Request 1099645 (accepted)

Overview

Request 1099645 accepted

- make sure p11-kit components have matching versions (boo#1196812)
- Update to version 0.24.1:
* rpc: Support protocol version negotiation.
* proxy: Support copying attribute array recursively.
* Link libp11-kit so that it cannot unload.
* Translation improvements.
* Build fixes.
- Update to version 0.24.0:
* Use inclusive language on certificate distrust. Note: This
changes the directory and attribute names to distrust certain
CAs to "blocklist".
* Fix issues spotted by coverity and ASan.
* Integrate gettext with tools more tightly.
* rpc: Forbid use of array of attributes.
* Build fixes.
- Change dirs from blacklist to blocklist ref upstream changes.
- Enable systemd support
- update to 0.23.22 (bsc#1180064, bsc#1180065, bsc#1180066, jsc#SLE-18495):
* Fix memory-safety issues that affect the RPC protocol
(CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363), discovered
and fixed by David Cook
* anchor: Prefer persistent format when storing anchor [PR#329]
* common: Fix infloop in p11_path_build [PR#326, PR#327]
* proxy: C_CloseAllSessions: Make sure that calloc args are non-zero [PR#325]
* common: Check for a NULL locale before freeing it [PR#321]
* proxy: Do not assign duplicate slot IDs [PR#282]
* common: Get program name based on executable path if possible [PR#307]
* anchor: Exit with non-zero code, if any error occurs [PR#304]
* Build and test fixes
- avoid bareword to fix build failure
- Update to version 0.23.20:
* Revert "Fix RPC when length-s are 0" changes [PR#276]
- Changes for version 0.23.19:
* common: add Russian PKCS#11 extensions to pkcs11x.h header [PR#255]
* Add simple bash completion for provided commands [PR#258]
* Unbreak list matching in enable-in and disable-in [PR#262]
* Fix RPC when length-s are 0 [PR#259]
* rpc: Add vsock transport support [PR#270]
* trust: Support CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER [PR#265]
* Build fixes [PR#271, PR#272, PR#273, ...]
- Changes for version 0.23.18:
* rpc: Allow empty CK_DATE value [PR#253]
* build: Meson fixes [PR#245]
* build: Adjust feature parity between meson and autotools [PR#247]
- Changes for version 0.23.17:
* common: Fix uClibc-ng compilation [PR#237]
* trust: do not allow daylight to invalidate date validation [PR#236]
* build: Port to meson build system [PR#231, PR#234]
* rpc: On UNIX wait on condition variable instead of FD if header is for a different thread [PR#232]
* doc: Add 'server' command in help [PR#229]
* Build and test fixes [PR#230]
- Changes for version 0.23.16:
* proxy: Support C_WaitForSlotEvent() if CKF_DONT_BLOCK is specified [PR#225]
* conf: Ignore user configuration if the program is running as root [PR#226]
* proxy: Refresh slot list on every C_GetSlotList call [PR#224]
* modules: Fix index used in call to p11_dict_remove() [PR#219]
* Fix Win32 p11_dl_error crash [PR#218]
* modules: check gl.modules before iterates on it when freeing [PR#217]
* trust: Ignore unreadable content in anchors [PR#215]
* extract-jks: Prefer _p11_extract_jks_timestamp to SOURCE_DATE_EPOCH [PR#213]
- Changes for version 0.23.15:
* trust: Improve error handling if backed trust file is corrupted [PR#206]
* url: Prefer upper-case letters in hex characters when encoding [PR#193]
* trust/extract-jks.c: also honor SOURCE_DATE_EPOCH time [PR#202]
* virtual: Prefer fixed closures to libffi closures [PR#196]
* Fix issues spotted by coverity and cppcheck [PR#194, PR#204]
* Build and test fixes [PR#164, PR#191, PR#199, PR#201]
- Changes for version 0.23.14:
* proxy: Avoid invalid memory access when unloading proxy module [PR#180]
* Update pkcs11 header to allow SoftHSMv2 to compile [PR#181]
* build: Restore libpthread dependency [PR#183]
* Build fixes [PR#188]
- Changes for version 0.23.13:
* server: Enable socket activation through systemd [PR#173]
* rpc-server: p11_kit_remote_serve_tokens: Allow exporting all modules [PR#174]
* proxy: Fail early if there is no slot mapping [PR#175]
* Remove hard dependency on libpthread [PR#177]
* Build fixes [PR#170, PR#176]
- Remove obsolete patches:
* 0001-Support-loading-new-NSS-attribute-CKA_NSS_MOZILLA_CA.patch
* 0001-Fix-a-typo-in-x-cetrificate-value-see-also-https-bug.patch
- Also build documentation (boo#1013125)
- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox
detects built in certificates (boo#1154871,
0001-Fix-a-typo-in-x-cetrificate-value-see-also-https-bug.patch,
0001-Support-loading-new-NSS-attribute-CKA_NSS_MOZILLA_CA.patch)
- Move RPM macros to %_rpmmacrodir.
- New version 0.23.12
* Fix compile error when PKCS#11 GNU calling convention enabled
- Changelog from version 0.23.11
* trust: Add extractor for edk2/cacerts.bin
