Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513.
Bump PKGREVISION.
|
|
|
|
0.6 - 2014-09-29
~~~~~~~~~~~~~~~~
* Added
:func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key` to
ease loading private keys, and
:func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key` to
support loading public keys.
* Removed the, deprecated in 0.4, support for the ``salt_length`` argument to
the :class:`~cryptography.hazmat.primitives.asymmetric.padding.MGF1`
constructor. The ``salt_length`` should be passed to
:class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` instead.
* Fix compilation on OS X Yosemite.
* Deprecated ``elliptic_curve_private_key_from_numbers`` and
``elliptic_curve_public_key_from_numbers`` in favor of
``load_elliptic_curve_private_numbers`` and
``load_elliptic_curve_public_numbers`` on
:class:`~cryptography.hazmat.backends.interfaces.EllipticCurveBackend`.
* Added
:class:`~cryptography.hazmat.primitives.interfaces.EllipticCurvePrivateKeyWithNumbers`
and
:class:`~cryptography.hazmat.primitives.interfaces.EllipticCurvePublicKeyWithNumbers`
support.
* Work around three GCM related bugs in CommonCrypto and OpenSSL.
* On the CommonCrypto backend adding AAD but not subsequently calling update
would return null tag bytes.
* One the CommonCrypto backend a call to update without an empty add AAD call
would return null ciphertext bytes.
* On the OpenSSL backend with certain versions adding AAD only would give
invalid tag bytes.
* Support loading EC private keys from PEM.
|
|
While here, add rpath to pkgconfig file.
* Version 1.0.0
- The API and ABI are now stable. New features will be added, but
backward-compatibility is guaranteed through all the 1.x.y releases.
- crypto_sign() properly works with overlapping regions again. Thanks
to @pysiak for reporting this regression introduced in version 0.6.1.
- The test suite has been extended.
* Version 0.7.1 (1.0 RC2)
- This is the second release candidate of Sodium 1.0. Minor
compilation, readability and portability changes have been made and the
test suite was improved, but the API is the same as the previous release
candidate.
* Version 0.7.0 (1.0 RC1)
- Allocating memory to store sensitive data can now be done using
sodium_malloc() and sodium_allocarray(). These functions add guard
pages around the protected data to make it less likely to be
accessible in a heartbleed-like scenario. In addition, the protection
for memory regions allocated that way can be changed using
sodium_mprotect_noaccess(), sodium_mprotect_readonly() and
sodium_mprotect_readwrite().
- ed25519 keys can be converted to curve25519 keys with
crypto_sign_ed25519_pk_to_curve25519() and
crypto_sign_ed25519_sk_to_curve25519(). This allows using the same
keys for signature and encryption.
- The seed and the public key can be extracted from an ed25519 key
using crypto_sign_ed25519_sk_to_seed() and crypto_sign_ed25519_sk_to_pk().
- aes256 was removed. A timing-attack resistant implementation might
be added later, but not before version 1.0 is tagged.
- The crypto_pwhash_scryptxsalsa208sha256_* compatibility layer was
removed. Use crypto_pwhash_scryptsalsa208sha256_*.
- The compatibility layer for implementation-specific functions was
removed.
- Compilation issues with Mingw64 on MSYS (not MSYS2) were fixed.
- crypto_pwhash_scryptsalsa208sha256_STRPREFIX was added: it contains
the prefix produced by crypto_pwhash_scryptsalsa208sha256_str()
* Version 0.6.1
- Important bug fix: when crypto_sign_open() was given a signed
message too short to even contain a signature, it was putting an
unlimited amount of zeros into the target buffer instead of
immediately returning -1. The bug was introduced in version 0.5.0.
- New API: crypto_sign_detached() and crypto_sign_verify_detached()
to produce and verify ed25519 signatures without having to duplicate
the message.
- New ./configure switch: --enable-minimal, to create a smaller
library, with only the functions required for the high-level API.
Mainly useful for the JavaScript target and embedded systems.
