| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
* Add yk_get_key_vid_pid() to get the vendor and product id of a key.
* Add flags for ykinfo to print vendor and product id.
* Fix a bug in the osx backend where it would return an error opening
a composite device with two hid interfaces.
|
|
* libykclient: Skip responses where the curl status isn't CURLE_OK.
* libykclient: Add forgotten prototype for ykclient_set_ca_info.
|
|
* Fix a bug with the 'urllist' parameter where urls would be forgotten.
* Manpages converted to asciidoc.
Version 2.16 (released 2014-06-10)
* Fix a crashbug with the new parameter 'urllist'
Version 2.15 (released 2014-04-30)
* Added new parameter 'urllist'
* Added pam_yubico(8) man page.
* Fix memory leak.
* Bump yubico-c-client version requirement to 2.12.
|
|
|
|
Version 5.07, 2014.11.01, urgency: MEDIUM:
* New features
- Several SMTP server protocol negotiation improvements.
- Added UTF-8 byte order marks to stunnel.conf templates.
- DH parameters are no longer generated by "make cert".
The hardcoded DH parameters are sufficiently secure,
and modern TLS implementations will use ECDH anyway.
- Updated manual for the "options" configuration file option.
- Added support for systemd 209 or later.
- New --disable-systemd ./configure option.
- setuid/setgid commented out in stunnel.conf-sample.
* Bugfixes
- Added support for UTF-8 byte order mark in stunnel.conf.
- Compilation fix for OpenSSL with disabled SSLv2 or SSLv3.
- Non-blocking mode set on inetd and systemd descriptors.
- shfolder.h replaced with shlobj.h for compatibility
with modern Microsoft compilers.
Version 5.06, 2014.10.15, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1j.
https://www.openssl.org/news/secadv_20141015.txt
- The insecure SSLv2 protocol is now disabled by default.
It can be enabled with "options = -NO_SSLv2".
- The insecure SSLv3 protocol is now disabled by default.
It can be enabled with "options = -NO_SSLv3".
- Default sslVersion changed to "all" (also in FIPS mode)
to autonegotiate the highest supported TLS version.
* New features
- Added missing SSL options to match OpenSSL 1.0.1j.
- New "-options" commandline option to display the list
of supported SSL options.
* Bugfixes
- Fixed FORK threading build regression bug.
- Fixed missing periodic Win32 GUI log updates.
Version 5.05, 2014.10.10, urgency: MEDIUM:
* New features
- Asynchronous communication with the GUI thread for faster
logging on Win32.
- systemd socket activation (thx to Mark Theunissen).
- The parameter of "options" can now be prefixed with "-"
to clear an SSL option, for example:
"options = -LEGACY_SERVER_CONNECT".
- Improved "transparent = destination" manual page (thx to
Vadim Penzin).
* Bugfixes
- Fixed POLLIN|POLLHUP condition handling error resulting
in prematurely closed (truncated) connection.
- Fixed a null pointer dereference regression bug in the
"transparent = destination" functionality (thx to
Vadim Penzin). This bug was introduced in stunnel 5.00.
- Fixed startup thread synchronization with Win32 GUI.
- Fixed erroneously closed stdin/stdout/stderr if specified
as the -fd commandline option parameter.
- A number of minor Win32 GUI bugfixes and improvements.
- Merged most of the Windows CE patches (thx to Pierre Delaage).
- Fixed incorrect CreateService() error message on Win32.
- Implemented a workaround for defective Cygwin file
descriptor passing breaking the libwrap support:
http://wiki.osdev.org/Cygwin_Issues#Passing_file_descriptors
Version 5.04, 2014.09.21, urgency: LOW:
* New features
- Support for local mode ("exec" option) on Win32.
- Support for UTF-8 config file and log file.
- Win32 UTF-16 build (thx to Pierre Delaage for support).
- Support for Unicode file names on Win32.
- A more explicit service description provided for the
Windows SCM (thx to Pierre Delaage).
- TCP/IP dependency added for NT service in order to prevent
initialization failure at boot time.
- FIPS canister updated to version 2.0.8 in the Win32 binary
build.
* Bugfixes
- load_icon_default() modified to return copies of default icons
instead of the original resources to prevent the resources
from being destroyed.
- Partially merged Windows CE patches (thx to Pierre Delaage).
- Fixed typos in stunnel.init.in and vc.mak.
- Fixed incorrect memory allocation statistics update in
str_realloc().
