| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
The following changes have been made between John 1.7.5.1 and 1.7.6:
* Generic crypt(3) support (enabled with "--format=crypt") has been added for
auditing password hash types supported by the system but not yet supported by
John's own optimized cryptographic routines (such as "SHA-crypt" and SunMD5).
* Optional parallelization of the above has been implemented by means of OpenMP
along with glibc's crypt_r(3) or Solaris' MT-safe crypt(3C).
* Optional parallelization of John's own optimized code for the OpenBSD-style
Blowfish-based crypt(3) (bcrypt) hashes with OpenMP has been added.
* A more suitable version of 32-bit x86 assembly code for Blowfish is now
chosen on Core i7 and similar CPUs (when they happen to run a 32-bit build).
* More optimal DES S-box expressions for PowerPC with AltiVec (making use of
the conditional select operation) contributed by Dumplinger Boy (Dango-Chu)
have been integrated.
* The bitslice DES C source code has been reworked to allow for the use of
arbitrary SIMD intrinsics, which was previously only implemented for AltiVec
as a special case.
* Support for SSE2 and MMX intrinsics with bitslice DES (as an alternative to
the supplied assembly code) has been added (currently only enabled for SSE2 on
x86-64 when compiling with GCC 4.4+).
* Support for mixed-type longer virtual vectors (such as SSE2+MMX, SSE2+ALU,
AltiVec+ALU, and other combinations) with bitslice DES has been added (not
enabled by default yet, primarily intended for easy benchmarks on future CPUs,
with future compiler versions, with even more SIMD instruction sets, and with
different DES S-box expressions that might be available in the future).
* The obsolete 32-bit SPARC assembly implementation of DES has been dropped.
* The loader will now detect password hashes specified on a line on their own,
not only as part of an /etc/passwd or PWDUMP format file.
* When run in "--stdin" mode and reading candidate passwords from a terminal
(to be typed by the user), John will no longer mess with the terminal settings.
* John will now restore terminal settings not only on normal termination or
interrupt, but also when forcibly interrupted with two Ctrl-C keypresses.
The following changes have been made between John 1.7.5 and 1.7.5.1:
* A new numeric variable has been added to the word mangling rules engine:
"p" for position of the character last found with the "/" or "%" commands.
The following changes have been made between John 1.7.4.2 and 1.7.5:
* Support for the use of "--format" along with "--show" or "--make-charset" has
been added.
* The choice of .rec and .log filenames for custom session names has been made
more intuitive.
* Support for "\r" (character lists with repeats) and "\p0" (reference to the
immediately preceding character list/range) has been added to the word mangling
rules preprocessor.
* The undefined and undocumented behavior of some subtle word mangling rules
preprocessor constructs has been changed to arguably be more sensible.
* Some bugs were fixed, most notably JtR crashing on no password hashes loaded
(bug introduced in 1.7.4.2).
The following changes have been made between John 1.7.4 and 1.7.4.2:
* Major performance improvements for processing of very large password files
or sets of files, especially with salt-less or same-salt hashes, achieved
primarily through introduction of two additional hash table sizes (64K and 1M
entries), changes to the loader, and smarter processing of successful guesses
(to accommodate getting thousands of hashes successfully cracked per second).
* Many default buffer and hash table sizes have been increased and thresholds
for the use of hash tables lowered, meaning that John will now tend to use
more memory to achieve better speed (unless it is told not to with the
"--save-memory" option).
* Some previously missed common website passwords found on public lists of
"top N passwords" have been added to the bundled common passwords list.
* Some bugs introduced in 1.7.4 and affecting wordlist mode's elimination of
consecutive duplicate candidate passwords have been fixed.
The following changes have been made between John 1.7.3.4 and 1.7.4:
* Support for back-references and "parallel" ranges has been added to the
word mangling rules preprocessor.
