1.985 2014/05/15
- make OCSP callback return 1 even if it was called on the server side
because of bad setup of the socket. Otherwise we get an endless calling
of the OCSP callback.
- consider an OCSP response which is not yet or no longer valid a soft error
instead of a hard error
- fix skip in t/external/ocsp.t in case fingerprint does not match
- RT#95633 call EVP_PKEY_free not EVP_KEY_free in
IO::Socket::SSL::Utils::KEY_free. Thanks to paul[AT]city-fan[DOT]org
- util/analyze.pl - with --show-chain check if chain with SNI is different
from chain w/o SNI.
1.984 2014/05/10
- added OCSP support:
- needs Net::SSLeay >=1.59
- for usage see documentation of IO::Socket::SSL (examples and anything with
OCSP in the name)
- new tool util/analyze-ssl.pl which is intended to help in debugging of SSL
problems and to get information about capabilities of server. Works also
as an example of how to use various features (like OCSP, SNI..)
- fix peer_certificates (returns leaf certificate only once on client side)
- added timeout for stop_SSL (either with Timeout or with the default
timeout for IO::Socket)
- fix IO::Socket::SSL::Utils mapping between ASN1_TIME and time_t when local
time is not GMT. Use Net::SSLeay::ASN1_TIME_timet if available.
- fix t/external/usable_ca.t for system with junk in CA files
1.983 2014/05/03
- fix public suffix handling: ajax.googleapis.com should be ok even if googleapis.com
is in public suffix list (e.g. check one level less)
#95317, thanks to purification[AT]ukr[DOT]net
- usable_ca.t - update fingerprints after heartbleed attack
- usable_ca.t - make sure we have usable CA for tested hosts in CA store
1.982 2014/04/24
- fix for using subroutine as argument to set_args_filter_hack
1.981 2014/04/08
- #95432 fix ecdhe Test for openssl1.0.1d, thanks to paul[AT]city-fan[DOT]org
- fix detection of openssl1.0.1d (detected 1.0.1e instead)
- new function can_ecdh in IO::Socket::SSL
1.980 2014/04/08
- fixed incorrect calculation of certificate fingerprint in get_fingerprint*
and comparison in SSL_fingerprint. Thanks to
david[DT]palmer[AT]gradwell[DOT]com for reporting.
- disable elliptic curve support for openssl 1.0.1d on 64bit because of
openssl rt#2975
1.979 2014/04/06
- hostname checking:
- configuration of 'leftmost' is renamed to 'full_label', but the old
version is kept for compatibility reasons.
- documentation of predefined schemes fixed to match reality
1.978 2014/04/04
- RT#94424 again, fix test on older openssl version with no SNI support
1.977 2014/04/04
- fix publicsuffix for IDNA, more tests with various IDNA libs
RT#94424. Thanks to paul[AT]city-fan[DOT]org
- reuse result of IDN lib detection from PublicSuffix.pm in SSL.pm
- add more checks to external/usable_ca.t. Now it is enough that at least
one of the hosts verifies against the builtin CA store
- add openssl and Net::SSLeay version to diagnostics in load test
1.976 2014/04/03
- added public prefix checking to verification of wildcard certificates,
e.g. accept *.foo.com but not *.co.uk.
See documentation of SSL_verifycn_publicsuffix and
IO::Socket::SSL::PublicSuffix
Thanks to noloader for pointing out the problem.
1.975 2014/04/02
- BEHAVIOR CHANGE: work around TEA misfeature on OS X builtin openssl, e.g.
guarantee that only the explicitly given CA or the openssl default CA will
be used. This means that certificates inside the OS X keyring will no
longer be used, because there is no way to control the use by openssl
(e.g. certificate pinning etc)
- make external tests run by default to make sure default CA works on all
platforms, it skips automatically on network problems like timeouts or ssl
interception, can also use http(s)_proxy environment variables
1.974 2014/04/02
- new function peer_certificates to get the whole certificate chain, needs
Net::SSLeay>=1.58
- extended IO::Socket::Utils::CERT_asHash to provide way more information,
like issuer information, cert and pubkey digests, all extensions, CRL
distributions points and OCSP uri
1.973 2014/03/25
- with SSL_ca certificate handles can now be used additionally to
SSL_ca_file and SSL_ca_path
- do not complain longer if SSL_ca_file and SSL_ca_path are both given,
instead add both as options to the CA store
- Shortcut 'issuer' to give both issuer_cert and issuer_key in CERT_create.
1.972 2014/03/23
- make sure t/external/usable_ca.t works also with older openssl without
support for SNI. RT#94117. Thanks to paul[AT]city-fan[DOT]org
1.971 2014/03/22
- try to use SSL_hostname for hostname verification if no SSL_verifycn_name
is given. This way hostname for SNI and verification can be specified in
one step.