- All the symbols are now exported by the Emscripten build script.
- The pkg-config .pc file is now always installed even if the
pkg-config tool is not available during the installation.
* Version 0.6.0
- The ChaCha20 stream cipher has been added, as crypto_stream_chacha20_*
- The ChaCha20Poly1305 AEAD construction has been implemented, as
crypto_aead_chacha20poly1305_*
- The _easy API does not require any heap allocations any more and
does not have any overhead over the NaCl API. With the password
hashing function being an obvious exception, the library doesn't
allocate and will not allocate heap memory ever.
- crypto_box and crypto_secretbox have a new _detached API to store
the authentication tag and the encrypted message separately.
- crypto_pwhash_scryptxsalsa208sha256*() functions have been renamed
crypto_pwhash_scryptsalsa208sha256*().
- The low-level crypto_pwhash_scryptsalsa208sha256_ll() function
allows setting individual parameters of the scrypt function.
- New macros and functions for recommended crypto_pwhash_* parameters
have been added.
- Similarly to crypto_sign_seed_keypair(), crypto_box_seed_keypair()
has been introduced to deterministically generate a key pair from a seed.
- crypto_onetimeauth() now provides a streaming interface.
- crypto_stream_chacha20_xor_ic() and crypto_stream_salsa20_xor_ic()
have been added to use a non-zero initial block counter.
- On Windows, CryptGenRandom() was replaced by RtlGenRandom(), which
doesn't require the Crypt API.
- The high bit in curve25519 is masked instead of processing the key as
a 256-bit value.
- The curve25519 ref implementation was replaced by the latest ref10
implementation from Supercop.
- sodium_mlock() now prevents memory from being included in coredumps
on Linux 3.4+
* Version 0.5.0
- sodium_mlock()/sodium_munlock() have been introduced to lock pages
in memory before storing sensitive data, and to zero them before
unlocking them.
- High-level wrappers for crypto_box and crypto_secretbox
(crypto_box_easy and crypto_secretbox_easy) can be used to avoid
dealing with the specific memory layout regular functions depend on.
- crypto_pwhash_scryptsalsa208sha256* functions have been added
to derive a key from a password, and for password storage.
- Salsa20 and ed25519 implementations now support overlapping
inputs/keys/outputs (changes imported from supercop-20140505).
- New build scripts for Visual Studio, Emscripten, different Android
architectures and msys2 are available.
- The poly1305-53 implementation has been replaced with Floodyberry's
poly1305-donna32 and poly1305-donna64 implementations.
- sodium_hex2bin() has been added to complement sodium_bin2hex().
- On OpenBSD and Bitrig, arc4random() is used instead of reading
/dev/urandom.
- crypto_auth_hmac_sha512() has been implemented.
- sha256 and sha512 now have a streaming interface.
- hmacsha256, hmacsha512 and hmacsha512256 now support keys of
arbitrary length, and have a streaming interface.
- crypto_verify_64() has been implemented.
- first-class Visual Studio build system, thanks to @evoskuil
- CPU features are now detected at runtime.
|
|
From David Shao in PR 49250 for DragonFly BSD. Also tested on NetBSD-7.99.1.
|
|
24 September 2014
- make hotplug using libudev (default) more robust
- add ReiserFS file system support (for configuration files)
- add musl libC support (increase the thread stack)
- Some other minor improvements and bug corrections
|
|
- Add support of
. Cherry Cherry TC 1100
. Cherry Smart Card Reader USB
. Cherry Smartcard Keyboard G87-1xx44
. FujitsuTechnologySolutions GmbH Keyboard KB SCR2
. Lenovo Lenovo USB Smartcard Keyboard
. Yubico Yubikey NEO OTP+U2F+CCID
. Yubico Yubikey NEO U2F+CCID
. eID_R6 001 X8
- fix support of Omnikey CardMan 3121
- reduce memory consumed when configured with --enable-embedded
- prepare the port to UEFI
http://ludovicrousseau.blogspot.fr/2014/09/new-version-of-libccid-1418.html
|
|
|
|
Provides bindings to the functions of libssh2 which implements
the SSH2 protocol.
|
|
Noteworthy changes in version 1.16 (2014-09-18) [C12/A12/R2]
-----------------------------------------------
* Support building for iOS.
