path: root/security
Age | Commit message | Author | Files | Lines
2016-04-21 | Fix MANDIR handling. | jperkin | 3 | -42/+13
2016-04-20 | Update security/py-OpenSSL to 16.0.0. | leot | 3 | -30/+8
Changes:

16.0.0 (2016-03-19)
-------------------

This is the first release under full stewardship of PyCA. We have made *many* changes to make local development more pleasing. The test suite now passes both on Linux and OS X with OpenSSL 0.9.8, 1.0.1, and 1.0.2. It has been moved to `py.test <https://pytest.org/>`_, all CI test runs are part of `tox <https://testrun.org/tox/>`_ and the source code has been made fully `flake8 <https://flake8.readthedocs.org/>`_ compliant.

We hope to have lowered the barrier for contributions significantly but are open to hear about any remaining frustrations.

Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Python 3.2 support has been dropped. It never had significant real world usage and has been dropped by our main dependency ``cryptography``. Affected users should upgrade to Python 3.3 or later.

Deprecations:
^^^^^^^^^^^^^

- The support for EGD has been removed. The only affected function ``OpenSSL.rand.egd()`` now uses ``os.urandom()`` to seed the internal PRNG instead. Please see `pyca/cryptography#1636 <https://github.com/pyca/cryptography/pull/1636>`_ for more background information on this decision. In accordance with our backward compatibility policy ``OpenSSL.rand.egd()`` will be *removed* no sooner than a year from the release of 16.0.0.

  Please note that you should `use urandom <http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/>`_ for all your secure random number needs.
- Python 2.6 support has been deprecated. Our main dependency ``cryptography`` deprecated 2.6 in version 0.9 (2015-05-14) with no time table for actually dropping it. pyOpenSSL will drop Python 2.6 support once ``cryptography`` does.

Changes:
^^^^^^^^

- Fixed ``OpenSSL.SSL.Context.set_session_id``, ``OpenSSL.SSL.Connection.renegotiate``, ``OpenSSL.SSL.Connection.renegotiate_pending``, and ``OpenSSL.SSL.Context.load_client_ca``. They were lacking an implementation since 0.14.
  `#422 <https://github.com/pyca/pyopenssl/pull/422>`_
- Fixed segmentation fault when using keys larger than 4096-bit to sign data.
  `#428 <https://github.com/pyca/pyopenssl/pull/428>`_
- Fixed ``AttributeError`` when ``OpenSSL.SSL.Connection.get_app_data()`` was called before setting any app data.
  `#304 <https://github.com/pyca/pyopenssl/pull/304>`_
- Added ``OpenSSL.crypto.dump_publickey()`` to dump ``OpenSSL.crypto.PKey`` objects that represent public keys, and ``OpenSSL.crypto.load_publickey()`` to load such objects from serialized representations.
  `#382 <https://github.com/pyca/pyopenssl/pull/382>`_
- Added ``OpenSSL.crypto.dump_crl()`` to dump a certificate revocation list out to a string buffer.
  `#368 <https://github.com/pyca/pyopenssl/pull/368>`_
- Added ``OpenSSL.SSL.Connection.get_state_string()`` using the OpenSSL binding ``state_string_long``.
  `#358 <https://github.com/pyca/pyopenssl/pull/358>`_
- Added support for the ``socket.MSG_PEEK`` flag to ``OpenSSL.SSL.Connection.recv()`` and ``OpenSSL.SSL.Connection.recv_into()``.
  `#294 <https://github.com/pyca/pyopenssl/pull/294>`_
- Added ``OpenSSL.SSL.Connection.get_protocol_version()`` and ``OpenSSL.SSL.Connection.get_protocol_version_name()``.
  `#244 <https://github.com/pyca/pyopenssl/pull/244>`_
- Switched to ``utf8string`` mask by default. OpenSSL formerly defaulted to a ``T61String`` if there were UTF-8 characters present. This was changed to default to ``UTF8String`` in the config around 2005, but the actual code didn't change it until late last year. This will default us to the setting that actually works. To revert this you can call ``OpenSSL.crypto._lib.ASN1_STRING_set_default_mask_asc(b"default")``.
  `#234 <https://github.com/pyca/pyopenssl/pull/234>`_
2016-04-18 | Fix security/dsniff* build on NetBSD-current due to recent route(4) change | leot | 5 | -13/+29
(due to the deprecation of RTF_LLINFO). Bump PKGREVISION. Reviewed by <ozaki-r>.
2016-04-18 | Update libgcrypt to 1.7.0. | wiz | 3 | -27/+7
Noteworthy changes in version 1.7.0 (2016-04-15) [C21/A1/R0]
------------------------------------------------

* New algorithms and modes:
  - SHA3-224, SHA3-256, SHA3-384, SHA3-512, and MD2 hash algorithms.
  - SHAKE128 and SHAKE256 extendable-output hash algorithms.
  - ChaCha20 stream cipher.
  - Poly1305 message authentication algorithm
  - ChaCha20-Poly1305 Authenticated Encryption with Associated Data mode.
  - OCB mode.
  - HMAC-MD2 for use by legacy applications.