- new test program example/simulate_proxy.pl
1.970 2014/03/19
- fix rt#93987 by making sure sub default_ca does use a local $_ and not a
version of an outer scope which might be read-only. Thanks to gshank
1.969 2014/03/13
- fix set_defaults to match documentation regarding short names
- new function set_args_filter_hack to make it possible to override bad SSL
settings from other code at the last moment.
- determine default_ca on module load (and not on first use in each thread)
- don't try default hostname verification if verify_mode 0
- fix hostname verification when reusing context
1.968 2014/03/13
- BEHAVIOR CHANGE: removed implicit defaults of certs/server-{cert,key}.pem
for SSL_{cert,key}_file and ca/,certs/my-ca.pem for SSL_ca_file.
These defaults were deprecated since 1.951 (2013/7/3).
- Usable CA verification path on Windows etc:
Do not use Net::SSLeay::CTX_set_default_verify_paths any longer to set
system/build dependent default verification path, because there was no
way to retrieve these default values and check if they contained usable
CA. Instead re-implement the same algorithm and export the results with
public function default_ca() and make it possible to overwrite it.
Also check for usable verification path during build.
If no usable paths are detected require Mozilla::CA at build and try to
use it at runtime.
|
|
1.61 2014-05-12
Changes calloc to Newx and free to Safefree, otherwise there might be
problems because calloc is done from a different memory pool than free (depends
on the build options for perl, but seen on Windows). Patch from Steffen
Ullrich. Thanks.
1.60 2014-05-10
Fixed a typo in an error message. Patch from gregor herrmann. Thanks.
Fixed a problem with building with openssl that does not support
OCSP. Also fixed some newly introduced warnings
if compiled with -Wall. Patch from Steffen Ullrich. Thanks.
fix build-failure on most Debian architectures:
SSLeay.xs: In function 'XS_Net__SSLeay_OCSP_response_results':
SSLeay.xs:5602:3: error: format not a string literal and no format
arguments. Patch from gregor herrmann.
1.59 2014-05-10
Fixed local/30_error.t, so that tests do not fail if diagnostics are
enabled.
Fixed error messages about undefined strings used with length or
split. Reported and patched by Peter Heuchert.
Improvements to configuration of OPTIMIZE flags, to prevent overriding
of perl's expected optimization flags. Caution: HPUX aCC optimize options are special.
SSL_peek() now returns openssl error code as second item when called in
array context, same as SSL_read. Patch from Andreas Mohr.
Fixed some warnings.
Added support for tlsv1.1 tlsv1.2 via $Net::SSLeay::ssl_version. Patch
from Andreas Mohr.
Improve examples in 'Using other perl modules based on
Net::SSLeay'. Patched by Andreas Mohr.
Added support for OCSP. Patched by Steffen Ullrich. Thanks!
Added missing t/external/ocsp.t
|
until proven otherwise.
|
|
- Support for common raw disk image formats using 512 byte sectors,
specifically GPT, APM, and MBR partitioning.
- Experimental support of OpenIOC files. ClamAV will now extract file
hashes from OpenIOC files residing in the signature database location,
and generate ClamAV hash signatures. ClamAV uses no other OpenIOC
features at this time. No OpenIOC files will be delivered through
freshclam. See openioc.org and iocbucket.com for additional information
about OpenIOC.
- All ClamAV sockets (clamd, freshclam, clamav-milter, clamdscan, clamdtop)
now support IPV6 addresses and configuration parameters.
- Use OpenSSL file hash functions for improved performance. OpenSSL
is now prerequisite software for ClamAV 0.98.3.
- Improved detection of malware scripts within image files. Issue reported
by Maarten Broekman.
- Change to circumvent possible denial of service when processing icons within
specially crafted PE files. Icon limits are now in place with corresponding
clamd and clamscan configuration parameters. This issue was reported by
Joxean Koret.
- Improvements to the fidelity of the ClamAV pattern matcher, an issue
reported by Christian Blichmann.
- Opt-in collection of statistics. Statistics collected are: sizes and MD5
hashes of files, PE file section counts and section MD5 hashes, and names
and counts of detected viruses. Enable statistics collection with the
--enable-stats clamscan flag or StatsEnabled clamd configuration
parameter.
- Improvements to ClamAV build process, unit tests, and platform support with
assistance and suggestions by Sebastian Andrzej Siewior, Scott Kitterman,
and Dave Simonson.
- Patch by Arkadiusz Miskiewicz to improve error handling in freshclam.
- ClamAV 0.98.3 also includes miscellaneous bug fixes and documentation
improvements.
|
|
|
|
Collection.