* Fixed a prototype mismatch.
* Fix es_fclose for streams opened with "samethread".
|
|
* yhsm-db-import, yhsm-db-export: Fix syntax error.
Version 1.0.4j (released 2014-09-16)
* yhsm-yubikey-ksm: Fix syntax error.
Version 1.0.4i (released 2014-09-16)
* yhsm-yubikey-ksm: Add --daemon.
* yhsm-yubikey-ksm: Add --db-url to specify SQL database path to AEAD store.
* yhsm-db-import, yhsm-db-export: New tools to do database import/export.
* Documentation cleanup.
|
|
* Rewrote man pages using Asciidoc.
|
|
* Use pkg-config to find curl, instead of libcurl.m4.
* ykclient: Added --cai parameter to specify GnuTLS-compatible CA Info.
* libykclient: Added ykclient_set_ca_info function.
Used when curl is linked with GnuTLS, used to set CA Info.
* libykclient: Added ykclient_set_url_bases function.
Uses a more reasonable/extensible URL string syntax. The old
ykclient_set_url_templates is hereby deprecated.
* Added shared library versioning script.
* Valgrind is used for selftests.
|
|
* Fix URLs for opensource.y.com -> developers.y.com move.
* Whitelist firmware version 3.3 and detect new PIDs.
Version 1.15.2 (released 2014-07-30)
* Whitelist firmware version 2.5
* Read key when importing configuration.
* Fix formatting error in information about what is written to key.
* Check return codes when doinf NDEF writes.
|
|
* Signer Engine: Print secondary server address when logging notify reply
errors.
* Build: Fixed various OpenBSD compatibility issues.
* OPENDNSSEC-621: conf.xml: New options: <PidFile> for both enforcer and
signer, and <SocketFile> for the signer.
* New tool: ods-getconf: to retrieve a configuration value from conf.xml
given an expression.
Bugfixes:
* OPENDNSSEC-469: ods-ksmutil: 'zone add' command when zonelist.xml.backup
can't be written zone is still added to database, solved it by checking the
zonelist.xml.backup is writable before adding zones, and add error message
when add zone failed.
* OPENDNSSEC-617: Signer Engine: Fix DNS Input Adapter to not reject zone
the first time due to RFC 1982 serial arethmetic.
* OPENDNSSEC-619: memory leak when signer failed, solved it by add
ldns_rr_free(signature) in libhsm.c
* OPENDNSSEC-627: Signer Engine: Unable to update serial after restart
when the backup files has been removed.
* OPENDNSSEC-628: Signer Engine: Ingored notifies log level is changed
from debug to info.
* OPENDNSSEC-630: Signer Engine: Fix inbound zone transfer for root zone.
* libhsm: Fixed a few other memory leaks.
* simple-dnskey-mailer.sh: Fix syntax error.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Note: this commit is part of reorganizing some of the recently
imported R packages, which are being reimported into more appropriate
categories (and removed from math) as a result of a recent discussion
on tech-pkg and privately with wiz@. See the thread starting with:
http://mail-index.netbsd.org/tech-pkg/2014/09/05/msg013558.html
|
|
The digest package provides a function 'digest()' for the creation of
hash digests of arbitrary R objects (using the md5, sha-1, sha-256 and
crc32 algorithms) permitting easy comparison of R language objects, as
well as a function 'hmac()' to create hash-based message
authentication code.