* New curves for ECC:
  - Curve25519.
  - sec256k1.
  - GOST R 34.10-2001 and GOST R 34.10-2012.

* Performance:
  - Improved performance of KDF functions.
  - Assembler optimized implementations of Blowfish and Serpent on ARM.
  - Assembler optimized implementation of 3DES on x86.
  - Improved AES using the SSSE3 based vector permutation method by Mike Hamburg.
  - AVX/BMI is used for SHA-1 and SHA-256 on x86. This is for SHA-1 about 20% faster than SSSE3 and more than 100% faster than the generic C implementation.
  - 40% speedup for SHA-512 and 72% for SHA-1 on ARM Cortex-A8.
  - 60-90% speedup for Whirlpool on x86.
  - 300% speedup for RIPE MD-160.
  - Up to 11 times speedup for CRC functions on x86.

* Other features:
  - Improved ECDSA and FIPS 186-4 compliance.
  - Support for Montgomery curves.
  - gcry_cipher_set_sbox to tweak S-boxes of the gost28147 cipher algorithm.
  - gcry_mpi_ec_sub to subtract two points on a curve.
  - gcry_mpi_ec_decode_point to decode an MPI into a point object.
  - Emulation for broken Whirlpool code prior to 1.6.0. [from 1.6.1]
  - Flag "pkcs1-raw" to enable PKCS#1 padding with a user supplied hash part.
  - Parameter "saltlen" to set a non-default salt length for RSA PSS.
  - A SP800-90A conforming DRNG replaces the former X9.31 alternative random number generator.
  - Map deprecated RSA algo number to the RSA algo number for better backward compatibility. [from 1.6.2]
  - Use ciphertext blinding for Elgamal decryption [CVE-2014-3591]. See http://www.cs.tau.ac.il/~tromer/radioexp/ for details. [from 1.6.3]
  - Fixed data-dependent timing variations in modular exponentiation [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks are Practical]. [from 1.6.3]
  - Flag "no-keytest" for ECC key generation. Due to a bug in the parser that flag will also be accepted but ignored by older version of Libgcrypt. [from 1.6.4]
  - Speed up the random number generator by requiring less extra seeding. [from 1.6.4]
  - Always verify a created RSA signature to avoid private key leaks due to hardware failures. [from 1.6.4]
  - Mitigate side-channel attack on ECDH with Weierstrass curves [CVE-2015-7511]. See http://www.cs.tau.ac.IL/~tromer/ecdh/ for details. [from 1.6.5]

* Internal changes:
  - Moved locking out to libgpg-error.
  - Support of the SYSROOT envvar in the build system.
  - Refactor some code.
  - The availability of a 64 bit integer type is now mandatory.

* Bug fixes:
  - Fixed message digest lookup by OID (regression in 1.6.0).
  - Fixed a build problem on NetBSD
  - Fixed memory leaks in ECC code.
  - Fixed some asm build problems and feature detection bugs.

* Interface changes relative to the 1.6.0 release:
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  gcry_cipher_final NEW macro.
  GCRY_CIPHER_MODE_CFB8 NEW constant.
  GCRY_CIPHER_MODE_OCB NEW.
  GCRY_CIPHER_MODE_POLY1305 NEW.
  gcry_cipher_set_sbox NEW macro.
  gcry_mac_get_algo NEW.
  GCRY_MAC_HMAC_MD2 NEW.
  GCRY_MAC_HMAC_SHA3_224 NEW.
  GCRY_MAC_HMAC_SHA3_256 NEW.
  GCRY_MAC_HMAC_SHA3_384 NEW.
  GCRY_MAC_HMAC_SHA3_512 NEW.
  GCRY_MAC_POLY1305 NEW.
  GCRY_MAC_POLY1305_AES NEW.
  GCRY_MAC_POLY1305_CAMELLIA NEW.
  GCRY_MAC_POLY1305_SEED NEW.
  GCRY_MAC_POLY1305_SERPENT NEW.
  GCRY_MAC_POLY1305_TWOFISH NEW.
  gcry_md_extract NEW.
  GCRY_MD_FLAG_BUGEMU1 NEW [from 1.6.1].
  GCRY_MD_GOSTR3411_CP NEW.
  GCRY_MD_SHA3_224 NEW.
  GCRY_MD_SHA3_256 NEW.
  GCRY_MD_SHA3_384 NEW.
  GCRY_MD_SHA3_512 NEW.
  GCRY_MD_SHAKE128 NEW.
  GCRY_MD_SHAKE256 NEW.
  gcry_mpi_ec_decode_point NEW.
  gcry_mpi_ec_sub NEW.
  GCRY_PK_EDDSA NEW constant.
  GCRYCTL_GET_TAGLEN NEW.
  GCRYCTL_SET_SBOX NEW.
  GCRYCTL_SET_TAGLEN NEW.
2016-04-17 | Fix build on recent NetBSD-current | kamil | 3 | -6/+17
The RTM_RESOLVE symbol has been removed after the following change in src/sys/net/route.h:

revision 1.98
date: 2016-04-04 09:37:07 +0200; author: ozaki-r; state: Exp; lines: +8 -6; commitid: r0chxU5ZkTdAqh1z;
Separate nexthop caches from the routing table

Bump PKGREVISION to 1
2016-04-17 | Update p5-Crypt-OpenPGP to 1.12. | wiz | 2 | -9/+7
1.12 2015-08-16 CPAN Day release
- Add NoVersion parameter to CO::Armour->armour (GH#26)

1.11 2015-07-20
- Check that Crypt::OpenPGP::Cipher->new succeeded, RT#14033.
- Fix GH#7, when false data was discarded (@Camspi).

