (to request small stamps
rather than slightly larger fast to generate stamps), and -Z
option to turn this on. (In fact it is not implemented yet
but want to avoid changing library interface later).
hashcash-1.12 - 03-Oct-2004 - Adam Back <adam@cypherspace.org>
* make a HASHCASH.DLL on windows using MINGW.
hashcash-1.11 - 02-Oct-2004 - Adam Back <adam@cypherspace.org>
* _really_ fix trailing ascii(32) (spaces). I have no idea
how I decided the 1.10 code fixed it. Must have messed up
the test I was using to check it worked.
hashcash-1.10 - 01-Oct-2004 - Adam Back <adam@cypherspace.org>
* remove trailing ascii(32) (spaces) which padding somehow
leaves
hashcash-1.09 - 17-Sep-2004 - Adam Back <adam@cypherspace.org>
* fix missing space between resource name and width with -cv
reported by Panta Admin.
* apply cumulative patch of 3 patches from Jonathan Morton.
hashcash-1.08 - 12-Sep-2004 - Adam Back <adam@cypherspace.org>
* fix bug reported by Panta Admin <admin@panta-rhei.dyndns.org>
must have introduced in recent version where with pipe
prints stamp twice.
* attempt to work around MINGW problem with signals -- somehow
it is changing its mind about whether the MMX core can run
from the first call to the 2nd call. But the test result
is cached so it is hard to see how this happens. Not clear
if this work-around will work as don't have a 486 to test
on. (Work around is make single gIsMMXpresent shared
between the two mmx cores, should at least result in signal
call being used fewer times (max 1 time). Also pass 1 to
longjmp.)
* give up entirely on conditional make. One Makefile, no
funky stuff. Prints info about what you need to do to
compile on your platform and goes ahead and compiles with
generic anyway. Make new gnu (generic) target for gcc, and
normal generic with no gcc specific flags.
hashcash-1.07 - 11-Sep-2004 - Adam Back <adam@cypherspace.org>
* patch from J H Wilson <jhw@ieee.org> to initialize a bunch
of variables (actually I had to back some of these out to
get to compile on non gnu compilers -- some of those
structure initializations are gnu extensions I think.)
* also J H Wilson one of patch changes was to avoid mmx
assembler code clobbering ebx register which is needed for
fPIC support.
* better randomness on windows using the CAPI rng
CryptGenRandom. Still compiles using MINGW ... whee!
* made a separate GNUmakefile for gnu make (it takes that one
first over Makefile) and a Makefile which is the same but no
ifdef stuff which confuses some other makes, and no gnu
specific compile options (for x86 anyway).
* add gettimeofday timer into entropy to improve randomness on
systems which do not have /dev/urandom, and are not windows
hashcash-1.06 - 10-Sep-2004 - Adam Back <adam@cypherspace.org>
* patch from Justin Guyett <justin@soze.net> to fix unsigned
error which would have made libfastmint do something odd if
no minter worked.
* Makefile changes to compile under MINGW (gnu for windows
portability layer which produces win32 exes). new target
mingw-exe
* #ifdefs to avoid locking on MINGW (seems no lock support!)
* #ifdefs to use longjmp instead of siglongjmp, signal instead
of sigaction on MINGW
* #ifdef to use chsize instead of ftruncate on MINGW
hashcash-1.05 - 08-Sep-2004 - Adam Back <adam@cypherspace.org>
* and another issue (last I promise!) with case comparison.
1.04 change was good; however flaw in 1.02 means 1.04 minted
stamps (resource not canonicalized to lowercase) can falsely
fail to verify with 1.02 - 1.00 as those versions presume
canonicalized stamp. So we go back to making -C have effect
on minting also. With no -C canonicalize to lowercase, with
-C use resource as-is.
* get rid of -W flag reserved for posix, use -M in its place.
hashcash-1.04 - 07-Sep-2004 - Adam Back <adam@cypherspace.org>
* fixed issue with case comparisons -- presumed resources were
in lower case at minting -- better to just ignore case
during comparison. Then will accept stamps containing upper
case or mixed-case resource names.
* integrate fastmint_benchtest as -sv option to hashcash.
* introduce COPT as well as CFLAGS as optimization subset of
flags passed with CFLAGS to nested make -- suits RPM
hashcash-1.03 - 07-Sep-2004 - Adam Back <adam@cypherspace.org>
* remove TARGET_ARCH again, let's keep things simple. Just
use CFLAGS period.