Note: this commit is part of reorganizing some of the recently
imported R packages, which are being reimported into more appropriate
categories (and removed from math) as a result of a recent discussion
on tech-pkg and privately with wiz@. See the thread starting with:
http://mail-index.netbsd.org/tech-pkg/2014/09/05/msg013558.html
|
|
|
|
|
|
Quoted from http://jessekornblum.livejournal.com/295883.html:
This is an important update, which corrects a bug in the signature
generation code. Any ssdeep hashes created with version 2.10 should be
recomputed. The signatures are not wrong per se though, they are just not
as good as they should be"
|
|
|
|
Noteworthy changes in version 1.15 (2014-09-11) [C12/A12/R1]
-----------------------------------------------
* This releases fixes problems with the use of off_t and ssize_t by
the estream functions introduced with 1.14. Although this is
technically an ABI break on some platforms, we take this as a
simple bug fix for 1.14. The new functions are very unlikely in
use by any code and thus no breakage should happen. The 1.14
tarball will be removed from the archive.
* Add type gpgrt_off_t which is guaranteed to be 64 bit.
* Add type gpgrt_ssize_t to make use on Windows easier. On Unix
platforms this is an alias for ssize_t.
Noteworthy changes in version 1.14 (2014-09-08) [C12/A12/R0]
-----------------------------------------------
* Added gpgrt_lock_trylock.
* Added the estream library under the name gpgrt and a set of macros
to use them with their "es_" names.
* Interface changes relative to the 1.13 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GPG_ERR_KEY_DISABLED NEW.
gpgrt_init NEW macro.
gpgrt_check_version NEW.
gpgrt_lock_trylock NEW.
gpgrt_set_syscall_clamp NEW.
gpgrt_set_alloc_func NEW.
gpgrt_stream_t NEW.
gpgrt_cookie_io_functions_t NEW.
gpgrt_syshd_t NEW.
GPGRT_SYSHD_NONE NEW.
GPGRT_SYSHD_FD NEW.
GPGRT_SYSHD_SOCK NEW.
GPGRT_SYSHD_RVID NEW.
GPGRT_SYSHD_HANDLE NEW.
gpgrt_stdin NEW macro.
gpgrt_stdout NEW macro.
gpgrt_stderr NEW macro.
gpgrt_fopen NEW.
gpgrt_mopen NEW.
gpgrt_fopenmem NEW.
gpgrt_fopenmem_init NEW.
gpgrt_fdopen NEW.
gpgrt_fdopen_nc NEW.
gpgrt_sysopen NEW.
gpgrt_sysopen_nc NEW.
gpgrt_fpopen NEW.
gpgrt_fpopen_nc NEW.
gpgrt_freopen NEW.
gpgrt_fopencookie NEW.
gpgrt_fclose NEW.
gpgrt_fclose_snatch NEW.
gpgrt_onclose NEW.
gpgrt_fileno NEW.
gpgrt_fileno_unlocked NEW.
gpgrt_syshd NEW.
gpgrt_syshd_unlocked NEW.
gpgrt_flockfile NEW.
gpgrt_ftrylockfile NEW.
gpgrt_funlockfile NEW.
gpgrt_feof NEW.
gpgrt_feof_unlocked NEW.
gpgrt_ferror NEW.
gpgrt_ferror_unlocked NEW.
gpgrt_clearerr NEW.
gpgrt_clearerr_unlocked NEW.
gpgrt_fflush NEW.
gpgrt_fseek NEW.
gpgrt_fseeko NEW.
gpgrt_ftell NEW.
gpgrt_ftello NEW.
gpgrt_rewind NEW.
gpgrt_getc NEW macro.
gpgrt_getc_unlocked NEW macro.
gpgrt_fgetc NEW.
gpgrt_fputc NEW.
gpgrt_ungetc NEW.
gpgrt_read NEW.
gpgrt_write NEW.
gpgrt_write_sanitized NEW.
gpgrt_write_hexstring NEW.
gpgrt_fread NEW.
gpgrt_fwrite NEW.
gpgrt_fgets NEW.
gpgrt_putc NEW macro.
gpgrt_putc_unlocked NEW macro.
gpgrt_fputs NEW.
gpgrt_fputs_unlocked NEW.
gpgrt_getline NEW.
gpgrt_read_line NEW.