1.10 2015-07-06
- Update GnuPG defaults (@bk2204).
- Fix error propagation on generating RSA key (@niner).

1.09 2015-07-02
- Require Digest::SHA instead of Digest::SHA1, RT#82316 (@bk2204).

1.08 2014-11-20
- Move distribution to Dist::Zilla.
- Require Alt::Crypt::RSA::BigInt instead of Crypt::RSA.
- Apply a patch from RT#82314 (@bk2204, @kmx).
- Add a test case from GH#7, yet to be fixed (@throughnothing).

1.07 2014-06-23
- Reformatted Changes as per CPAN::Changes::Spec.
- Fixed hash randomisation bug (RT#81442).
- Documentation now references most recent "OpenPGP Message Format" RFC.
- Fixed typo in Pod (@dsteinbrunner).
- Improved ASCII armor detection (@gwillen).
2016-04-16 | Update to 0.6.9 | wen | 2 | -7/+7
Upstream changes:

2016-01-07 Dirk Eddelbuettel <edd@debian.org>
  * DESCRIPTION (Version): Version 0.6.9
  * DESCRIPTION (Date): Bumped Date: to current date

2016-01-06 Dirk Eddelbuettel <edd@debian.org>
  * vignettes/sha1.Rmd: Small edits

2016-01-06 Thierry Onkelinx <thierry.onkelinx@inbo.be>
  * R/sha1.R: Add functions to calculate stable SHA1 with floating points
  * man/sha1.Rd: Add helpfile for sha1()
  * tests/num2hexTest.R: unit tests for num2hex() (non exported function)
  * tests/sha1Test.R: unit tests for sha1()
  * NAMESPACE: Export sha1 and its methods
  * DESCRIPTION: Add Thierry Onkelinx as contributor, bump Version and Date
  * README.md: Add Thierry Onkelinx as contributor
  * vignette/sha1.Rmd: Added
  * .travis.yml: Added 'sudo: required' per recent Travis changes

2015-10-14 Dirk Eddelbuettel <edd@debian.org>
  * man/digest.Rd: Remove references to inaccessible web pages
  * man/hmac.Rd: Ditto

2015-10-13 Dirk Eddelbuettel <edd@debian.org>
  * src/digest.c: Use uint32_t instead of int for nchar

2015-10-12 Qiang Kou <qkou@umail.iu.edu>
  * src/digest.c: Use XLENGTH instead of LENGTH (PR #17, issue #16)

2015-08-06 Dirk Eddelbuettel <edd@debian.org>
  * DESCRIPTION (Title): Updated now stressing 'compact' over 'crypto'

2014-12-30 Dirk Eddelbuettel <edd@debian.org>
  * DESCRIPTION (Version): Version 0.6.8
  * DESCRIPTION (Date): Bumped Date: to current date

2014-12-29 Dirk Eddelbuettel <edd@debian.org>
  * inst/include/pmurhashAPI.h: Added HOWTO comment to top of file

2014-12-26 Dirk Eddelbuettel <edd@debian.org>
  * src/pmurhash.c: Protect against _BIG_ENDIAN defined but empty
  * inst/include/pmurhash.h: Consistent four space indentation

2014-12-25 Dirk Eddelbuettel <edd@debian.org>
  * DESCRIPTION: Bump Date: and Version:
  * src/init.c: Minor edit and removal of unused headers

2014-12-25 Wush Wu <wush978@gmail.com>
  * inst/include/pmurhash.h: Export function
  * src/init.c: Register function for use by other packages

2014-12-20 Dirk Eddelbuettel <edd@debian.org>
  * DESCRIPTION (Version): Version 0.6.7
  * DESCRIPTION (Date): Bumped Date: to current date

2014-12-19 Dirk Eddelbuettel <edd@debian.org>
  * cleanup: Also remove src/symbols.rds
  * src/sha2.c: Apply (slightly edited) patch from https://www.nlnetlabs.nl/bugs-script/attachment.cgi?id=220&action=diff to overcome the strict-aliasing warning
  * src/digest.c: Use inttypes.h macro PRIx64 only on Windows

2014-12-16 Dirk Eddelbuettel <edd@debian.org>
  * src/xxhash.c: Remove two semicolons to make gcc -pedantic happy
  * tests/digestTest.Rout.save: Updated reflecting murmurHash test
  * src/pmurhash.c: Renamed from PMurHash.c for naming consistency
  * src/pmurhash.h: Renamed from PMurHash.h for naming consistency

