Revisions of p11-kit
Stefan Schäfer (flacco)
accepted
request 1099645
from
Stefan Schäfer (flacco)
(revision 6)
- make sure p11-kit components have matching versions (boo#1196812)
- Update to version 0.24.1:
* rpc: Support protocol version negotiation.
* proxy: Support copying attribute array recursively.
* Link libp11-kit so that it cannot unload.
* Translation improvements.
* Build fixes.
- Update to version 0.24.0:
* Use inclusive language on certificate distrust. Note: This
changes the directory and attribute names to distrust certain
CAs to "blocklist".
* Fix issues spotted by coverity and ASan.
* Integrate gettext with tools more tightly.
* rpc: Forbid use of array of attributes.
* Build fixes.
- Change dirs from blacklist to blocklist ref upstream changes.
- Enable systemd support
- update to 0.23.22 (bsc#1180064, bsc#1180065, bsc#1180066, jsc#SLE-18495):
* Fix memory-safety issues that affect the RPC protocol
(CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363), discovered
and fixed by David Cook
* anchor: Prefer persistent format when storing anchor [PR#329]
* common: Fix infloop in p11_path_build [PR#326, PR#327]
* proxy: C_CloseAllSessions: Make sure that calloc args are non-zero [PR#325]
* common: Check for a NULL locale before freeing it [PR#321]
* proxy: Do not assign duplicate slot IDs [PR#282]
* common: Get program name based on executable path if possible [PR#307]
* anchor: Exit with non-zero code, if any error occurs [PR#304]
* Build and test fixes
- avoid bareword to fix build failure
- Update to version 0.23.20:
* Revert "Fix RPC when length-s are 0" changes [PR#276]
- Changes for version 0.23.19:
* common: add Russian PKCS#11 extensions to pkcs11x.h header [PR#255]
* Add simple bash completion for provided commands [PR#258]
* Unbreak list matching in enable-in and disable-in [PR#262]
* Fix RPC when length-s are 0 [PR#259]
* rpc: Add vsock transport support [PR#270]
* trust: Support CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER [PR#265]
* Build fixes [PR#271, PR#272, PR#273, ...]
- Changes for version 0.23.18:
* rpc: Allow empty CK_DATE value [PR#253]
* build: Meson fixes [PR#245]
* build: Adjust feature parity between meson and autotools [PR#247]
- Changes for version 0.23.17:
* common: Fix uClibc-ng compilation [PR#237]
* trust: do not allow daylight to invalidate date validation [PR#236]
* build: Port to meson build system [PR#231, PR#234]
* rpc: On UNIX wait on condition variable instead of FD if header is for a different thread [PR#232]
* doc: Add 'server' command in help [PR#229]
* Build and test fixes [PR#230]
- Changes for version 0.23.16:
* proxy: Support C_WaitForSlotEvent() if CKF_DONT_BLOCK is specified [PR#225]
* conf: Ignore user configuration if the program is running as root [PR#226]
* proxy: Refresh slot list on every C_GetSlotList call [PR#224]
* modules: Fix index used in call to p11_dict_remove() [PR#219]
* Fix Win32 p11_dl_error crash [PR#218]
* modules: check gl.modules before iterates on it when freeing [PR#217]
* trust: Ignore unreadable content in anchors [PR#215]
* extract-jks: Prefer _p11_extract_jks_timestamp to SOURCE_DATE_EPOCH [PR#213]
- Changes for version 0.23.15:
* trust: Improve error handling if backed trust file is corrupted [PR#206]
* url: Prefer upper-case letters in hex characters when encoding [PR#193]
* trust/extract-jks.c: also honor SOURCE_DATE_EPOCH time [PR#202]
* virtual: Prefer fixed closures to libffi closures [PR#196]
* Fix issues spotted by coverity and cppcheck [PR#194, PR#204]
* Build and test fixes [PR#164, PR#191, PR#199, PR#201]
- Changes for version 0.23.14:
* proxy: Avoid invalid memory access when unloading proxy module [PR#180]
* Update pkcs11 header to allow SoftHSMv2 to compile [PR#181]
* build: Restore libpthread dependency [PR#183]
* Build fixes [PR#188]
- Changes for version 0.23.13:
* server: Enable socket activation through systemd [PR#173]
* rpc-server: p11_kit_remote_serve_tokens: Allow exporting all modules [PR#174]
* proxy: Fail early if there is no slot mapping [PR#175]
* Remove hard dependency on libpthread [PR#177]
* Build fixes [PR#170, PR#176]
- Remove obsolete patches:
* 0001-Support-loading-new-NSS-attribute-CKA_NSS_MOZILLA_CA.patch
* 0001-Fix-a-typo-in-x-cetrificate-value-see-also-https-bug.patch
- Also build documentation (boo#1013125)
- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox
detects built in certificates (boo#1154871,
0001-Fix-a-typo-in-x-cetrificate-value-see-also-https-bug.patch,
0001-Support-loading-new-NSS-attribute-CKA_NSS_MOZILLA_CA.patch)
- Move RPM macros to %_rpmmacrodir.