* The notion of numeric variables (to be used for character positions
and substring lengths along with numeric constants supported previously)
has been introduced into the rules engine. Two pre-defined variables
("l" for initial or updated word's length and "m" for initial or
memorized word's last character position) and 11 user-defined variables
("a" through "k") have been added. Additionally, there's a new numeric
constant: "z" for "infinite" position or length.
* New rule commands have been added: "A" (append, insert, or prefix with a
string), "X" (extract a substring from memory and insert), "v" (subtract
and assign to a numeric variable).
* New rule reject flags have been added: ":" (no-op, for use along with the
"parallel" ranges feature of the preprocessor) and "p" (reject unless word
pair commands are allowed, for sharing of the same ruleset between "single
crack" and wordlist modes).
* Processing of word mangling rules has been made significantly faster in
multiple ways (caching of the current length, less copying of data, code
and data placement changes for better branch prediction and L1 cache usage,
compiler-friendly use of local variables, code micro-optimizations,
removal of no-op rule commands in an initial pass).
* The default rulesets for "single crack" and wordlist modes have been
revised to make use of the new features, for speed, to produce fewer
duplicates, and to attempt additional kinds of candidate passwords (such
as for years 2010 through 2019 with "year-based" rules).
* The idle priority emulation code has been optimized for lower overhead when
there appears to be no other demand for CPU time.
* The default for the Idle setting has been changed from N to Y.
The following changes have been made between John 1.7.3.1 and 1.7.3.4:
* "make check" has been implemented (for Unix-like systems only).
* The "--test" option will now take an optional argument - the duration of each
benchmark in seconds.
* Section .note.GNU-stack has been added to all assembly files to avoid the
stack area unnecessarily being made executable on Linux systems that use this
mechanism.
* Some very minor bugs that did not affect normal operation have been fixed.
* Some unimportant compiler warnings have been fixed, a source code comment has
been made more verbose and more complete.
|
|
* Version 2.10.4 (released 2010-12-06)
** gnutls-serv: Corrected a buffer overflow. Reported and patch by Tomas Mraz.
** libgnutls: Use ASN1_NULL when writing parameters for RSA signatures.
This makes us comply with RFC3279. Reported by Michael Rommel.
** libgnutls: Reverted default behavior for verification and
introduced GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT. Thus by default
V1 trusted CAs are allowed, unless the new flag is specified.
** minitasn1: Updated to Libtasn1 2.9.
** API and ABI modifications:
No changes since last version.
|
|
* Noteworthy changes in release 2.9 (2010-12-06) [stable]
- tests: Link to gnulib to avoid build error related to 'rpl_ftello' on Solaris.
Reported by Dagobert Michelsen.
- doc: Fix bug reporting address to point at help-libtasn1@gnu.org.
- doc: Fix Returns: documentation in Texinfo. Reported by Jeffrey Walton.
- build: Update gnulib files.
|
|
Security fix
v1.35 2010.12.06
- if verify_mode is not VERIFY_NONE and the ca_file/ca_path cannot be
verified as valid it will no longer fall back to VERIFY_NONE but throw
an error. Thanks to Salvatore Bonaccorso and Daniel Kahn Gillmor for
pointing out the problem, see also
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058
|
|
distfile anymore. Add DIST_SUBDIR to force re-download of the tarball, which
content has been modified.
While here, switch DEPENDS to py-crypto instead of py-amkCrypto.
Bump PKG_REVISION.
|
|
|
|
pkgsrc changes:
- add a patch to fix an hardcoded interpreter path
- add a patch to actually find gmp library.
- add CONFLICTS with py-amkCrypto, both have files in common.
upstream changes:
2.3
===
* Fix NameError when attempting to use deprecated getRandomNumber()
function.
* _slowmath: Compute RSA u parameter when it's not given to
RSA.construct. This makes _slowmath behave the same as _fastmath in
this regard.
* Make RSA.generate raise a more user-friendly exception message when
the user tries to generate a bogus-length key.