- Missing REMOTE_PORT environmental variable is provided to
processes spawned with "exec" on Unix platforms.
- Taskbar icon is no longer disabled for NT service.
- Fixed taskbar icon initialization when commandline options are
specified.
- Reportedly more compatible values used for the dwDesiredAccess
parameter of the CreateFile() function (thx to Pierre Delaage).
- A number of minor Win32 GUI bugfixes and improvements.
|
|
|
|
Bump PKGREVISION.
|
|
|
|
Secret Sharing Scheme, into the packages collection.
In simple terms, this package provides a library for implementing the
sharing of secrets and two tools for simple use-cases of the
algorithm. The library implements what is known as Shamir's method
for secret sharing in the Galois Field 2^8. In slightly simpler words,
this is N-of-M secret-sharing byte-by-byte. Essentially this allows
us to split a secret S into any M shares S1..SM such that any N of
those shares can be used to reconstruct S but any less than N shares
yields no information whatsoever.
|
|
there's no need to byte-swap values read from a local file.
This would cause some IXFRs to mysteriously and consistently fail
until manual intervention is done, because the wrong (byte-swapped)
SOA serial# was being stuffed into the IXFR requests.
Ref. https://issues.opendnssec.org/browse/SUPPORT-147.
Also fix the rc.d script to not insist that the components must be
running to allow "stop" to proceed, so that "restart" or "stop" can
be done if one or both of the processes have exited or crashed.
Bump PKGREVISION.
|
|
|
|
library wind-down function is both called on dlclose() and exit().
Should avoid segfault when trying to call the atexit function after
dlclose() which unmaps the library. Fixes PR pkg/49333, thanks to
joerg@ for the suggested fix.
Also, the IRIX and NetBSD tool name to get at nawk is just "awk",
flagged by pkglint.
Bump PKGREVISION.
|
|
|
|
Upstream changes:
5.93 Sun Oct 26 06:00:48 MST 2014
- corrected alignment problem in SHA struct (src/sha.h)
-- thanks to H. Merijn Brand and J. Hietaniemi for
analysis and suggested patch
- provided workaround in t/methods.t for unreliable -T test
-- Some Perl 5.8's mistake text for binary
|
|
2.002 2014/10/21
- fix check for (invalid) IPv4 when validating hostname against certificate. Do
not use inet_aton any longer because it can cause DNS lookups for malformed
IP. RT#99448, thanks to justincase[AT]yopmail[DOT]com.
- Update PublicSuffix with latest version from publicsuffix.org - lots of new
top level domains.
- Add exception to PublicSuffix for s3.amazonaws.com - RT#99702, thanks to
cpan[AT]cpanel[DOT]net.
2.001 2014/10/21
- Add SSL_OP_SINGLE_(DH|ECDH)_USE to default options to increase PFS security.
Thanks to Heikki Vatiainen for suggesting.
- Update external tests with currently expected fingerprints of hosts.
- Some fixes to make it still work on 5.8.1.
|
|
Changelog:
spiped-1.4.2
* Fix crash on platforms which support AESNI (i386, amd64) but do not
automatically provide 16-byte alignment to large memory allocations
(glibc, possibly others).
|
|
0.6.1 - 2014-10-15
~~~~~~~~~~~~~~~~~~
* Updated Windows wheels to be compiled against OpenSSL 1.0.1j.
* Fixed an issue where OpenSSL 1.0.1j changed the errors returned by some
functions.
* Added our license file to the ``cryptography-vectors`` package.
* Implemented DSA hash truncation support (per FIPS 186-3) in the OpenSSL
backend. This works around an issue in 1.0.0, 1.0.0a, and 1.0.0b where
truncation was not implemented.
|
|
|
|
Noteworthy changes in version 1.17 (2014-10-15) [C13/A13/R0]
-----------------------------------------------
* New error codes for TLS protocol libraries.
* New configure option --enable-build-timestamp.
* New man page for gpg-error-config.
|
|
2.000 2014/10/15
- consider SSL3.0 as broken because of POODLE and disable it by default.
- Skip live tests without asking if environment NO_NETWORK_TESTING is set.
Thanks to ntyni[AT]debian[DOT]org for suggestion.
- skip tests which require fork on non-default windows setups without proper
fork. Thanks to SHAY for https://github.com/noxxi/p5-io-socket-ssl/pull/18
|
|
|
|
by the infrastructure. Tangentially related to PR 48555.
|
|
|
|
Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
*) SRTP Memory Leak.