- New version 0.23.12
* Fix compile error when PKCS#11 GNU calling convention enabled
- Changelog from version 0.23.11
* trust: Add extractor for edk2/cacerts.bin
* modules: Add option to control module visibility from proxy
* trust: Prevent trust module being loaded by proxy module
* library: Use dedicated locale object for printing error
* Treat CKR_CRYPTOKI_ALREADY_INITIALIZED correctly
* Improve const correctness for P11KitUri
* PKCS#11 URI scheme comparison is now case insensitive
- Drop p11-kit-biarch.patch: Obsolete since 0.23.10
- New version 0.23.10
* New p11-kit server command
* The trust policy module now recognizes CKA_NSS_MOZILLA_CA_POLICY attribute
* New trust dump command
* New envvar P11_KIT_NO_USER_CONFIG to stop looking at user configurations
* trust: Respect anyExtendedKeyUsage in CA certificates
* Support x-init-reserved argument of C_Initialize() in remote modules
* install private executables in libexecdir, obsoletes p11-kit-biarch.patch
- new server subpackage
- change keyring to new maintainer Daiki Ueno
- Changes for version 0.23.9
* Fix p11-kit server regressions [PR#103, PR#104]
* trust: Respect anyExtendedKeyUsage in CA certificates [PR#99]
* Build fixes related to reallocarray [PR#96, PR#98, PR#100]
- Changes for version 0.23.8
* Improve vendor query attributes handling in PKCS#11 URI [PR#92]
* Add OTP and GOST mechanisms to pkcs11.h [PR#90, PR#91]
* New envvar P11_KIT_NO_USER_CONFIG to stop looking at user
configurations [PR#87]
* Build fixes for Solaris and 32-bit big-endian platforms [PR#81, PR#86]
- Changes for version 0.23.7
* Fix memory issues with "p11-kit server" [PR#78]
* Build fixes [PR#77 ...]
- Changes for version 0.23.6
* Port "p11-kit server" to Windows and portability fixes of the RPC
protocol [PR#67, PR#72, PR#74]
* Recover the old behavior of "trust anchor --remove" [PR#70, PR#71]
* Build fixes [PR#63 ...]
- Changes for version 0.23.5
* Fix license notice of common/unix-peer.c [PR#58]
* Remove systemd unit files for now [PR#60]
* Build fixes for FreeBSD [PR#56]
- Changes for version 0.23.4
* Recognize query attributes defined in PKCS#11 URI (RFC7512) [PR#31,
PR#37, PR#52]
* The trust policy module now recognizes CKA_NSS_MOZILLA_CA_POLICY
attribute, used by Firefox [#99453, PR#46]
* Add 'trust dump' command to dump all PKCS#11 objects in the
persistence format [PR#44]
* New experimental 'p11-kit server' command that allows PKCS#11
forwarding through a Unix domain socket. A client-side module
p11-kit-client.so is also provided [PR#15]
* Add systemd unit files for exporting the proxy module through a
Unix domain socket [PR#35]
* New P11KitIter API to iterate over slots, tokens, and modules in
addition to objects [PR#28]
* libffi dependency is now optional [PR#9]
* Build fixes for FreeBSD, macOS, and Windows [PR#32, PR#39, PR#45]
- Changes for version 0.23.3
* Install private executables in libexecdir [fdo#98817]
* Fix link error of proxy module on macOS [fdo#98022]
* Use new PKCS#11 URI specification for URIs [fdo#97245]
* Support x-init-reserved argument of C_Initialize() in remote modules
[fdo#80519]
* Incorporate changes from PKCS#11 2.40 specification
* Bump libtool library version
* Documentation fixes
* Build fixes [fdo#87192 ...]