This project provides first-class OAuth library support for Python Requests.
|
|
|
|
Collection.
OAuth often seems complicated and difficult-to-implement. There are several
prominent libraries for handling OAuth requests, but they all suffer from one
or both of the following:
* They predate the OAuth 1.0 spec, AKA RFC 5849.
* They predate the OAuth 2.0 spec, AKA RFC 6749.
* They assume the usage of a specific HTTP request library.
OAuthLib is a generic utility which implements the logic of OAuth without
assuming a specific HTTP request object or web framework. Use it to graft OAuth
client support onto your favorite HTTP library, or provider support onto your
favourite web framework. If you're a maintainer of such a library, write a thin
veneer on top of OAuthLib and get OAuth support for very little effort.
|
|
|
|
Bump PKGREVISION.
|
|
|
|
0.4 - 2014-05-03
~~~~~~~~~~~~~~~~
* Deprecated ``salt_length`` on
:class:`~cryptography.hazmat.primitives.asymmetric.padding.MGF1` and added it
to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. It will be
removed from ``MGF1`` in two releases per our :doc:`/api-stability` policy.
* Added :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED` support.
* Added :class:`~cryptography.hazmat.primitives.cmac.CMAC`.
* Added decryption support to
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`
and encryption support to
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`.
* Added signature support to
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`
and verification support to
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`.
0.3 - 2014-03-27
~~~~~~~~~~~~~~~~
* Added :class:`~cryptography.hazmat.primitives.twofactor.hotp.HOTP`.
* Added :class:`~cryptography.hazmat.primitives.twofactor.totp.TOTP`.
* Added :class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA` support.
* Added signature support to
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`
and verification support to
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`.
* Moved test vectors to the new ``cryptography_vectors`` package.
|
|
|
|
cryptography algorithm designed by Bruce Schneier.
|
|
{authlib,maildir} packages won't build otherwise (at least with
PREFER_PKGSRC=yes).
|
|
Fix PR pkg/48777
|
|
* OpenBSD 5.5 has no _PASSWORD_WARNDAYS definition in its header files
Declare _PASSWORD_WARNDAYS as 14 if _PASSWORD_WARNDAYS is not defined.
Move the definition above its use.
|
|
- Correctly handle decoding of recursive CHOICE options.
- Allow deleting elements of SET OF.
- Several small bug fixes found by coverity.
- Code improvements
|
Modern password hashing for your software and your servers.
|
|
Changelog:
Version 5.01, unreleased, urgency: HIGH:
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1g.
This version mitigates TLS heartbeat read overrun (CVE-2014-0160).
* New features
- X.509 extensions added to the created self-signed stunnel.pem.
- "FIPS = no" also allowed in non-FIPS builds of stunnel.
- Search all certificates with the same subject name for a matching
public key rather than only the first one (thx to Leon Winter).
- Create logs in the local application data folder if stunnel folder
is not writable on Win32.
* Bugfixes
- close_notify not sent when SSL still has some data buffered.
- Protocol negotiation with server-side SNI fixed.
- A Mac OS X missing symbols fixed.
- Win32 configuration file reload crash fixed.
- Added s_pool_free() on exec+connect service retires.
- Line-buffering enforced on stderr output.
|
|
We need builtin version to check sufficient API, not for security fix.
|
|
|
|
Noteworthy changes in version 1.13 (2014-04-15)
-----------------------------------------------
* Added a portable mutex API.
* The AM_PATH_GPG_ERROR macro now defines GPG_ERROR_MT_CFLAGS and
GPG_ERROR_MT_LIBS autoconf output variables for use by programs
which need gpgrt based thread support. gpg-error-config has a new
option --mt.
* Interface changes relative to the 1.12 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GPG_ERR_KEY_ON_CARD NEW.
GPG_ERR_MAC_ALGO NEW.
GPG_ERR_INV_LOCK_OBJ NEW.
gpgrt_lock_t NEW.
GPGRT_LOCK_INITIALIZER NEW.
GPGRT_LOCK_DEFINE NEW.
gpgrt_lock_init NEW.
gpgrt_lock_lock NEW.
gpgrt_lock_unlock NEW.
gpgrt_lock_destroy NEW.
gpgrt_yield NEW.
|
|
|
|
PortableSigner is a signing (with X.509 certificates) program for
PDF files. It's platform independent and runs (tested) under
Windows (2000, XP, ...), Linux and Mac OS X.
It's possible to sign PDF documents digitally with X.509 certificates.