A flaw in the DTLS SRTP extension parsing code allows an attacker, who
sends a carefully crafted handshake message, to cause OpenSSL to fail
to free up to 64k of memory causing a memory leak. This could be
exploited in a Denial Of Service attack. This issue affects OpenSSL
1.0.1 server implementations for both SSL/TLS and DTLS regardless of
whether SRTP is used or configured. Implementations of OpenSSL that
have been compiled with OPENSSL_NO_SRTP defined are not affected.
The fix was developed by the OpenSSL team.
(CVE-2014-3513)
[OpenSSL team]
*) Session Ticket Memory Leak.
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service
attack.
(CVE-2014-3567)
[Steve Henson]
*) Build option no-ssl3 is incomplete.
When OpenSSL is configured with "no-ssl3" as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.
(CVE-2014-3568)
[Akamai and the OpenSSL team]
*) Add support for TLS_FALLBACK_SCSV.
Client applications doing fallback retries should call
SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
(CVE-2014-3566)
[Adam Langley, Bodo Moeller]
*) Add additional DigestInfo checks.
Reencode DigestInto in DER and check against the original when
verifying RSA signature: this will reject any improperly encoded
DigestInfo structures.
Note: this is a precautionary measure and no attacks are currently known.
[Steve Henson]
|
|
|
|
1.999 2014/10/09
- make sure we don't use version 0.30 of IO::Socket::IP
- make sure that PeerHost is checked on all places where PeerAddr is
checked, because these are synonyms and IO::Socket::IP prefers PeerHost
while others prefer PeerAddr. Also accept PeerService additionally to
PeerPort.
See https://github.com/noxxi/p5-io-socket-ssl/issues/16 for details.
- add ability to use client certificates and to overwrite hostname with
util/analyze-ssl.pl.
|
|
|
|
** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle
strings with embedded spaces and escaped commas.
** libgnutls: Corrected gnutls_x509_crl_verify() which would always report
a CRL signature as invalid.
** libgnutls: Fixed issue with certificates being sanitized by gnutls prior
to signature verification. That resulted to certain non-DER compliant modifications
of valid certificates, being corrected by libtasn1's parser and restructured as
the original.
|
|
- Added sanity checks in the decoding of time when
ASN1_DECODE_FLAG_STRICT_DER is used.
- Fixes in the decoding of OCTET STRING when close to the end
of the structure.
|
|
Changes include:
- More fixes to build in Windows with zlib (mingw and msvc).
- Build .cmxs with C bindings (Closes: #1303)
- Use advapi32 on Windows (Close: #1055)
- Allow to define --zlib-include and --zlib-libdir if zlib is not installed in
the standard location.
- Added SHA-3 hash function.
|
|
Changes:
* Add support for TLS1.1 and TLS1.2 (thanks Thomas Calderon).
* Add function to initialize Diffie-Hellman and elliptic curve parameters
(thanks Thomas Calderon and Edwin Török).
* Add set_client_SNI_hostname to specify client-side SNI hostname (thanks
Mauricio Fernandez).
* Fix double leave of blocking section in ocaml_ssl_accept (thanks Edwin Török).
* Check for errors in SSL_connect/SSL_accept (thanks Jérôme Vouillon).
* Clear the error queue before calling SSL_read and similar functions;
SSL_get_error does not work reliably otherwise (thanks Jérôme Vouillon).
* Allow static linking on Mingw64 (thanks schadinger).
|
|
(Some packages omitted because they will be updated to new versions)
|
|
|
|
|
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513.
Bump PKGREVISION.
|
|
|
|
0.6 - 2014-09-29
~~~~~~~~~~~~~~~~
* Added
:func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key` to
ease loading private keys, and
:func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key` to
support loading public keys.
* Removed the, deprecated in 0.4, support for the ``salt_length`` argument to
the :class:`~cryptography.hazmat.primitives.asymmetric.padding.MGF1`
constructor. The ``salt_length`` should be passed to
:class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` instead.
* Fix compilation on OS X Yosemite.
* Deprecated ``elliptic_curve_private_key_from_numbers`` and
``elliptic_curve_public_key_from_numbers`` in favor of
``load_elliptic_curve_private_numbers`` and
``load_elliptic_curve_public_numbers`` on
:class:`~cryptography.hazmat.backends.interfaces.EllipticCurveBackend`.