- Use %license instead of %doc [bsc#1082318]
- 32-bit compatibility fixes:
* Add PKCS11 module to p11-kit-32bit (bsc#996047#c39)
* Add p11-kit-nss-trust-32bit NSS module
* Fix potential bi-arch issue with private binaries
(fdo#98817, p11-kit-biarch.patch)
- Update to 0.23.2
* Fix forking issues with libffi
* Fix various crashes in corner cases
* Updated translations
* Build fixes
- Make building more verbose
- Enable tests
- Small spec file cleanup with spec-cleaner
- Update to version 0.23.1 (stable)
* Use new PKCS#11 URI draft fields for URIs [fdo#86474 fdo#87582]
* Add pem-directory-hash extract format
* Build fixes
- Remove 0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff;
fixed on upstream release
- Remove autoconf, automake and libtool require; unneeded dependencies
- Add gtk-doc require; needed to build html documentation
- Remove redundant %clean section
- remove patches:
* trust-Print-label-of-certificate-when-complaining-.patch
* trust-Dont-use-invalid-public-keys-for-looking-up-.patch
- new version 0.20.7 (stable)
* New public pkcs11x.h header containing extensions [fdo#83495]
* Export necessary defines to lookup attached extensions [fdo#83495]
* Build fixes
- new version 0.20.6 (stable)
* Make the p11-kit-proxy.so module respect critical = no [fdo#83651]
* Build fix for FreeBSD [fdo#75674]
- new version 0.20.5 (stable)
* Don't use invalid keys for looking up stapled extensions [fdo#82328]
* Better error messages when invalid certificate extensions
* Fix parsing of some odd OpenSSL TRUSTED CERTIFICATE files
* Fix some leaks, and memory issues
* Silence some clang scanner warnings
- new version 0.20.4 (stable)
* Don't complain about C_Finalize after a fork
* Fix typo
- new version 0.20.3
* Fix problems reinitializing managed modules after fork
* Fix bad bookeeping when fail initializing one of the modules
* Fix case where module would be unloaded while in use [#74919]
* Remove assertions when module used before initialized [#74919]
* Fix handling of mmap failure and mapping empty files [#74773]
* Stable p11_kit_be_quiet() and p11_kit_be_loud() functions
* Require automake 1.12 or later
* Build fixes for Windows [#76594 #74149]
- apply patches to avoid errors from certificates with invalid public key
(fdo#82328, bnc#890908,
trust-Dont-use-invalid-public-keys-for-looking-up-.patch,
trust-Print-label-of-certificate-when-complaining-.patch)
- New version 0.20.2
* Fix bug where blacklist didn't affect extracted ca-anchors if the anchor
and blacklist were not in the same trust path (regression) [fdo#73558]
* Check for race in BasicConstraints stapled extension [fdo#69314]
* Build fixes and cleanup
- added .sig file. trying to locate source of the keyring.
- trust: allow to also add openssl style hashes to pem-directory
0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff
- upgrade to 0.20.1 which is 0.19 declared stable
* Extract compat trust data after we've changes
* Skip compat extraction if running as non-root
* Better failure messages when removing anchors
- new version 0.19.4
* 'trust anchor' now adds/removes certificate anchors
* 'trust list' lists trust policy stuff
* 'p11-kit extract' is now 'trust extract'
* 'p11-kit extract-trust' is now 'trust extract-compat'
* Workarounds for working on broken zfsonlinux.org [#68525]
* Add --with-module-config parameter to the configure script [#68122]
* Add support for removing stored PKCS#11 objects in trust module
- new version 0.19.3
* Fix up problems with automake testing
* Fix a bunch of memory leaks in newly refactored code
* Don't use _GNU_SOURCE and the unportability it brings
* Add basic 'trust anchor' command to store a new anchor
* Support for writing out trust token objects
* Port to use CKA_PUBLIC_KEY_INFO and updated trust store spec
* Add option to use freebl for hashing
* Implement reloading of token data
* Fix warnings and possible minor bugs higlighted by code scanners
* Don't load configs in home directories when running setuid or setgid
* Support treating ~/.config as $XDG_CONFIG_HOME
* Use $XDG_DATA_HOME/pkcs11 as default user config directory
* Use $TMPDIR instead of $TEMP while testing
* Open files and fds with O_CLOEXEC
* Abort initialization if a critical module fails to load
* Don't use thread-unsafe functions: strerror, getpwuid
* Fix p11_kit_space_strlen() result when empty string
* Refactoring of where various components live
- fix 32bit provides of libnssckbi.so
- repace p11-kit-extract-trust with update-ca-certificates
- provide libnssckbi.so to replace mozilla-nss-certs
- add p11-kit-nss-trust subpackage that serves as drop-in
replacement for mozilla-nss-certs
- use /etc/pki/trust and /usr/share/pki/trust as system CA
certificate store
- Update to version 0.19.1:
+ Refactor API to be able to handle managed modules.
