path: root/security
Age | Commit message | Author | Files | Lines
2017-09-04 | Updated p5-IO-Socket-SSL to 2.050. | wiz | 2 | -7/+7
2.050 2017/08/18
- removed unnecessary settings of SSL_version and SSL_cipher_list from tests
- protocol_version.t can now deal when TLS 1.0 and/or TLS 1.1 are not supported as is the case with openssl versions in latest Debian (buster)
2017-09-04 | Comment out dead sites. | wiz | 1 | -5/+4
2017-09-04 | PLIST update | adam | 1 | -4/+1
2017-09-03 | Update some HOMEPAGEs. | wiz | 3 | -6/+6
2017-09-03 | Follow some redirects. | wiz | 15 | -34/+34
2017-09-03 | Comment out dead MASTER_SITES/HOMEPAGEs. | wiz | 15 | -35/+35
2017-09-02 | Bump libzip ABI depends and PKGREVISIONs of its users for bzip2 dependency. | wiz | 1 | -2/+2
2017-09-02 | Fix bad merge on patch file which broke the build under macOS Sierra. | tron | 2 | -8/+10
2017-09-02 | Update pear-Crypt_GPG to 1.6.1. | taca | 3 | -12/+12
1.6.1. Release date: 2017-08-27 07:40 UTC
Changelog:
* Fix Bug #21237: Use --skip-verify in decrypt() method
* Update list of hash algorithm names
* Add option to ignore signature verification errors on decrypt.
2017-09-01 | Flip to pcre2 | gdt | 1 | -4/+4
If pcre2 is installed, configure finds pcre2-config in /usr/pkg/bin, even though it is not included via bl3, resulting in a build failure. There's no reason to avoid moving to pcre2, and it's easier than making clamav not find it.
2017-08-31 | Updated gnutls to 3.5.15. | wiz | 2 | -8/+7
* Version 3.5.15 (released 2017-08-21)
** libgnutls: Disable hardware acceleration on aarch64/ilp32 mode. There is no assembler code included for this CPU mode.
** certtool: Keys with provable RSA and DSA parameters are now only exported in PKCS#8 form, following draft-mavrogiannopoulos-pkcs8-validated-parameters-00.txt. This removes the need for a non-standard key format.
** API and ABI modifications: No changes since last version.
* Version 3.5.14 (released 2017-07-04)
** libgnutls: Handle specially HSMs which request explicit authentication. There are HSMs which return CKR_USER_NOT_LOGGED_IN on the first private key operation. Detect that state and try to login.
** libgnutls: the GNUTLS_PKCS11_OBJ_FLAG_LOGIN will force a login on HSMs. That is, even in tokens which do not have a CKF_LOGIN_REQUIRED flag a login will be forced. This improves operation on certain Safenet HSMs.
** libgnutls: do not set leading zeros when copying integers on HSMs. PKCS#11 defines integers as unsigned having most significant byte first, e.g., 32768 = 0x80 0x00. This is interpreted literally by some HSMs which do not accept an integer with a leading zero. This improves operation with certain Atos HSMs.
** libgnutls: Fixed issue discovering certain OCSP signers, and improved the discovery of OCSP signer in the case where the Subject Public Key identifier field matches. Resolves gitlab issue #223.
** gnutls-cli: ensure OCSP responses are saved with --save-ocsp even if certificate verification fails.
** API and ABI modifications: No changes since last version.
2017-08-31 | Revision 0.3.3: | adam | 2 | -7/+7
Improved ASN.1 types instantiation performance
Improved BER/CER/DER decoder performance by not unconditionally casting substrate into str/bytes.
Fixed exponential index size growth bug when building ambiguous NamedTypes tree
Fixed constructed types decoding failure at BER codec if running in schema-less mode
Fixed crash on prettyPrint'ing a SEQUENCE with no defined components
Fixed SetOf ordering at CER/DER encoder
Fixed crash on conditional binascii module import
Fix to TagSet hash value build
2017-08-30 | Require sqlite3 >= 3.7.15 which is the release that added sqlite3_errstr. | ginsbach | 1 | -1/+2
2017-08-29 | Remove dirmngr, part of security/gnupg2 now. | wiz | 11 | -446/+1
2017-08-29 | Add commented out test environment flag for more detailed output. | wiz | 1 | -1/+2
2017-08-29 | Remove CONFLICTS that pkg_install can detect itself. | wiz | 2 | -6/+2
2017-08-29 | Fix gnupg2 dependency pattern. | wiz | 3 | -6/+6
2017-08-29 | Fix pattern. | wiz | 1 | -2/+2
2017-08-29 | Remove unnecessary comment. | wiz | 1 | -2/+1
2017-08-29 | Remove gnupg21, successor gnupg2. | wiz | 6 | -217/+1
2017-08-29 | Remove references to gnupg21 in preparation for its removal. | wiz | 1 | -5/+3
2017-08-29 | Remove references to gnupg21 in preparation for its removal. | wiz | 4 | -21/+11
2017-08-29 | Updated gnupg2 to 2.2.0. | wiz | 6 | -163/+142
Noteworthy changes in version 2.2.0 (2017-08-28)
------------------------------------------------
This is the new long term stable branch. This branch will only see bug fixes and no new features.