* Added
:class:`~cryptography.hazmat.primitives.interfaces.EllipticCurvePrivateKeyWithNumbers`
and
:class:`~cryptography.hazmat.primitives.interfaces.EllipticCurvePublicKeyWithNumbers`
support.
* Work around three GCM related bugs in CommonCrypto and OpenSSL.
* On the CommonCrypto backend adding AAD but not subsequently calling update
would return null tag bytes.
* One the CommonCrypto backend a call to update without an empty add AAD call
would return null ciphertext bytes.
* On the OpenSSL backend with certain versions adding AAD only would give
invalid tag bytes.
* Support loading EC private keys from PEM.
|
|
While here, add rpath to pkgconfig file.
* Version 1.0.0
- The API and ABI are now stable. New features will be added, but
backward-compatibility is guaranteed through all the 1.x.y releases.
- crypto_sign() properly works with overlapping regions again. Thanks
to @pysiak for reporting this regression introduced in version 0.6.1.
- The test suite has been extended.
* Version 0.7.1 (1.0 RC2)
- This is the second release candidate of Sodium 1.0. Minor
compilation, readability and portability changes have been made and the
test suite was improved, but the API is the same as the previous release
candidate.
* Version 0.7.0 (1.0 RC1)
- Allocating memory to store sensitive data can now be done using
sodium_malloc() and sodium_allocarray(). These functions add guard
pages around the protected data to make it less likely to be
accessible in a heartbleed-like scenario. In addition, the protection
for memory regions allocated that way can be changed using
sodium_mprotect_noaccess(), sodium_mprotect_readonly() and
sodium_mprotect_readwrite().
- ed25519 keys can be converted to curve25519 keys with
crypto_sign_ed25519_pk_to_curve25519() and
crypto_sign_ed25519_sk_to_curve25519(). This allows using the same
keys for signature and encryption.
- The seed and the public key can be extracted from an ed25519 key
using crypto_sign_ed25519_sk_to_seed() and crypto_sign_ed25519_sk_to_pk().
- aes256 was removed. A timing-attack resistant implementation might
be added later, but not before version 1.0 is tagged.
- The crypto_pwhash_scryptxsalsa208sha256_* compatibility layer was
removed. Use crypto_pwhash_scryptsalsa208sha256_*.
- The compatibility layer for implementation-specific functions was
removed.
- Compilation issues with Mingw64 on MSYS (not MSYS2) were fixed.
- crypto_pwhash_scryptsalsa208sha256_STRPREFIX was added: it contains
the prefix produced by crypto_pwhash_scryptsalsa208sha256_str()
* Version 0.6.1
- Important bug fix: when crypto_sign_open() was given a signed
message too short to even contain a signature, it was putting an
unlimited amount of zeros into the target buffer instead of
immediately returning -1. The bug was introduced in version 0.5.0.
- New API: crypto_sign_detached() and crypto_sign_verify_detached()
to produce and verify ed25519 signatures without having to duplicate
the message.
- New ./configure switch: --enable-minimal, to create a smaller
library, with only the functions required for the high-level API.
Mainly useful for the JavaScript target and embedded systems.
- All the symbols are now exported by the Emscripten build script.
- The pkg-config .pc file is now always installed even if the
pkg-config tool is not available during the installation.
* Version 0.6.0
- The ChaCha20 stream cipher has been added, as crypto_stream_chacha20_*
- The ChaCha20Poly1305 AEAD construction has been implemented, as
crypto_aead_chacha20poly1305_*
- The _easy API does not require any heap allocations any more and
does not have any overhead over the NaCl API. With the password
hashing function being an obvious exception, the library doesn't
allocate and will not allocate heap memory ever.
- crypto_box and crypto_secretbox have a new _detached API to store
the authentication tag and the encrypted message separately.
- crypto_pwhash_scryptxsalsa208sha256*() functions have been renamed
crypto_pwhash_scryptsalsa208sha256*().
- The low-level crypto_pwhash_scryptsalsa208sha256_ll() function
allows setting individual parameters of the scrypt function.
- New macros and functions for recommended crypto_pwhash_* parameters
have been added.
- Similarly to crypto_sign_seed_keypair(), crypto_box_seed_keypair()
has been introduced to deterministically generate a key pair from a seed.
- crypto_onetimeauth() now provides a streaming interface.
- crypto_stream_chacha20_xor_ic() and crypto_stream_salsa20_xor_ic()
have been added to use a non-zero initial block counter.