2014-12-16 Jim Hester <james.f.hester@gmail.com>
  * src/digest.c: murmurHash implementation
  * tests/digestTest.R: murmurHash implementation
  * R/digest.R: murmurHash implementation
  * src/PMurHash.c: murmurHash implementation
  * src/PMurHash.h: murmurHash implementation

2014-12-10 Dirk Eddelbuettel <edd@debian.org>
  * src/xxhash.c: Applied pull request #6 by Jim Hester with updated upstream code and already corrected UBSAN issue identified by CRAN

2014-12-09 Dirk Eddelbuettel <edd@debian.org>
  * DESCRIPTION (Version): Version 0.6.6
  * DESCRIPTION (Date): Bumped Date: to current date
  * src/digest.c: Applied pull request #5 by Jim Hester providing portable integer printing inttypes.h header

2014-12-08 Dirk Eddelbuettel <edd@debian.org>
  * DESCRIPTION (Version): Version 0.6.5
  * DESCRIPTION (Date): Bumped Date: to current date
  * NAMESPACE: Expanded useDynLib() declaring C level symbols, in particular using digest_impl to for the C-level digest
  * R/AES.R: Use R symbols from NAMESPACE declaration in .Call()
  * R/digest.R: Use R symbol digest_impl to load C level digest

2014-12-07 Dirk Eddelbuettel <edd@debian.org>
  * DESCRIPTION: Edited Title and Description
  * R/digest.R: Added GPL copyright header, reindented to four spaces
  * src/digest.c: Reindented to four spaces
  * R/AES.R: Reindented to four spaces
  * R/hmac.R: Reindented to four spaces

2014-12-06 Dirk Eddelbuettel <edd@debian.org>
  * src/digest.c: Updated GPL copyright header
  * src/xxhash.c: Removed two spurious ';'
  * man/digest.Rd: Document 'seed' argument in \usage
  * tests/digest.Rout.save: Updated for expanded tests
  * DESCRIPTION: Add Jim Hester to list of Authors

2014-12-05 Dirk Eddelbuettel <edd@debian.org>
  * R/digest.R: Applied pull request #3 by Jim Hester with support for xxHash (https://code.google.com/p/xxhash/)
  * src/digest.c: Ditto
  * src/xxhash.c: xxHash implementation supplied as part of #3
  * src/xxhash.h: xxHash implementation supplied as part of #3
  * R/digest.R: Applied pull request #4 by Jim Hester with expanded support for xxHash providing xxhash32 and xxhash64
  * src/digest.c: Ditto
  * man/digest.Rd: Added documentation for xxHash, corrected typos
  * src/digest.R: New support for a seed parameter used by xxHash
  * tests/digestTest.R: Added tests for xxHash

2014-08-15 Dirk Eddelbuettel <edd@debian.org>
  * R/hmac.R: Applied (slightly edited) patch for crc32 computation of hmac kindly supplied by Suchen Jin
2016-04-14 | SunOS needs an explicit -lnsl. | jperkin | 1 | -1/+2
2016-04-14 | py-service_identity from version 16.0.0 also needs attrs module | leot | 1 | -2/+4
(hi wiz! :)) DEPENDS on devel/py-attrs now that we have it and bump PKGREVISION. While here also simplify MASTER_SITE.
2016-04-13 | Update p5-Net-SSLeay to 1.74. | wiz | 2 | -8/+7
1.74 2016-04-12
  README.OSX was missing from the distribution

1.73 2016-04-11
  Added X509_get_X509_PUBKEY. Patch supplied by GUILHEM. Thanks.
  Added README.OSX with instructions on how to build for recent OS X.
  Added info about using OPENSSL_PREFIX to README.Win32.
  Added comments in POD about installation documentation.
  Added '/usr/local/opt/openssl/bin/openssl' to Openssl search path for latest version of OSX homebrew openssl. Patch from Shoichi Kaji.
2016-04-13 | Update gnupg2 to 2.0.30. | wiz | 3 | -26/+7
Noteworthy changes in version 2.0.30 (2016-03-31)
-------------------------------------------------

* gpg: Avoid too early timeout during key generation with 2.1 cards.
* agent: Fixed printing of ssh fingerprints for 384 bit ECDSA keys.
* agent: Fixed an alignment bug related to the passphrase confirmation.
* scdaemon: Fixed a "conflicting usage" bug.
* scdaemon: Fixed usb card reader removal problem on Windows 8 and later.
* Fixed a problem on AIX due to peculiarity with RLIMIT_NOFILE.
* Updated the Japanese and Dutch translations.
* Fixed a few other bugs.
2016-04-13 | Update py-rsa to 3.4.1: | wiz | 2 | -7/+7
Version 3.4.1 - released 2006-03-26
----------------------------------------

- Included tests/private.pem in MANIFEST.in
- Included README.md and CHANGELOG.txt in MANIFEST.in
2016-04-13 | Update to 2.55 | wen | 2 | -8/+7
Upstream changes:

2016-03-09 Gisle Aas <gisle@ActiveState.com>

Release 2.55

Gordon Stanton (2):
  Make use warnings work including test cases.
  Initial Travis config

Gisle Aas (1):
  Avoid warning: 'static' is not at beginning of declaration [RT#105646]
2016-04-12 | Fix build on SunOS. Fix pkglint warnings while at it. | fhajny | 3 | -7/+25
Problem isolated and solution provided by @Kurlon https://github.com/joyent/pkgsrc/pull/350
2016-04-12 | Use ${MASTER_SITE_LOCAL} when you mean ${MASTER_SITE_LOCAL}. | wiz | 1 | -3/+2
2016-04-11 | Recursive revbump from textproc/icu 57.1 | ryoon | 12 | -23/+24
2016-04-10 | Avoid creating a fake zlib.pc, because if it does | dbj | 1 | -1/+5
gnutls will add a Requires.private for it in its .pc file
2016-04-08 | Update py-cryptography to 1.3.1. | wiz | 3 | -8/+14
1.3.1 - 2016-03-21
~~~~~~~~~~~~~~~~~~

* Fixed a bug that caused an ``AttributeError`` when using ``mock`` to patch some ``cryptography`` modules.

1.3 - 2016-03-18
~~~~~~~~~~~~~~~~

* Added support for padding ANSI X.923 with :class:`~cryptography.hazmat.primitives.padding.ANSIX923`.
* Deprecated support for OpenSSL 0.9.8. Support will be removed in ``cryptography`` 1.4.
* Added support for the :class:`~cryptography.x509.PolicyConstraints` X.509 extension including both parsing and generation using :class:`~cryptography.x509.CertificateBuilder` and :class:`~cryptography.x509.CertificateSigningRequestBuilder`.
* Added :attr:`~cryptography.x509.CertificateSigningRequest.is_signature_valid` to :class:`~cryptography.x509.CertificateSigningRequest`.
* Fixed an intermittent ``AssertionError`` when performing an RSA decryption on an invalid ciphertext, ``ValueError`` is now correctly raised in all cases.
* Added :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`.
2016-04-08 | Update p5-IO-Socket-SSL to 2.025. | wiz | 2 | -7/+7
2.025 2016/04/04
- Resolved memleak if SSL_crl_file was used: RT#113257, RT#113530
  Thanks to avi[DOT]maslati[AT]forescout[DOT]com and mark[DOT]kurman[AT]gmail[DOT]com for reporting the problem
2016-04-08 | Update p5-Crypt-PWSafe3 to 1.22. | wiz | 2 | -7/+7
1.22:

Records created by Crypt::PWSafe3 (eg. the ones fetched with getrecords) are now associated with the parent object, so that you can modify them directly and call $vault->save afterwards without using $vault->modifyrecord.

Erase passwd from memory using zeros instead of random bytes. fixes github#9.

Fixed rt.cpan.org#112975: Crypt::ECB (which we use) has been reworked and among other issues it fixed handling of padding. PWSafe3.pm did not specify a padding scheme (because it doesn't use it) and therefore Crypt::ECB enforced a default scheme which led to an invalid key size. Now we specify explicitly padding:none, as suggested by Christoph Appel.
2016-04-07 | Update to 2.15 | wen | 2 | -7/+7
Upstream changes:

v2.15, 14.03.2016
- removing caching with v2.00 made Crypt::ECB ignorant of key changes within the same Crypt::ECB object. Fixed, changing the key now forces a new cipher object to be created.
- added some notes on upgrading from versions before v2.00 to the README
2016-04-06 | Added BUILD_DEPENDS+=xterm>=322:../../x11/xterm in order to quickly fix: | imil | 1 | -1/+3
"xterm" binary not found - please amend $PATH or the cssh config file ok wiz@
2016-04-04 | Fix build with API differences in xulrunner. | joerg | 5 | -3/+84
2016-04-04 | Explicitly depend on the mozilla CA list for providing a trust anchor. | joerg | 1 | -1/+6
NetBSD doesn't ship a CA bundle by default.
2016-04-01 | Support PKGMANDIR. | jperkin | 2 | -6/+8
2016-04-01 | Honour --mandir. Fixes PKGMANDIR. | jperkin | 2 | -1/+14
2016-04-01 | Support PKGMANDIR. | jperkin | 2 | -1/+19
2016-04-01 | Support PKGMANDIR. | jperkin | 2 | -1/+19
2016-04-01 | Support --mandir. Fixes PKGMANDIR. | jperkin | 2 | -1/+17
2016-03-30 | Use PKGMANDIR. Add patch comment. | jperkin | 2 | -5/+8
2016-03-30 | Use PKGMANDIR. Add patch comment. | jperkin | 2 | -6/+8
2016-03-29 | Remove support for SSLv2 | khorben | 3 | -26/+45
This fixes the build with the newest OpenSSL from pkgsrc. Bump revision.
2016-03-29 | Remove SSLv2 support. Bump revision. | joerg | 3 | -3/+27
2016-03-24 | Update py-rsa to 3.4. | wiz | 2 | -7/+7
Fixes a security vulnerability. No proper changelog found, which I find even more astonishing for security software...
2016-03-20 | Fix pinentry configure argument. | wiz | 1 | -2/+2
Found by coypu.
2016-03-20 | Release Notes - OpenSAML 2 - C++ - Version 2.5.5 | pettai | 3 | -10/+9
** Bug
    * [CPPOST-91] - BOOST autoconf macros break with gcc5