* figured out what GENTOO ebuild is doing, changed ebuild file
* remove recursion from hashcash_fastmint
* start using TARGET_ARCH in Makefile, hope it's portable;
it's an attempt to be more GENTOO ebuild friendly
* Makefile change: when PACKAGE is defined build default
target, otherwise echo the target info as before
* removed a bunch of old code replaced by fastmint, got rid of
CHROMATIX define
* fix following errors reported by Atom Smasher <atom@suspicious.org>
* fix width measuring bug with v0 stamps
* fix resource read from stdin bug
* use GNU getopt source always -- getopt
on BSD behaves differently (the getopt source is
smart -- it comments itself out on machines with
GNU_LIBRARY so using it always is not a problem)
* bug: should send the time estimate to
stderr, and the stamp to stdout
* -z width flag not properly error checked
to enforce UTCTIME restrictions (only valid widths
6, 10 or 12 digits)
* update LICENSE to note you end up with some GNU GPL taint
from getopt on systems without POSIX getopt which probably
forces you to use GPL as I link against it. Unless someone
wants to re-write the getopt or can point me at a public
domain replacement. In particular this includes BSD and
MACH (OSX) and as before windows.
* apply patch from Jonathan Morton <chromi@chromatix.demon.co.uk>
with following fixes:
* fix bug in mmx assembler code exposed by integration
* add generic target in Makefile
* increase benchmark work factor to improve accuracy of
results (as not used at run-time)
* new hashcash_quickbench()
* changes to hashcash_quickbench() to give faster timing on
linux x86 which has low resolution clock() (1/100th sec vs
1usec on OSX). (It was taking ~ 0.6sec on linux x86, code
takes 0.1 sec now which is less noticeable)
* related to above studiously avoided calling hc_per_sec()
which invokes hashcash_quickbench() -- seems a shame to burn
1/10th sec in default mint creation path if user typically
doesn't care about the info about how long it took. Now you
have to give -s or -v to get speed info when minting.
* fix case sensitivity bug reported by Atom Smasher
<atom@suspicious.org>
* add CPL option back to LICENSE file
* add make targets for different processors
* remove 2nd call of hashcash_benchtest (supposed to call
hc_per_second which caches not hashcash_per_second)
* enable static selection of fastmint cores, disable run
time benchtest
* applied fastmint fix patch from Jonathan Morton
<chromi@chromatix.demon.co.uk> and re-enabled fastmint
(remove -DCHROMATIX in Makefile to disable)
hashcash-1.02 - 11-Aug-2004 - Adam Back <adam@cypherspace.org>
* minor documentation stuff (put back ref to sha1-hashcash in
hashcash.pod manpage)
* add back requests to LICENSE file
hashcash-1.01 - 08-Aug-2004 - Adam Back <adam@cypherspace.org>
* fold in patches from Hubert Chan
<hubert@uhoreg.ca> and Justin Guyett <justin@soze.net> to
clean up some stuff and fix minor bugs.
* another couple of minor bug fixes.
hashcash-1.00 - 07-Aug-2004 - Adam Back <adam@cypherspace.org>
* increment version number, 1.x to reflect move to version 1
stamp format
* explicit bits field in token (helps people who want to
prevalidate header and parse, and who want to know what the
intended bits were vs how lucky the sender got); new stamp
size definition is min( counted_bits, explicit bits field )
* no : in resource field to make easier to parse eg with cut,
awk etc
* new extension field
* reclaimed -x to use for passing eXtension data (old -x no longer
available, use -X, which has string fixed to X-Hashcash)
* put /dev/urandom macro for MAC from
Jonathan Morton <chromi@chromatix.demon.co.uk> so we use
/dev/urandom on MAC
* copy in and adjust Makefile for Jonathan Morton's optimized
minter (need to integrate)
* copy in Jonathan Morton's COMPACT option (method B vs method A
from fips-180-1, uses less registers) for libsha1.c
* copy in next rev of minter breaks 4megahashes/sec barrier on
3.06Ghz P4 -- disabled at present until some stuff gets
fixed and we figure out rpm/deb package portability
* added back v0 read support (but still only generates v1)
* pr5: first attempt at integrating libfastmint (some bug in
my integration code, broken so far)
* (pr6: libfastmint integ still not working)
* pr6: made X-Hashcash header acceptance case insensitive
* pr7: also reject tokens with count_bits < claimed_bits
(as previous logic of setting bits = min( count_bits, claimed_bits)
necessary to avoid people getting lucky
* use clock() instead of wall time
* expand max stamp size out to cope with 10KB extension fields
* update man page and usage with v1 stuff
* and release as 1.00 ready for Hubert Chan <hubert@uhoreg.ca>
to package for the imminent debian release
hashcash-0.33 - 13-Apr-2004 - Adam Back <adam@cypherspace.org>
* allow wild card without @ sign if there is no @ sign in
pattern
New in 2.2.0:
MIME traversal now includes MIME container parts (e.g. multipart/*,
message/*), making them visible to banned rules. This version
preserves original zip archives for virus scanners if the archive
contains any zero-length members. New short types 'dll' and 'empty'
make blocking recent viruses more flexible, including their
unsuccessful propagation attempts. It recognizes standard Unix
archives and unpacks Debian binary packages. The LDAP modules were
rewritten. The handling of double errors was improved. This version
supports mail size limits and Mail::ClamAV 0.12. A new AV entry
'check-jpeg' can test JPEG images for validity.