gpgrt_free NEW.
gpgrt_fprintf NEW.
gpgrt_fprintf_unlocked NEW.
gpgrt_printf NEW.
gpgrt_printf_unlocked NEW.
gpgrt_vfprintf NEW.
gpgrt_vfprintf_unlocked NEW.
gpgrt_setvbuf NEW.
gpgrt_setbuf NEW.
gpgrt_set_binary NEW.
gpgrt_tmpfile NEW.
gpgrt_opaque_set NEW.
gpgrt_opaque_get NEW.
gpgrt_fname_set NEW.
gpgrt_fname_get NEW.
gpgrt_asprintf NEW.
gpgrt_vasprintf NEW.
gpgrt_bsprintf NEW.
gpgrt_vbsprintf NEW.
gpgrt_snprintf NEW.
gpgrt_vsnprintf NEW.
|
|
1.998 2014/09/07
- make client authentication work at the server side when SNI is in by use
having CA path and other settings in all SSL contexts instead of only the main
one. Based on code from lundstrom[DOT]jerry[AT]gmail[DOT]com,
https://github.com/noxxi/p5-io-socket-ssl/pull/15
|
|
* Relaxed the license for many source files to cut-down BSD.
* Relaxed the license for John the Ripper as a whole from GPLv2 (exact
version) to GPLv2 or newer with optional OpenSSL and unRAR exceptions.
* Enhanced the support for DES-based tripcodes by making use of the
bitslice DES implementation and supporting OpenMP parallelization.
* Implemented bitmaps for fast initial comparison of computed hashes
against those loaded for cracking.
This provides a substantial performance improvement when cracking large
numbers of fast hashes.
* With 32-bit x86 builds and at least MMX enabled, the "two hashes at a
time" code for bcrypt is now enabled for GCC 4.2 and newer.
This is faster bcrypt cracking on some old and new computers running
32-bit operating systems or VMs for whatever reason.
* Revised the incremental mode to let the current character counts grow
for each character position independently, with the aim to improve
efficiency in terms of successful guesses per candidate passwords tested.
* Revised the pre-defined incremental modes, as well as external mode
filters that are used to generate .chr files.
* Added makechr, a script to (re-)generate .chr files.
* Enhanced the status reporting to include four distinct speed metrics
(g/s, p/s, c/s, and C/s).
* Added the "--fork=N" and "--node=MIN[-MAX]/TOTAL" options for trivial
parallel and distributed processing.
|
|
|
|
spiped-1.4.1
* Fix build on OS X, and improve strict POSIX compliance.
* Improved zeroing of sensitive cryptographic data.
spiped-1.4.0
* Add automatic detection of compiler support (at compile-time) and CPU
support (at run-time) for x86 "AES New Instructions"; and when available,
use these to improve cryptographic performance.
* Add support for -g option, which makes {spiped, spipe} require perfect
forward secrecy by dropping connections if the peer endpoint is detected to
be running using the -f option.
|
|
Add some build fixes where necessary.
|
|
not linking against it.
Bump PKGREVISION for packages that (might be|are) changed.
|
|
|
|
0.50 - 2014-03-14
- Version 0.49 implicitly required Moose; switch to a technique that
does not
- Modernize CHANGES
0.49 - 2014-03-13
- Restore context-sensitive (array/arrayref) behavior of multiple array
methods from 0.46.
- Fix MANIFEST/.gitignore inconsistency
0.48 - 2014-03-10
- Switch from --always-trust to --trust-model=always
0.47 - 2014-03-10
- No changes from 0.47_02
0.47_02 - 2014-02-14
- Remove a stray 'use Data::Dumper::Concise' added in 0.47_01
0.47_01 - 2014-01-27
- Switch from Any::Moose to Moo
- Accept "gpg (GnuPG/MacGPG2)" as a valid gpg version
- Typo fixes in documentation
|
|
1.997 2014/07/12
- thanks to return code 1 from Net::SSLeay::library_init if the library needed
initialization and 0 if not we can now clearly distinguish if initialization
was needed and do not need any work-arounds for perlcc by the user.