Release Notes - OpenSAML 2 - C++ - Version 2.5.4

** Bug
    * [CPPOST-87] - legacyOrgNames doesn't work as expected with empty mdui:UIInfo
    * [CPPOST-88] - Insufficient XML entity encoding in Metadata Status generation
    * [CPPOST-90] - Condition validation for empty element incorrectly requires either a NotBefore or a NotOnOrAfter attribute

This is part of fixing PR pkg/50354
2016-03-20 | Update to 5.5.4 | ryoon | 3 | -13/+18
* Based on Firefox 38.7.1
* Fix PR pkg/50975: security/tor-browser is built without -pie
* Store cache in ~/.tor-browser-caches instead of ~/Caches
2016-03-18 | Fix build on 64 bit intel systems with yasm installed. | tez | 1 | -1/+2
2016-03-15 | Update openssh to 7.2.2 (7.2p2). | bsiegert | 8 | -110/+57
Changes since OpenSSH 7.2p1
===========================

This release fixes a security bug:

 * sshd(8): sanitise X11 authentication credentials to avoid xauth command injection when X11Forwarding is enabled.

Full details of the vulnerability are available at: http://www.openssh.com/txt/x11fwd.adv
2016-03-15 | Missed one checksum update... fixed. | tez | 1 | -2/+2
2016-03-15 | Update to 1.14.1 resolving all reported vulnerabilities including: | tez | 34 | -790/+241
CVE-2015-2695 CVE-2015-2696 CVE-2015-2697 CVE-2015-2698 CVE-2015-8629 CVE-2015-8630 CVE-2015-8631
2016-03-15 | Update HOMEPAGE. | taca | 3 | -28/+13
Changes from 0.4.7 are too many to write here, please refer to the commit log: <https://github.com/oauth-xx/oauth-ruby/commits/master>.
2016-03-15 | Update ruby-bcrypt to 3.1.11. | taca | 2 | -7/+7
3.1.11 Mar 06 2016
- Add support for Ruby 2.2 in compiled Windows binaries
2016-03-14 | Update to 5.5.3 | ryoon | 3 | -29/+8
Changelog: Rebase to Firefox 38.7.0
2016-03-14 | Update to 0.67 | ryoon | 2 | -7/+7
Changelog:

2016-03-05 PuTTY 0.67 released, fixing a SECURITY HOLE

PuTTY 0.67, released today, fixes a security hole in 0.66 and before: vuln-pscp-sink-sscanf. It also contains a few other small bug fixes.

Also, for the first time, the Windows executables in this release (including the installer) are signed using an Authenticode certificate, to help protect against tampering in transit from our website or after downloading. You should find that they list "Simon Tatham" as the verified publisher.
2016-03-14 | Update lasso to 2.5.1 | manu | 4 | -10/+15
Changes since 2.4.1 from NEWS file:

2.5.1 - February 19th 2016
---------------------------
17 commits, 16 files changed, 1096 insertions, 42 deletions

- Add missing urn constants used in PAOS HTTP header
- Set NotBefore in SAML 2.0 login assertions
- tests: fix leak in test test16_test_get_issuer
- id-ff: fix leak of profile->private_data->message_id
- saml-2.0: fix leak of message_id in lasso_profile_saml20_build_paos_request_msg
- tests: fix leaks in test_ecp
- xml: fix wrong termination of comment
- xml: fix leak in lasso_soap_envelope_new_full
- profile: fix leak of private idp_list field
- saml-2.0: fix leaks of url
- tests: fix leak
- tests: update valgrind suppressions
- perl: remove quotes from $PERL -V::ccflags: output (#9572)
- Fix wrong snippet type (fixes #9616). Thanks to Brett Gardner for the patch.
- tools.c: use correct NID and digest length when building RSA signature using SHA-2 digest (fixes #10019) Thanks to Brett Gardner for the patch.
- bindings/php5: fix enum getters and setters (fixes #10032). Thanks to Brett Gardner for the bug report.
- fix warning about INCLUDES directive

2.5.0 - September 2nd 2015
--------------------------
151 commits, 180 files changed, 8391 insertions, 1339 deletions