2.2
===
* Deprecated Crypto.Util.number.getRandomNumber(), which had confusing
semantics. It's been replaced by getRandomNBitInteger and
getRandomInteger. (Thanks: Lorenz Quack)
* Better isPrime() and getPrime() implementations that do a real
Rabin-Miller probabilistic primality test (not the phony test we did
before with fixed bases). (Thanks: Lorenz Quack)
* getStrongPrime() implementation for generating RSA primes.
(Thanks: Lorenz Quack)
* Support for importing and exporting RSA keys in DER and PEM format
(Thanks: Legrandin)
* Fix PyCrypto when floor division (python -Qnew) is enabled.
* When building using gcc, use -std=c99 for compilation. This should
fix building on FreeBSD and NetBSD.
|
|
http://web.mit.edu/kerberos/advisories/2010-007-patch-r15.txt
|
|
OpenSSL version 0.9.8q released
===============================
OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 0.9.8q of our open source toolkit for SSL/TLS. This new
OpenSSL version is a security and bugfix release. For a complete
list of changes, please see
http://www.openssl.org/source/exp/CHANGES.
The most significant changes are:
o Fix for security issue CVE-2010-4180
o Fix for CVE-2010-4252
|
|
|
|
|
|
0.50 Nov 21, 2010
- shell_quote in t/1_run.t was escaping '_' (bug report by
Andreas J. König)
- some typos corrected
- initial implementation of scp_cat
|
|
v1.34 2010.11.01
- schema http for certificate verification changed to
wildcards_in_cn=1, because according to rfc2818 this is valid and
also seen in the wild
- if upgrading socket from inet to ssl fails due to handshake problems
the socket gets downgraded, but is still open.
See https://rt.cpan.org/Ticket/Display.html?id=61466
- deprecate kill_socket, just use close()
|
|
2010-09-30 Gisle Aas <gisle@ActiveState.com>
Release 2.51
Florian Ragwitz (1):
Fix compilation with c++ compilers
Gisle Aas (1):
Fix repository specification in META.yml
2010-09-25 Gisle Aas <gisle@ActiveState.com>
Release 2.50
Chris 'BinGOs' Williams (1):
Amended tests to work with perl core.
Florian Ragwitz (3):
Attach context pointers using sv magic
Add failing test for thread cloning
Clone MD5 contexts on thread cloning
get_md5_ctx should never return anything but a valid pointer
Gisle Aas (1):
perl-5.6 no longer supported
Jesse Vincent (1):
Preserve utf8ness of argument [RT#44927]
|
|
0.16 Wed Sep 29 08:11:42 2010
- fixed crc64 support for non-xs case, #61490, #61491
|
|
|
|
This switches to the gnome-2.32 release branch.
(compile-tested only; the old version didn't build anymore)
|
|
This switches to the gnome-2.32 release branch.
|
|
|
|
|
|
LibTomCrypt is a fairly comprehensive, modular and portable
cryptographic toolkit that provides developers with a vast array of
well known published block ciphers, one-way hash functions, chaining
modes, pseudo-random number generators, public key cryptography and a
plethora of other routines. LibTomCrypt has been designed from the
ground up to be very simple to use. It has a modular and standard API
that allows new ciphers, hashes and PRNGs to be added or removed
without change to the overall end application. It features easy to
use functions and a complete user manual which has many source snippet
examples.