* gpg: Reverted change in 2.1.23 so that --no-auto-key-retrieve is again the default.
* Fixed a few minor bugs.
2017-08-29 | Add comment to patch. | wiz | 2 | -3/+5
2017-08-29 | Remove undocumented patches that do not seem useful. | wiz | 8 | -115/+4
Please readd with comments and upstream them if they are. Bump PKGREVISION. Fix RELRO build.
2017-08-29 | Updated gpa to 0.9.10. | wiz | 3 | -9/+9
Noteworthy changes in version 0.9.10 (2016-11-19)
-------------------------------------------------
* Added basic support for TOFU information.
* Removed key-ID from some listings in favor of using the fingerprint.
* Fixed deletion of X.509 keys.
* Allow for saving to an alternate file name if the file already exists.
* Fixed several problems with key edit functions.
* Fixed drag-and-drop.
Noteworthy changes in version 0.9.9 (2015-09-09)
------------------------------------------------
* Fixed build problem in 0.9.8 if Libgpgme < 1.6.1 is used.
Noteworthy changes in version 0.9.8 (2015-09-09)
------------------------------------------------
* Does start with the clipboard view after a key has been created.
* Limit the size of dialogs by truncating too long user ids.
* Make the window frame's close button work as expected.
* With a decent version of libgpgme the key algorithm and size is shown using the GnuPG 2.1 format.
2017-08-29 | Remove librfuncs dependency here as well. | wiz | 1 | -2/+1
2017-08-29 | Updated gpgme to 1.9.0. | wiz | 8 | -127/+21
Drop historic patches; adapt one to upstream changes and add bug report URL.
Noteworthy changes in version 1.9.0 (2017-03-28)
------------------------------------------------
* Clarified meaning of the 'expire' parameter of gpgme_op_createkey and gpgme_op_createsubkey. New flag to force a key without an expiration date.
* New function gpgme_op_keylist_from_data_start to list keys from data objects without importing them.
* New function gpgme_op_set_uid_flag to flag a key as primary.
* New function gpgme_op_decrypt_ext to run decryption with special flags. This can for example be used to unwrap keys (remove only the encryption layer).
* New encryption flags to wrap a key (adding an encryption layer to an OpenPGP message) or to create anonymously encrypted messages.
* Support for adduid and revuid operations in the C++ bindings.
* Support for smartcard key generation in the C++ bindings.
* Several new functions for the Python binding.
* Many smaller bug fixes.
* Interface changes relative to the 1.8.0 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gpgme_op_createkey CHANGED: Meaning of 'expire' parameter.
gpgme_op_createsubkey CHANGED: Meaning of 'expire' parameter.
GPGME_CREATE_NOEXPIRE NEW.
gpgme_key_t EXTENDED: New field 'origin'.
gpgme_key_t EXTENDED: New field 'last_update'.
gpgme_subkey_t EXTENDED: New field 'is_de_vs'.
gpgme_user_id_t EXTENDED: New field 'origin'.
gpgme_user_id_t EXTENDED: New field 'last_update'.
gpgme_op_keylist_from_data_start NEW.
gpgme_op_set_uid_flag_start NEW.
gpgme_op_set_uid_flag NEW.
gpgme_op_decrypt_ext_start NEW.
gpgme_op_decrypt_ext NEW.
GPGME_ENCRYPT_THROW_KEYIDS NEW.
GPGME_ENCRYPT_WRAP NEW.
GPGME_DECRYPT_VERIFY NEW.