+ Deprecate much of old p11-kit API.
+ Implement concept of managed modules.
+ Make C_CloseAllSessions function work for multiple callers.
+ New dependency on libffi.
+ Fix possible threading problems reported by hellgrind.
+ Add log-calls option.
+ Mark p11_kit_message() as a stable function.
+ Use our own unit testing framework.
- Add pkgconfig(libffi) BuildRequires: new dependency.
- Update to version 0.18.2:
+ Build fixes (fdo#64378)
- Also provide p11-kit-32bit (in fact, the pkcs#11 modules)
(bnc#819246).
- Update to version 0.18.1:
+ Put the external tools in $libdir/p11-kit.
+ Documentation build fixes.
- Update to version 0.18.0:
+ Fix use of trust module with gcr and empathy (fdo#62896).
+ Further tweaks to trust module date parsing.
+ Fix unaligned memory reads (fdo#62819).
+ Win32 fixes (fdo#63062, fdo#63046).
+ Debug and logging tweaks (fdo#62874).
+ Other build fixes.
- Update to version 0.17.5:
+ Don't try to guess at overflowing time values on 32-bit
systems (fdo#62825).
+ Test fixes (fdo#927394).
- Update to version 0.17.4:
+ Check for duplicate certificates in a token, warn and discard
(fdo#62548).
+ Implement a proper index so we have decent load performance.
- Update to version 0.17.3:
+ Use descriptive labels for the trust module tokens (fdo#62534).
+ Remove the temporary built in distrust objects.
+ Make extracted output directories and files read-only
(fdo#61898).
+ Don't export unneccessary ABI.
+ Build fixes (fdo#62479).
- Update to version 0.17.2:
+ Fix build on 32-bit linux.
+ Fix several crashers.
- Changes from version 0.17.1:
+ Support a p11-kit specific PKCS#11 attribute persistance format
(fdo#62156).
+ Use the SHA1 hash of SPKI as the CKA_ID in the trust module by
default (fdo#62329).
+ Refactor a trust builder which builds objects out of parsed
data (fdo#62329).
+ Combine trust policy when extracting certificates (fdo#61497).
+ The extract --comment option adds comments to PEM bundles
(fdo#62029).
+ A new 'priority' config option for ordering modules
(fdo#61978).
+ Make each configured path its own trust module token
(fdo#61499).
+ Use --with-trust-paths to configure trust module (fdo#62327).
+ Fix bug decoding some PEM files.
+ Better debug output for trust module lookups.
+ Work around bug in NSS when doing serial number lookups.
+ Work around broken strndup() function in firefox.
+ Fix the nickname for the distrusted attribute.
+ Build fixes.
- Add ca-certificates BuildRequires: needed to find the location of
the root certificates.
- Update to version 0.16.4:
+ Display per command help again (fdo#62153).
+ Don't always print tools debug output (fdo#62152).
- Changes from version 0.16.3:
+ When iterating don't skip tokens without the
CKF_TOKEN_INITIALIZED flag.
+ Hardcode some distrust records for NSS temporarily.
+ Parse global options better in the p11-kit command.
+ Better debugging.
- Changes from version 0.16.2:
+ Fix regression in 'p11-kit extract --purpose' option
(fdo#62009)
+ Documentation updates
+ Build fixes (fdo#62001).