* Block Ciphers
* Blowfish
* XTEA
* RC5
* RC6
* SAFER+
* Rijndael (aka AES)
* Twofish
* SAFER (K64, SK64, K128, SK128)
* RC2
* DES, 3DES
* CAST5
* Noekeon
* Skipjack
* Anubis (with optional tweak as proposed by the developers)
* Khazad
* KASUMI
* SEED
* Chaining Modes
* ECB
* CBC
* OFB
* CFB
* CTR
* IEEE LRW mode
* F8 Chaining Mode
* One-Way Hash Functions
* MD2
* MD4
* MD5
* SHA-1
* SHA-224/256/384/512
* TIGER-192
* RIPE-MD 128/160/256/320
* WHIRLPOOL
* Message Authentication
* FIPS-198 HMAC (supports all hashes)
* CMAC, also known as OMAC1 (supports all ciphers)
* PMAC Authentication
* F9-MAC
* Pelican MAC
* Message Encrypt+Authenticate Modes
* EAX Mode
* OCB Mode
* CCM Mode (NIST spec)
* GCM Mode (IEEE spec)
* Pseudo-Random Number Generators
* Yarrow (based algorithm)
* RC4
* Support for /dev/random, /dev/urandom and the Win32 CSP RNG
* Fortuna
* SOBER-128
* Public Key Algorithms
* RSA (using PKCS #1 v1.5 and v2.1)
* ECC (EC-DSA X9.62 signatures, X9.63 EC-DH)
o With fast Fixed Point ECC support as well
o X9.63 import/export of public keys
* DSA (Users make their own groups)
* The math routines are pluggable which means you can use your own
math provider if you want.
* Other standards
* PKCS #1 (v1.5 and v2.1 padding)
* PKCS #5
* ASN.1 DER
|
|
change: New functions to fix a leak in dirmngr
|
|
changes: bugfixes
|
|
change: 3 error codes added
|
|
|
|
OpenSSL version 0.9.8p released
===============================
OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 0.9.8p of our open source toolkit for SSL/TLS. This new
OpenSSL version is a security and bugfix release which addresses
CVE-2010-3864. For a complete list of changes,
please see http://www.openssl.org/source/exp/CHANGES.
|
|
This switches to the gnome-2.32 release branch.
|
|
* fix for BUG-424: build fails on Darwin
|
|
|
|
Bump ABI_DEPENDS (and recursive bump).
|
|
|
|
|
|
|
|
|
|
The PBC (Pairing-Based Cryptography) library is a free C library built
on the GMP library that performs the mathematical operations
underlying pairing-based cryptosystems.
It provides routines such as elliptic curve generation, elliptic curve
arithmetic and pairing computation.
The API is abstract enough that the PBC library can be used even if
the programmer possesses only an elementary understanding of pairings.
There is no need to learn about elliptic curves or much of number
theory. (The minimum requirement is some knowledge of cyclic groups
and properties of the pairing.)
Boneh-Lynn-Shacham short signatures
Hess identity-based signatures
Joux tripartite Diffie-Hellman
Paterson identity-based signatures
Yuan-Li identity-based authenticated key agreement
Zhang-Kim identity-based blind/ring signatures
Zhang-Safavi-Naini-Susilo signatures
|
|
Bug Fixes
* amavisd failed to start when spam scanning was disabled either
by @bypass_spam_checks_maps=(1) or by @spam_scanners=(), giving:
Can't locate object method "new" via package "Amavis::SpamControl"
As a workaround one could use a @spam_scanners=(undef) to disable spam
scanning;
* several decoders failed to propagate "Exceeded storage quota" exception,
so the protection of AV scanners against mail bombs was ineffective;
reported by Jorgen Lundman;
* milter usage (AM.PDP): verbatim header edits inserted a header body of
"1" instead of the correct string
* updated AV entry for BitDefender's bdscan to recognize tabs around
a colon in its output; contributed by Steve;
* fix parsing of a combined result from DSPAM (option --classify), as
earlier versions of DSPAM did not include a signature with a combined
result line; problem reported by Marijan Vidmar;
New Features
* provide a true SNMP agent and a MIB, facilitating monitoring the health
of a content filtering system, its performance and mail characteristics;
* a new AV interface to SMTP-based antivirus scanners;
* allow customizing SMTP-status response reason text for blocked messages;
* prevent inserting fake copies of certain important mail header fields
without breaking a DKIM signature;
|
|
Changes since previous version:
+ fixes for GNU autoconf/automake infrastructure
+ Elgamal encryption and decryption (for DSA keys) is now supported
|
|
|
|
Changes from previous version (20100601)
Changes to 3.99.13/20101104
+ fix up GNU autoconf framework to reflect new structure
+ add ability in netpgpkeys(1) and netpgp(1) to specify the cipher
(symmetric algorithm)