GPGME_DECRYPT_UNWRAP NEW.
gpgme_data_rewind UN-DEPRECATE.
cpp: Context::revUid(const Key&, const char*) NEW.
cpp: Context::startRevUid(const Key&, const char*) NEW.
cpp: Context::addUid(const Key&, const char*) NEW.
cpp: Context::startAddUid(const Key&, const char*) NEW.
cpp: Key::UserID::revoke() NEW.
cpp: Key::addUid() NEW.
cpp: Key::isDeVs NEW.
cpp: GpgGenCardKeyInteractor NEW.
cpp: Subkey::keyGrip NEW.
cpp: Subkey::isDeVs NEW.
cpp: Data::toKeys NEW.
cpp: Context::setDecryptFlags NEW.
cpp: Context::decrypt EXTENDED: Flags added.
cpp: Context::startDecrypt EXTENDED: Flags added.
cpp: Context::decryptAndVerify EXTENDED: Flags added.
cpp: Context::startCombinedDecryptionAndVerification EXTENDED: Flags.
cpp: Context::encryptFlags EXTENDED: New flags.
qt: CryptoConfig::stringValueList() NEW.
py: Context.__init__ EXTENDED: New keyword arg home_dir.
py: Context.home_dir NEW.
py: Context.keylist EXTENDED: New keyword arg mode.
py: Context.keylist EXTENDED: New keyword arg source.
py: Context.create_key NEW.
py: Context.create_subkey NEW.
py: Context.key_add_uid NEW.
py: Context.key_revoke_uid NEW.
py: Context.key_sign NEW.
py: Context.key_tofu_policy NEW.
py: core.pubkey_algo_string NEW.
py: core.addrspec_from_uid NEW.
[c=C29/A18/R0 cpp=C10/A4/R0 qt=C9/A2/R0]
2017-08-27 | version 1.8.1: | adam | 2 | -7/+7
Bug fixes:
- Mitigate a local side-channel attack on Curve25519 dubbed "May the Fourth be With You". [CVE-2017-0379] [also in 1.7.9]
- Add more extra bytes to the pool after reading a seed file.
- Add the OID SHA384WithECDSA from RFC-7427 to SHA-384.
- Fix build problems with the Jitter RNG
- Fix assembler code build problems on Raspbian (ARMv8/AArch32-CE).
2017-08-25 | Fix "used by" lines. | jperkin | 1 | -3/+3
2017-08-25 | Remove trailing empty lines. | jperkin | 5 | -10/+5
2017-08-25 | Fix formatting of go DESCR files. Some of the contents still leave a lot to be | jperkin | 1 | -1/+2
desired.
2017-08-24 | Revbump for boost update | adam | 13 | -24/+26
2017-08-24 | Revbump for boost update | adam | 8 | -16/+16
2017-08-24 | Simplify and fix the platform/compiler selection for SunOS. Other | jperkin | 1 | -10/+8
platforms may want to follow suit. Prompted by NetBSD/pkgsrc#12.
2017-08-24 | Fix build on SunOS. From Thomas Merkel in NetBSD/pkgsrc#13. | jperkin | 1 | -1/+5
2017-08-23 | Update to Net::SSH::Perl (here p5-Net-SSH) version 2.12. | he | 2 | -9/+8
Pkgsrc changes:
* version number, checksum
* Comment out WRKSRC manipulation, not needed for 2.12.
Upstream changes:
2.12 2017.04.22
- Fix inefficiency in CTR, revealed by profiling with Devel::NYTProf
- Avoid warnings in Host from strange/invalid known_host entries
- Improve documentation of newer features
2.11 2017.04.16
- Packet bugfix: Introduced in 2.07, when ETM Mac is used, sometimes not enough incoming bytes were available to fully read stored MAC
- DSA key bugfix: verify would fail if r/s had highest bit set
2.10 2017.03.23
- Add curve25519-sha256 alias for curve25519-sha256@libssh.org key exchange
- Bugfix for when unsupported key types are encountered
- Add support for '-' syntax in options, including wildcards
- Add wildcard support for '+' syntax in options
2017-08-23 | Update dependency list according to Makefile.pl, in particular | he | 3 | -4/+23
add dependency on the recently added p5-Crypt-Curve25519 package. Bump PKGREVISION.
2017-08-23 | Add p5-Crypt-Curve25519. | he | 1 | -1/+2
2017-08-23 | Add p5-Crypt-Curve25519 version 0.06. | he | 3 | -0/+39
Curve25519 is a state-of-the-art Diffie-Hellman function suitable for a wide variety of applications. Given a user's 32-byte secret key, Curve25519 computes the user's 32-byte public key. Given the user's 32-byte secret key and another user's 32-byte public key, Curve25519 computes a 32-byte secret shared by the two users. This secret can then be used to authenticate and encrypt messages between the two users.