- lots of bugfixes (reported by static analysis tools like clang, coverity and manual inspection) thanks to Simo Sorce and John Dennis from RedHat
- xsd:choices are now parsed correctly by implementing a real finite automata for parsing XML documents. New flag for jumping forward and backward in schema snippets have been added. It fixes parsing of message from third party not following the order from the schema (they are entitled to do it but most SAML implementations do not)
- added C CGI examples for SP and IdP side
- removed the _POSIX_SOURCE declaration
- added support for the SHA-2 family of hash functions
- fixed protocol profile selection when parsing AuthnRequest
- added support for Python 3, thanks to Houzefa Abbasbhay from XCG Consulting
- fixed default value of WantAuthnRequestSigned in metadata parsing
- SAML 2.0 ECP is now functional, thanks to John Dennis from RedHat
- added two new API functions to LassoProfile to extract the Issuer and InResponseTo attribute of messages, allowing pre-treatment before parsing the message, to load the metadata of the remote provider, or find the request which the response matches.
- fixed segfault when parsing HTTP-Redirect malformed base64 content
- added support for automake 1.15 (jdennis)
2016-03-13 | Update p5-Crypt-ECB to 2.10: | wiz | 2 | -7/+7
v2.10, 07.03.2016
- forgot another change in the v2.00 changelog...
- changed license from GPL to Artistic
- improved kwalitee:
- added license information to meta files
- removed test.pl
- added eg/ecb.pl (command line en- and decryption)
- added dummy cipher, so the test suite makes sense even if there are no block ciphers installed
- refactored test data from test scripts
2016-03-13 | Bump PKGREVISION by changing default version of Ruby. | taca | 2 | -4/+4
2016-03-13 | Update to 0.22.1 | ryoon | 5 | -30/+59
Changelog:

0.22.1 (stable)
* Use SubjectKeyIdentifier for CKA_ID when available [#84761]
* Allow 'BEGIN PuBLIC KEY' PEM blocks in .p11-kit files
* Bump libtool library version
* Build fixes [#84665 ...]

0.22.0 (stable)
* Remove the 'isolated = yes' option due to unclear semantics replacement forthcoming in later versions.
* Use secure_getenv() where necessary
* Run separate binary for 'p11-kit remote' command

0.21.3 (unstable)
* New public pkcs11x.h header containing extensions [#83495]
* Export necessary defines to lookup attached extensions [#83495]
* Use term 'attached extensions' rather than 'stapled extensions'
* Make proxy module respect 'critical = no' [#83651]
* Show public-key-info in 'trust list --details'
* Build fixes [#75674 ...]

0.21.2 (unstable)
* Don't use invalid keys for looking up stapled extensions [#82328]
* Better error messages when invalid certificate extensions
* Fix parsing of some odd OpenSSL TRUSTED CERTIFICATE files
* Fix some leaks, and memory issues
* Silence some clang scanner warnings
* Fix build against older pthread implementations [#82617]
* Move to a non-recursive Makefile
* Can now specify which tests to run on command line

0.21.1 (unstable)
* Add new 'isolate' pkcs11 config option [#80472]
* Add 'p11-kit remote' command for isolating modules [#54105]
* Don't complain about C_Finalize after a fork
* Other minor fixes

0.20.3 (stable)
* Fix problems reinitializing managed modules after fork
* Fix bad bookkeeping when fail initializing one of the modules
* Fix case where module would be unloaded while in use [#74919]
* Remove assertions when module used before initialized [#74919]
* Fix handling of mmap failure and mapping empty files [#74773]
* Stable p11_kit_be_quiet() and p11_kit_be_loud() functions
* Require automake 1.12 or later
* Build fixes for Windows [#76594 #74149]

0.20.2 (stable)
* Fix bug where blacklist didn't affect extracted ca-anchors if the anchor and blacklist were not in the same trust path (regression) [#73558]
* Check for race in BasicConstraints stapled extension [#69314]
* autogen.sh now runs configure as srcdir != builddir by default
* Build fixes and cleanup

0.20.1 (stable)
* Extract compat trust data after we've changes
* Skip compat extraction if running as non-root
* Better failure messages when removing anchors
* Build cleanup

0.20.0 (stable)
* Doc fixes

0.19.4 (unstable)
* 'trust anchor' now adds/removes certificate anchors
* 'trust list' lists trust policy stuff
* 'p11-kit extract' is now 'trust extract'
* 'p11-kit extract-trust' is now 'trust extract-compat'
* Workarounds for working on broken zfsonlinux.org [#68525]
* Add --with-module-config parameter to the configure script [#68122]
* Add support for removing stored PKCS#11 objects in trust module
* Various debugging tweaks

0.19.3 (unstable)
* Fix up problems with automake testing
* Fix a bunch of memory leaks in newly refactored code
* Don't use _GNU_SOURCE and the unportability it brings
* Testing fixes

0.19.2 (unstable)
* Add basic 'trust anchor' command to store a new anchor
* Support for writing out trust token objects
* Port to use CKA_PUBLIC_KEY_INFO and updated trust store spec
* Add option to use freebl for hashing
* Implement reloading of token data
* Fix warnings and possible minor bugs highlighted by code scanners
* Don't load configs in home directories when running setuid or setgid
* Support treating ~/.config as $XDG_CONFIG_HOME
* Use $XDG_DATA_HOME/pkcs11 as default user config directory
* Use $TMPDIR instead of $TEMP while testing
* Open files and fds with O_CLOEXEC
* Abort initialization if a critical module fails to load
* Don't use thread-unsafe functions: strerror, getpwuid
* Fix p11_kit_space_strlen() result when empty string
* Refactoring of where various components live
* Build fixes