+ add the camellia cipher implementation from openssl as specified in RFC 5581
+ changes from Peter Pentchev to get rid of an exit(3) in library context
+ changes from Peter Pentchev for manual page hyphens
+ changes from Peter Pentchev to clean up after tests
+ changes from Arnaud Ysmal to avoid dereferencing possible NULL pointers
+ change from Arnaud Ysmal to clean up usage message in netpgpkeys(1)
+ avoid calling bzlib functions if they aren't present
+ when writing out the key as an ssh key, don't include the user id
information at the end, in-line with expectations about standard ssh
key formats
+ since the signing key changed its "menu line" entry from "pub" to
"signature", the offset of the key id moved 7 chars to the right, so
take this into consideration when generating new keys
+ allow the user specification of the secret key file as the
--sshkeyfile or -S argument, and check that the public key file exists
before trying to read it
Changes to 3.99.12/20100907
+ add a pretty print function mj_pretty(3) to libmj
+ added netpgp_write_sshkey(3) to libnetpgp
+ added pgp2ssh(1)
+ added preliminary support for ElGamal decryption, needed for DSA keys
as yet untested, unworking, and a WIP
+ add support for using all ssh keys, even those protected by a passphrase,
for decryption and signing. This rounds off ssh key file support in netpgp.
+ add a single character alias (-S file) for [--sshkeyfile file] to
netpgpkeys(1) and netpgp(1)
Changes to 3.99.11/20100809
+ update hkpd(8) to reflect the -S argument to hkpd(8)
+ add reachover Makefile support for hkpd(8) and hkpc(1)
+ regen autoconf with new version and date information
Changes to 3.99.10/20100809
+ check return value from option setting function in netpgpkeys(1)
+ be smarter when checking for a null id
+ add test for crap being returned when listing specific keys in netpgpkeys(1)
+ take the public key from the pubring, not the secring when exporting
keys
+ allow hkpd to serve ssh keys in pgp format
+ test on whether a seckey is needed, not on a userid needed, for ssh keys
Changes to 3.99.9/20100809
+ add single character options to netpgp(1) and netpgpkeys(1)
+ add -o long-option (=value)? to netpgp(1) and netpgpkeys(1)
+ save subkeys when parsing keys. when listing keys, note that the first
subkey is for encryption
+ rationalise birthtime/expiration timestamps into a single function
+ clean up some 64-bit (amd64) lint
Changes to 3.99.8/20100805
+ free a regular expression after using it
+ be a bit less typedef-happy when it's not needed
+ added minimalist JSON (libmj) to distribution
+ add a function in ops layer to construct JSON serialised text from keys
+ use json output from the library in netpgpkeys(1)
+ added check for alternative openssl location
Changes to 3.99.7/20100701
+ recognise ascii-armoured encrypted messages properly, in memory and
in files
+ fix a bug when printing out the public key when prompting for a secret
key
+ print error message and exit for now when trying to encrypt with a DSA key
+ fix bug reported by dyoung when trying to print out the encryption key
fingerprint
Changes to 3.99.6/20100701
+ make some synonyms for --ssh-keys
+ make proper defaults for home dir for ssh key files as well as pgp files
+ modify regression test script to ensure that ssh-keygen and netpgpkey's
idea of ssh keys are the same
+ return any error codes when reading ssh pub or private keys
Changes to 3.99.5/20100613
+ make ssh fingerprints (md5) match netpgp listing
+ use the more functional hexdump function from ssh2pgp in place of the
older hexdump function from openpgpsdk
+ pass hash type down from command line where needed
+ add test for netpgp/ssh key fingerprint matching
+ make netpgpkeys(1) take a --hash= option
|
|
|
|
|
|
=== 0.4.4 2010-10-31
* Fix LoadError rescue in tests: return can't be used in this context
(Hans de G raaff)
* HTTP headers should be strings. (seancribbs)
* ensure consumer uri gets set back to original config even if an error occurs
(Brian Finney)
* Yahoo uses & to split records in OAuth headers (Brian Finney)
* Added support for Rails 3 in client/action_controller_request (Pelle)
|
|
|
|
* fix: LDAP write on userPassword fails when chasing referral and cached
policy error is POLICY_ERROR_PASSWORD_EXPIRED
* fix: only request attributes that are actually used
* fix: canonicalize PAM_USER name
|
|
Fix bug reported by Makoto Yamakura in PR 43992.