- Changes from version 0.16.1:
+ Don't break when cA field of BasicConstraints is missing
(fdo#61975).
+ Documentation fixes and updates.
+ p11-kit extract-trust is a placeholder script now.
- Update to version 0.16.0:
+ Update the pkcs11.h header for new mechanisms
+ Fix build and tests on mingw64 (ie: win32)
+ Relicense LGPL code to BSD license
+ Documentation tweaks
+ Bugs fixed: fdo#61739, fdo#60894, fdo#61740, fdo#60792
+ Updated translations.
- Changes from version 0.15.2:
+ Better define the libtasn1 dependency.
+ Crasher and bug fixes.
+ Build fixes.
+ Updated translations.
- Changes from version 0.15.1:
+ Fix some memory leaks.
+ Add a location for packages to drop module configs.
+ Documentation updates and fixes.
+ Add command line tool manual page.
+ Remove unused err() function and friends.
+ Move more code into common/ directory and refactor.
+ Add a system trust policy module.
+ Refactor how the p11-kit command line tool works.
+ Add p11-kit extract and extract-trust commands.
+ Don't complain if we cannot access ~/.pkcs11/pkcs11.conf.
+ Refuse to load the p11-kit-proxy.so as a registered module.
+ Don't fail initialization if last initialized module fails.
- Update to version 0.14:
+ Change default for user-config to merge
+ Always URI-encode the 'id' attribute in PKCS#11 URIs
+ Expect a .module extension on module configs
+ Windows compatibility fixes
+ Testing fixes
+ Build fixes
- Update to version 0.13:
+ Don't allow reading of PIN files larger than 4096 bytes
+ If a module is not marked as critical then ignore init failure
+ Use preconditions to check for input problems and out of memory
+ Add enable-in and disable-in options to module config
+ Fix the flags in pin.h
+ Use gcc extensions to check varargs during compile
+ Fix crasher when a duplicate module is present
+ Fix broken hashmap behavior
+ Testing fixes
+ Win32 build fixes
+ 'p11-kit -h' now works
+ Documentation fixes
- Update to version 0.12:
+ Build fix.
- Update to version 0.11:
+ Remove automatic reinitialization of PKCS#11 after fork
- Update to version 0.10:
+ Build fixes, for windows, gcc 4.6.1.
- Update to version 0.9:
+ p11-kit can't be used as a static library.
+ Fix problems crashing when freeing TLS on windows.
+ Add debug output to windows init and uninit of library.
+.Build fixes, especially for windows
- Update to version 0.8:
+ Rename non-static functions to have a _p11_xxx prefix
+ No concurrent calling of C_Initialize and C_Finalize
+ Print more information in 'p11-kit -l'
+ Initial port to win32
+ Build and testing fixes.
- Update to version 0.7:
+ Expand p11-kit config variables correctly in various build
scenarios
+ Add test tool to print out error messages
+ Build fix on FreeBSD
- Update to version 0.6:
+ Add concept of a default module directory from which modules
with relative paths are loaded.
+ Renamed pkg-config variables to make it clearer what's what.
- Update to version 0.5:
+ Fix crasher in p11_kit_registered_modules()
+ Add 'critical' setting for modules, which defaults to 'no'
+ Fix initialization issues in the proxy module
- Update to version 0.4:
+ Fix endless loop if module forks during initialization
+ Update PKCS#11 URI code for new draft of spec
+ Don't fail when duplicate modules are configured
+ Better debug output
+ Add example configuration documentation
+ Support whitespace in PKCS#11 URIs
- Move the p11-kit.conf.example to the doc folder.
- Update to version 0.3:
+ Rewrite hash table, and simplify licensing.
+ Correct paths for p11-kit config files.
+ Many build fixes and tweaks.
- Remove Apache-2 part from License tag, as the code was rewritten.
- Initial package (version 0.2).
Ingo Göppert (ingogoeppert)
committed
(revision 5)
Ingo Göppert (ingogoeppert)
committed
(revision 4)
Stefan Schäfer (flacco)
committed
(revision 3)
Stefan Schäfer (flacco)
committed
(revision 2)
Stefan Schäfer (flacco)
committed
(revision 1)
Displaying all 6 revisions