2017-08-23 | Um, added in the wrong directory. Will try a second time. | he | 3 | -39/+0
2017-08-23 | Add p5-Crypt-Curve25519 version 0.06. | he | 3 | -0/+39
Curve25519 is a state-of-the-art Diffie-Hellman function suitable for a wide variety of applications. Given a user's 32-byte secret key, Curve25519 computes the user's 32-byte public key. Given the user's 32-byte secret key and another user's 32-byte public key, Curve25519 computes a 32-byte secret shared by the two users. This secret can then be used to authenticate and encrypt messages between the two users.
2017-08-22 | Make sure the configure script picks up the correct copy of libintl | jmcneill | 1 | -1/+3
2017-08-21 | Update to 1.14.5 and patch for CVE-2017-11368 | tez | 3 | -7/+88
2017-08-20 | Update security/erlang-p1_oauth2 to 0.6.2. | fhajny | 2 | -7/+7
- Make tests work with erlang R20
- Fix Travis-CI compilation
2017-08-20 | Update security/erlang-fast_tls to 1.0.15 | fhajny | 2 | -7/+7
Version 1.0.15
- Fix Hex packaging
Version 1.0.14
- Improve ECDH curve handling (thanks to user pitchum)
- Fix bug in handling protocol_options option
2017-08-18 | release 4.12: | adam | 2 | -7/+7
- Corrected so-name version
release 4.11:
- Introduced the ASN1_TIME_ENCODING_ERROR error code to indicate an invalid encoding in the DER time fields.
- Introduced flag ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME. This flag allows decoding errors in time fields even when in strict DER mode. That is introduced in order to allow toleration of invalid times in X.509 certificates (which are common) even though strict DER adherence is enforced in other fields.
- Added safety check in asn1_find_node(). That prevents a crash when a very long variable name is provided by the developer. Note that this to be exploited requires controlling the ASN.1 definitions used by the developer, i.e., the 'name' parameter of asn1_write_value() or asn1_read_value(). The library is not designed to protect against malicious manipulation of the developer assigned variable names.
2017-08-18 | Tidy Makefile.common (no functional change) | gdt | 3 | -6/+8
- Move PKGREVISION (unchanged) to Makefiles.
- Fix used-by annotation.
- Add PATCHDIR so clamav-doc has consistent distinfo/patches (even though clamav-doc just copies files that aren't patched).
2017-08-17 | Update security/vault to 0.8.1. | fhajny | 2 | -7/+7
DEPRECATIONS/CHANGES:
- PKI Root Generation: Calling `pki/root/generate` when a CA cert/key already exists will now return a `204` instead of overwriting an existing root. If you want to recreate the root, first run a delete operation on `pki/root` (requires `sudo` capability), then generate it again.
FEATURES:
- Oracle Secret Backend: There is now an external plugin to support leased credentials for Oracle databases (distributed separately).
- GCP IAM Auth Backend: There is now an authentication backend that allows using GCP IAM credentials to retrieve Vault tokens. This is available as both a plugin and built-in to Vault.
- PingID Push Support for Path-Based MFA (Enterprise): PingID Push can now be used for MFA with the new path-based MFA introduced in Vault Enterprise 0.8.
- Permitted DNS Domains Support in PKI: The `pki` backend now supports specifying permitted DNS domains for CA certificates, allowing you to narrowly scope the set of domains for which a CA can issue or sign child certificates.
- Plugin Backend Reload Endpoint: Plugin backends can now be triggered to reload using the `sys/plugins/reload/backend` endpoint and providing either the plugin name or the mounts to reload.
- Self-Reloading Plugins: The plugin system will now attempt to reload a crashed or stopped plugin, once per request.
IMPROVEMENTS:
- auth/approle: Allow array input for policies in addition to comma-delimited strings
- auth/aws: Allow using root credentials for IAM authentication
- plugins: Send logs through Vault's logger rather than stdout
- secret/pki: Add `pki/root` delete operation
- secret/pki: Don't overwrite an existing root cert/key when calling generate
BUG FIXES:
- aws: Don't prefer a nil HTTP client over an existing one
- core: If there is an error when checking for create/update existence, return 500 instead of 400
- secret/database: Avoid creating usernames that are too long for legacy MySQL
2017-08-17 | 2 new packages in security | gavan | 1 | -1/+3