0.19.1 (unstable)
* Refactor API to be able to handle managed modules
* Deprecate much of old p11-kit API
* Implement concept of managed modules
* Make C_CloseAllSessions function work for multiple callers
* New dependency on libffi
* Fix possible threading problems reported by helgrind
* Add log-calls option
* Mark p11_kit_message() as a stable function
* Use our own unit testing framework

0.18.3 (stable)
* Fix reinitialization of trust module [#65401]
* Fix crash in trust module C_Initialize
* Mac OS fixes [#57714]

0.18.2 (stable)
* Build fixes [#64378 ...]

0.18.1 (stable)
* Put the external tools in $libdir/p11-kit
* Documentation build fixes

0.18.0 (stable)
* Fix use of trust module with gcr and empathy [#62896]
* Further tweaks to trust module date parsing
* Fix unaligned memory reads [#62819]
* Win32 fixes [#63062, #63046]
* Debug and logging tweaks [#62874]
* Other build fixes

0.17.5 (unstable)
* Don't try to guess at overflowing time values on 32-bit systems [#62825]
* Test fixes [#927394]

0.17.4 (unstable)
* Check for duplicate certificates in a token, warn and discard [#62548]
* Implement a proper index so we have decent load performance

0.17.3 (unstable)
* Use descriptive labels for the trust module tokens [#62534]
* Remove the temporary built in distrust objects
* Make extracted output directories and files read-only [#61898]
* Don't export unnecessary ABI
* Build fixes [#62479]

0.17.2 (unstable)
* Fix build on 32-bit linux
* Fix several crashers

0.17.1 (unstable)
* Support a p11-kit specific PKCS#11 attribute persistence format [#62156]
* Use the SHA1 hash of SPKI as the CKA_ID in the trust module by default [#62329]
* Refactor a trust builder which builds objects out of parsed data [#62329]
* Combine trust policy when extracting certificates [#61497]
* The extract --comment option adds comments to PEM bundles [#62029]
* A new 'priority' config option for ordering modules [#61978]
* Make each configured path its own trust module token [#61499]
* Use --with-trust-paths to configure trust module [#62327]
* Fix bug decoding some PEM files
* Better debug output for trust module lookups
* Work around bug in NSS when doing serial number lookups
* Work around broken strndup() function in firefox
* Fix the nickname for the distrusted attribute
* Build fixes

0.16.4 (stable)
* Display per command help again [#62153]
* Don't always print tools debug output [#62152]

0.16.3 (stable)
* When iterating don't skip tokens without the CKF_TOKEN_INITIALIZED flag
* Hardcode some distrust records for NSS temporarily
* Parse global options better in the p11-kit command
* Better debugging

0.16.2 (stable)
* Fix regression in 'p11-kit extract --purpose' option [#62009]
* Documentation updates
* Build fixes [#62001, ...]

0.16.1 (stable)
* Don't break when cA field of BasicConstraints is missing [#61975]
* Documentation fixes and updates
* p11-kit extract-trust is a placeholder script now

0.16.0 (stable)
* Update the pkcs11.h header for new mechanisms
* Fix build and tests on mingw64 (ie: win32)
* Relicense LGPL code to BSD license
* Documentation tweaks
* Pull translations from Transifex [#60792]
* Build fixes [#61739, #60894, #61740]

0.15.2 (unstable)
* Add German and Finnish translations
* Better define the libtasn1 dependency
* Crasher and bug fixes
* Build fixes

0.15.1 (unstable)
* Fix some memory leaks
* Add a location for packages to drop module configs
* Documentation updates and fixes
* Add command line tool manual page
* Remove unused err() function and friends
* Move more code into common/ directory and refactor
* Add a system trust policy module
* Refactor how the p11-kit command line tool works
* Add p11-kit extract and extract-trust commands
* Don't complain if we cannot access ~/.pkcs11/pkcs11.conf
* Refuse to load the p11-kit-proxy.so as a registered module
* Don't fail initialization if last initialized module fails

0.14
* Change default for user-config to merge
* Always URI-encode the 'id' attribute in PKCS#11 URIs
* Expect a .module extension on module configs
* Windows compatibility fixes
* Testing fixes
* Build fixes

0.13
* Don't allow reading of PIN files larger than 4096 bytes
* If a module is not marked as critical then ignore init failure
* Use preconditions to check for input problems and out of memory
* Add enable-in and disable-in options to module config
* Fix the flags in pin.h
* Use gcc extensions to check varargs during compile
* Fix crasher when a duplicate module is present
* Fix broken hashmap behavior
* Testing fixes
* Win32 build fixes
* 'p11-kit -h' now works
* Documentation fixes

0.12
* Build fix

0.11
* Remove automatic reinitialization of PKCS#11 after fork
2016-03-12 | Enable php-oauth1 | fhajny | 1 | -1/+2