|
|
Noteworthy changes in version 1.4.11 (2010-10-18)
-------------------------------------------------
* Bug fixes and portability changes.
* Minor changes for better interoperability with GnuPG-2.
|
|
* Added mechanism CKM_RSA_X_509 (use Botan 1.9.7 to fix a bug
when verifying these signatures)
* The softhsm command now have the option --module <path>
To use a PKCS#11 library other than SoftHSM.
* The softhsm command now import all parts of the RSA key.
CKA_EXPONENT_1, CKA_EXPONENT_2, and CKA_COEFFICIENT is not needed
by SoftHSM but might be needed by other HSM:s.
* Ticket #163: softhsm-keyconv now support BIND format v1.3
* Write message to stderr when the config file cannot be found
* CKA_WRAP_WITH_TRUSTED was not handled correctly. But it has not
been a problem since wrapping is not supported.
* Set CKA_KEY_GEN_MECHANISM to CK_UNAVAILABLE_INFORMATION when
importing objects.
* C_GetInfo now returns CKR_CRYPTOKI_NOT_INITIALIZED if library
is not initialized.
* Force clean up if the app does not do C_Finalize (using auto_ptr)
* Limit the scope of the session objects to the owner application
* softhsm --optimize will clean up leftovers (session objects)
from applications that haven't closed down properly.
* Do not use CKF_HW, the mechanisms are not performed by a device.
* The ulMinKeySize and ulMaxKeySize are not used for the digesting
mechanisms, but we set them to zero for applications that forget
this.
* Used wrong buffer size for signatures. This was only a problem
for keys where (key size % 8 == 1), e.g. 1025 bit keys.
* C_Login now returns CKR_USER_ANOTHER_ALREADY_LOGGED_IN instead of
CKR_USER_TOO_MANY_TYPES
|
|
* Version 2.10.2 (released 2010-09-30)
** Use Libtool 2.2.10 to ease MinGW64 builds.
** libgnutls: Add new extended key usage ipsecIKE.
** libgnutls: Is now more liberal in the PEM decoding.
That is spaces and tabs are being skipped.
** libgnutls: Renamed NULL MAC to MAC-NULL to prevent clash with NULL cipher.
This prevented the usage of the TLS ciphersuites with NULL cipher.
See <http://thread.gmane.org/gmane.network.gnutls.general/2093>.
** libgnutls: The %COMPAT flag now allows larger records that violate the
TLS spec.
** libgnutls: Fix asynchronous API handling.
The code was clearing session hash data on EAGAIN. Problem reported
by Sjoerd Simons <sjoerd.simons@collabora.co.uk> and Vivek
Dasmohapatra <vivek@collabora.co.uk>. See
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/4531>.
** gnutls-cli: Flush stdout/stderr before removing buffering.
Reported by Knut Anders Hatlen see
<http://savannah.gnu.org/support/?107481>.
|
|
* Noteworthy changes in release 2.8 (2010-09-25) [stable]
- Update gnulib files.
- Use Libtool 2.2.10 to ease MinGW64 builds.
|