These signed documents are read-only. Therefore it's possible to
implement "electronic paper".
|
Digest::SHA3 is a complete implementation of the NIST SHA-3
cryptographic hash function, known originally as Keccak. It
gives Perl programmers a convenient way to calculate SHA3-224,
SHA3-256, SHA3-384, and SHA3-512 message digests, as well as
variable-length hashes using the SHA3-0 variant. The module
can handle all types of input, including partial-byte data.
|
|
Upstream changes:
5.89 Sat Apr 19 05:14:48 MST 2014
- added universal newlines mode ("U") to addfile and shasum
-- based on Python Universal Newlines concept
-- newlines identical across MacOS, DOS, and UNIX
-- will deprecate portable mode ("p") in future
-- "U" mode is cleaner and more efficient
- enhanced performance
-- reduced number of dynamic memory allocations
-- sped up addfile method with use of C code
-- ref. SHA.xs (_addfilebin and _addfileuniv)
- eliminated experimental -M option in favor of new -R option
-- reverses order of digest module preference
-- undocumented: for test and development use only
- sealed memory leak in SHA.xs
-- arose only with SvPVbyte exceptions during eval
- patched inheritance bug (ref: rt.cpan.org #94830)
-- use sv_isobject/sv_derived_from instead of sv_isa
- added 'allocated' flag to SHA structure (ref. src/sha.h)
-- to guard against Perl double frees
|
|
|
|
spiped (pronounced "ess-pipe-dee") is a utility for creating symmetrically
encrypted and authenticated pipes between socket addresses, so that one may
connect to one address (e.g., a UNIX socket on localhost) and transparently
have a connection established to another address (e.g., a UNIX socket on a
different system). This is similar to 'ssh -L' functionality, but does not
use SSH and requires a pre-shared symmetric key.
Note that spiped:
1. Requires a strong key file: The file specified via the -k option should
have at least 256 bits of entropy. ('dd if=/dev/urandom bs=32 count=1' is
your friend.)
2. Does not provide any protection against information leakage via packet
timing: Running telnet over spiped will protect a password from being directly
read from the network, but will not obscure the typing rhythm.
3. Can significantly increase bandwidth usage for interactive sessions: It
sends data in packets of 1024 bytes, and pads smaller messages up to this
length, so a 1 byte write could be expanded to 1024 bytes if it cannot be
coalesced with adjacent bytes.
4. Uses a symmetric key -- so anyone who can connect to an spiped "server" is
also able to impersonate it.
|
Upstream changes:
1.12 - Fri Jan 3 17:36:10 2014
* Get rid of MYMETA
|
|
Add LICENSE
Upstream changes:
0.05 2014-02-03
- Replaced old testsuite (test.pl) with tests in t/
- Added "use warnings"
- Specified min version of perl 5.6.0
- Fixed pod errors
- Changed doc for internal funcs from pod to comments
0.04 2013-10-28
- github repo and license type (perl) now specified in Makefile.PL
so it will appear in the dist's metadata.
0.03 2013-04-10
- Fixed bug where word() would sometimes go into an infinite loop
- Reformatted according to CPAN::Changes::Spec
|
|
Add LICENSE
Upstream changes:
1.40 2013-09-30 15:32:00
- No code changes.
- Maintenance by Ron Savage <rsavage@cpan.org>.
- Fabricate some version #s for this file.
- Made Passwd.pm utf-8 so we can use Luis' proper name.
- Clean up code formatting.
- Clean up Makefile.PL.
- Use fake (ASCII) ñ in Makefile.PL to keep Solaris happy. See RT#68478.
- Clean up README.
- Add Build.PL.
- Add Changes and Changelog.ini.
- Add META.*.
- Adopt Test::More in t/basic.t.
- Adopt 'use strict' and 'use warnings' to PasswdMD5.pm and t/basic.t.
- Accept patch for new function random_md5_salt(), and tests, from kbrint@rufus.net.
With thanx. See RT#37036.
- Add xt/author/pod.t.
|
|
Upstream changes:
5.88 Mon Mar 17 08:46:10 MST 2014
- added OUTPUT clause in SHA.xs to silence compiler warning
-- ref. shaclose()
- changed text file test (-T) to act on filehandles
-- ref. addfile portable mode
-- improves consistency when reading from STDIN
-- still acts on filenames for early Perls (< 5.6)
- added -M and -V options to shasum
-- undocumented: for development and testing use only
5.87 Mon Feb 17 16:42:02 MST 2014
- simplified capture of intermediate SHA states
-- can now be done via strings (ref. getstate/putstate)
-- substantially reduces size of src/sha.c
- tightened code in SHA.xs
-- added sv_isa checks when invoking methods
5.86 Thu Jan 30 08:24:28 MST 2014
- improved the performance of hexadecimal output functions
-- ref. 'shahex' in src/sha.c
-- thanks to Thomas Drugeon for ideas and test script
|