- On Windows, CryptGenRandom() was replaced by RtlGenRandom(), which
doesn't require the Crypt API.
- The high bit in curve25519 is masked instead of processing the key as
a 256-bit value.
- The curve25519 ref implementation was replaced by the latest ref10
implementation from Supercop.
- sodium_mlock() now prevents memory from being included in coredumps
on Linux 3.4+
* Version 0.5.0
- sodium_mlock()/sodium_munlock() have been introduced to lock pages
in memory before storing sensitive data, and to zero them before
unlocking them.
- High-level wrappers for crypto_box and crypto_secretbox
(crypto_box_easy and crypto_secretbox_easy) can be used to avoid
dealing with the specific memory layout regular functions depend on.
- crypto_pwhash_scryptsalsa208sha256* functions have been added
to derive a key from a password, and for password storage.
- Salsa20 and ed25519 implementations now support overlapping
inputs/keys/outputs (changes imported from supercop-20140505).
- New build scripts for Visual Studio, Emscripten, different Android
architectures and msys2 are available.
- The poly1305-53 implementation has been replaced with Floodyberry's
poly1305-donna32 and poly1305-donna64 implementations.
- sodium_hex2bin() has been added to complement sodium_bin2hex().
- On OpenBSD and Bitrig, arc4random() is used instead of reading
/dev/urandom.
- crypto_auth_hmac_sha512() has been implemented.
- sha256 and sha512 now have a streaming interface.
- hmacsha256, hmacsha512 and hmacsha512256 now support keys of
arbitrary length, and have a streaming interface.
- crypto_verify_64() has been implemented.
- first-class Visual Studio build system, thanks to @evoskuil
- CPU features are now detected at runtime.
|
|
From David Shao in PR 49250 for DragonFly BSD. Also tested on NetBSD-7.99.1.
|
|
24 September 2014
- make hotplug using libudev (default) more robust
- add ReiserFS file system support (for configuration files)
- add musl libC support (increase the thread stack)
- Some other minor improvements and bug corrections
|
|
- Add support of
. Cherry Cherry TC 1100
. Cherry Smart Card Reader USB
. Cherry Smartcard Keyboard G87-1xx44
. FujitsuTechnologySolutions GmbH Keyboard KB SCR2
. Lenovo Lenovo USB Smartcard Keyboard
. Yubico Yubikey NEO OTP+U2F+CCID
. Yubico Yubikey NEO U2F+CCID
. eID_R6 001 X8
- fix support of Omnikey CardMan 3121
- reduce memory consumed when configured with --enable-embedded
- prepare the port to UEFI
http://ludovicrousseau.blogspot.fr/2014/09/new-version-of-libccid-1418.html
|
|
|
|
Provides bindings to the functions of libssh2 which implements
the SSH2 protocol.
|
|
Noteworthy changes in version 1.16 (2014-09-18) [C12/A12/R2]
-----------------------------------------------
* Support building for iOS.
* Fixed a prototype mismatch.
* Fix es_fclose for streams opened with "samethread".
|
|
* yhsm-db-import, yhsm-db-export: Fix syntax error.
Version 1.0.4j (released 2014-09-16)
* yhsm-yubikey-ksm: Fix syntax error.
Version 1.0.4i (released 2014-09-16)
* yhsm-yubikey-ksm: Add --daemon.
* yhsm-yubikey-ksm: Add --db-url to specify SQL database path to AEAD store.
* yhsm-db-import, yhsm-db-export: New tools to do database import/export.
* Documentation cleanup.
|
|
* Rewrote man pages using Asciidoc.
|
|
* Use pkg-config to find curl, instead of libcurl.m4.
* ykclient: Added --cai parameter to specify GnuTLS-compatible CA Info.
* libykclient: Added ykclient_set_ca_info function.
Used when curl is linked with GnuTLS, used to set CA Info.
* libykclient: Added ykclient_set_url_bases function.
Uses a more reasonable/extensible URL string syntax. The old
ykclient_set_url_templates is hereby deprecated.
* Added shared library versioning script.
* Valgrind is used for selftests.
|
|
* Fix URLs for opensource.y.com -> developers.y.com move.
* Whitelist firmware version 3.3 and detect new PIDs.
Version 1.15.2 (released 2014-07-30)
* Whitelist firmware version 2.5
* Read key when importing configuration.
* Fix formatting error in information about what is written to key.
* Check return codes when doinf NDEF writes.
|