New in 2.1.2:
This release fixes (hard) blacklisting and whitelisting on static
lookup tables, which was failing to match any sender. The 'neutral'
sender notification, which was joining the Subject and the Message-ID
header fields in some situations, has been fixed. The signal and
error handling in code sections holding BDB locks is now more
thorough. A new %e macro is provided that evaluates to a best guess
of the originator IP address collected from the Received trace.
New in 2.1.1:
The default use of $banned_filename_re, which was lost in 2.1.0,
was added back. A fix was made for inappropriate log entry in SQL
whitelisting, complaining about unexpected wb field value. Missing
import of &ca was added to the amavisd-new-courier.patch. A default
directory is now provided with delivery method "bsmtp", if not
specified. The Mail::SpamAssassin::Plugin::Hashcash module is
pre-loaded with SA 3.0.0, and Mail::SpamAssassin::SpamCopURI with
URI::* is loaded for older SA versions. Small enhancements were
made to amavisd-nanny.
New in 2.1.0:
The use of BerkeleyDB is now optional. The configuration files were
cleaned up, and a small new amavisd-nanny utility that shows the
status of all child processes and checks for vanished or stale
processes was included. Two important bugfixes were made in the
ACL and SQL lookup code along with numerous other fixes and small
improvements. Users of 2.0 should upgrade to this release.
Noteworthy changes since the last release:
- Replace GNU LD version script with Libtool -export-symbols-regex,
from Joe Orton <joe at manyfish.co.uk>.
- Copy libtasn1 has been updated to version 0.2.11.
- Corrected the write of CRL distribution points.
- It is now possible to generate PKCS#12 structures without private
keys using "certtool --to-p12", suggested by Fabian Fagerholm
<fabbe at paniq.net>.
SSL/TLS, X509, RSA, Hashing (SHA1, MD5), Ciphers (Blowfish, 3DES, AES).
Uses QT conventions and plugin mechanism, and provides the crypto
services for applications such as PSI (Jabber client).
Just as for pl2, changes are about environment sanitizing, meaning there
are possible security issues with current versions.
Changes:
550) The CDPATH variable is now stripped from the environment passed
to the program to be executed.
551) Fix temp file generation on systems where the _PATH_VARTMP macro
lacks a trailing slash.
552) The KRB5CCNAME environment variable is preserved during sudo
execution for password lookups that use GSSAPI.
hpn-patch kerberos PAM (only Linux)
The hpn-patch option uses the patch available in:
http://www.psc.edu/networking/projects/hpn-ssh/ to enable high performance
connections.
Also use VARBASE instead of hardcoding /var.
Bump PKGREVISION.
various bugfixes and improvements to the documentation and software.
o Detection for new emf exploits added.
o A critical bug fixed in scan-mail.pl.
o Detection of JPG exploits has been added.
o A file descriptor leak has been fixed in f-protd.
o A minor bug in f-protd related to CPU hogging under certain
conditions has been fixed.
o A log level has been added (further information can be found in
the man pages).
o install-f-prot.pl will automatically run check-updates.pl
(Note, if you are manually installing from tar.gz this is
not automated and you will have out of date virus signature
files - in which case, make sure you run check-updates.pl
manually).
(The comment on that dependency says that >=5.6.1 is required because
the software has not been tested with perl<5.6.1, so this dependency
was probably overly conservative anyway...)
update include:
* The configuration file (shared with nss_ldap.so and sudo) has
been moved to ${PKG_SYSCONFDIR}/ldap.conf. Any secrets file is
found in ${PKG_SYSCONFDIR}/ldap.secret.
* Use the pkg.install framework to copy the config file from the
example directory to the real location.
* Use libtool to build and install the PAM module.
Changes from version 150 include:
* preliminary SASL bind support
* include password policy schema file
* preliminary support for
draft-behera-ldap-password-policy-07.txt
* support for service-based authorization
(based on patch from Manon Goo)
* add ignore_authinfo_unavail flag
* pam_filter works again
* fix from Thorsten Kukuk (SuSE) to handle scope-less
nss_base_passwd configuration
* AD password change fix
* fix from Thorsten Kukuk (SuSE) to handle aborted password changes
* support for multiple service search descriptors from Symas
* support non-experimental password change exop
* patch from Howard Chu to use linker grouping on Solaris