1.996 2014/07/12
- move initialization of OpenSSL-internals out of INIT again because this
breaks if module is used with require. Since there is no right place to
work in all circumstances just document the work-arounds needed for
perlcc. RT#97166
1.995 2014/07/11
- RT#95452 - move initialization and creation of OpenSSL-internals into INIT
section, so they get executed after compilation and perlcc is happy.
- refresh option for peer_certificate, so that it checks if the certificate
changed in the mean time (on renegotiation)
- fix fingerprint checking - now applies only to topmost certificate
- IO::Socket::SSL::Utils - accept extensions within CERT_create
- documentations fixes thanks to frioux
- fix documentation bug RT#96765, thanks to Salvatore Bonaccorso.
1.994 2014/06/22
- IO::Socket::SSL can now be used as dual-use socket, e.g. start plain, upgrade
to SSL and downgrade again all with the same object. See documentation of
SSL_startHandshake and chapter Advanced Usage.
- try to apply SSL_ca* even if verify_mode is 0, but don't complain if this
fails. This is needed if one wants to explicitly verify OCSP lookups even if
verification is otherwise off, because otherwise the signature check would
fail. This is mostly useful for testing.
- reorder documentation of attributes for new, so that the more important ones
are at the top.
1.993 2014/06/13
- major rewrite of documentation, now in separate file
- rework error handling to distinguish between SSL errors and internal errors
(like missing capabilities).
- fix handling of default_ca if given during the run of the program (Debian#750646)
- util/analyze-ssl.pl - fix hostname check if SNI does not work
|
|
1.66 2014-08-21
Fixed compile problem with perl prior to 5.8.8, similar to
RT#76267. Reported by Graham Knop.
Fixed a problem with Socket::IPPROTO_TCP on early perls.
After discussions with the community and the original author Sampo
Kellomaki, the license conditions have been changed to "Perl Artisitic
License 2.0".
1.65 2014-07-14
Added note to doc to make it clear that X509_get_subjectAltNames returns a
packed binary IP address for type 7 - GEN_IPADD.
Improvements to SSL_OCSP_response_verify to compile under non c99
compilers. Requested by MERIJNB.
Port to Android, contributed by Brian Fraser. Includes Android specific
version of RSA_generate_key.
Added LibreSSL support, patch provided by Alexander Bluhm. Thanks!
Patch that fixes the support for SSL_set_info_callback and adds
SSL_CTX_set_info_callback and SSL_set_state. Support for these functions is
necessary to either detect renegotiation or to enforce
renegotiation. Contributed by Steffen Ullrich. Thanks!
Fixed a problem with SSL_set_state not available on some early OpenSSLs,
patched by Steffen Ullrich. Thanks!
Removed arbitrary size limits from calls to tcp_read_all in tcpcat() and
http_cat().
Removed unnecessary Debian_SPANTS.txt from MANIFEST. Again.
1.64 2014-06-11
Fixes for test ocsp.t. Test now does not fail if HTTP::Tiny is not
installed.
Fixed repository in META.yml.
Fixed a problem with SSL_get_peer_cert_chain: if the SSL handshake
results in an anonymous authentication, like ADH-DES-CBC3-SHA,
get_peer_cert_chain will not return an empty list, but instead return the
SSL object. Reported and fixed by Steffen
Ullrich. Thanks.
Fixed a problem where patch
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=3009244da47b989c4cc59ba02cf81a4e9d8f8431
caused a failed test in t/local/33_x509_create_cert.t.
|
|
in PR 49176. Bump PKGREVISION.
|
|
0.28 2013-11-21
- Removed silly micro-optimization that was responsible for generating a
warning in Perl versions prior to 5.18.
0.27 2013-10-06
- Merged pull request from David Steinbrunner: specifying meta-spec
so metadata can be seen/used.
- Fixed t/05-kwalitee.t to work with latest revisions on Test::Kwalitee.
|