* modules: Add option to control module visibility from proxy
* trust: Prevent trust module being loaded by proxy module
* library: Use dedicated locale object for printing error
* Treat CKR_CRYPTOKI_ALREADY_INITIALIZED correctly
* Improve const correctness for P11KitUri
* PKCS#11 URI scheme comparison is now case insensitive
- Drop p11-kit-biarch.patch: Obsolete since 0.23.10
- New version 0.23.10
* New p11-kit server command
* The trust policy module now recognizes CKA_NSS_MOZILLA_CA_POLICY attribute
* New trust dump command
* New envvar P11_KIT_NO_USER_CONFIG to stop looking at user configurations
* trust: Respect anyExtendedKeyUsage in CA certificates
* Support x-init-reserved argument of C_Initialize() in remote modules
* install private executables in libexecdir, obsoletes p11-kit-biarch.patch
- new server subpackage
- change keyring to new maintainer Daiki Ueno
- Changes for version 0.23.9
* Fix p11-kit server regressions [PR#103, PR#104]
* trust: Respect anyExtendedKeyUsage in CA certificates [PR#99]
* Build fixes related to reallocarray [PR#96, PR#98, PR#100]
- Changes for version 0.23.8
* Improve vendor query attributes handling in PKCS#11 URI [PR#92]
* Add OTP and GOST mechanisms to pkcs11.h [PR#90, PR#91]
* New envvar P11_KIT_NO_USER_CONFIG to stop looking at user
configurations [PR#87]
* Build fixes for Solaris and 32-bit big-endian platforms [PR#81, PR#86]
- Changes for version 0.23.7
* Fix memory issues with "p11-kit server" [PR#78]
* Build fixes [PR#77 ...]
- Changes for version 0.23.6
* Port "p11-kit server" to Windows and portability fixes of the RPC
protocol [PR#67, PR#72, PR#74]
* Recover the old behavior of "trust anchor --remove" [PR#70, PR#71]
* Build fixes [PR#63 ...]
- Changes for version 0.23.5
* Fix license notice of common/unix-peer.c [PR#58]
* Remove systemd unit files for now [PR#60]
* Build fixes for FreeBSD [PR#56]
- Changes for version 0.23.4
* Recognize query attributes defined in PKCS#11 URI (RFC7512) [PR#31,
PR#37, PR#52]
* The trust policy module now recognizes CKA_NSS_MOZILLA_CA_POLICY
attribute, used by Firefox [#99453, PR#46]
* Add 'trust dump' command to dump all PKCS#11 objects in the
persistence format [PR#44]
* New experimental 'p11-kit server' command that allows PKCS#11
forwarding through a Unix domain socket. A client-side module
p11-kit-client.so is also provided [PR#15]
* Add systemd unit files for exporting the proxy module through a
Unix domain socket [PR#35]
* New P11KitIter API to iterate over slots, tokens, and modules in
addition to objects [PR#28]
* libffi dependency is now optional [PR#9]
* Build fixes for FreeBSD, macOS, and Windows [PR#32, PR#39, PR#45]
- Changes for version 0.23.3
* Install private executables in libexecdir [fdo#98817]
* Fix link error of proxy module on macOS [fdo#98022]
* Use new PKCS#11 URI specification for URIs [fdo#97245]
* Support x-init-reserved argument of C_Initialize() in remote modules
[fdo#80519]
* Incorporate changes from PKCS#11 2.40 specification
* Bump libtool library version
* Documentation fixes
* Build fixes [fdo#87192 ...]
- Use %license instead of %doc [bsc#1082318]
- 32-bit compatibility fixes:
* Add PKCS11 module to p11-kit-32bit (bsc#996047#c39)
* Add p11-kit-nss-trust-32bit NSS module
* Fix potential bi-arch issue with private binaries
(fdo#98817, p11-kit-biarch.patch)
- Update to 0.23.2
* Fix forking issues with libffi
* Fix various crashes in corner cases
* Updated translations
* Build fixes
- Make building more verbose
- Enable tests
- Small spec file cleanup with spec-cleaner
- Update to version 0.23.1 (stable)
* Use new PKCS#11 URI draft fields for URIs [fdo#86474 fdo#87582]
* Add pem-directory-hash extract format
* Build fixes
- Remove 0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff;
fixed on upstream release
- Remove autoconf, automake and libtool require; unneeded dependencies
- Add gtk-doc require; needed to build html documentation
- Remove redundant %clean section
- remove patches:
* trust-Print-label-of-certificate-when-complaining-.patch
* trust-Dont-use-invalid-public-keys-for-looking-up-.patch
- new version 0.20.7 (stable)
* New public pkcs11x.h header containing extensions [fdo#83495]
* Export necessary defines to lookup attached extensions [fdo#83495]
* Build fixes
- new version 0.20.6 (stable)
* Make the p11-kit-proxy.so module respect critical = no [fdo#83651]
* Build fix for FreeBSD [fdo#75674]
- new version 0.20.5 (stable)
* Don't use invalid keys for looking up stapled extensions [fdo#82328]
* Better error messages when invalid certificate extensions
* Fix parsing of some odd OpenSSL TRUSTED CERTIFICATE files
* Fix some leaks, and memory issues
* Silence some clang scanner warnings
- new version 0.20.4 (stable)
* Don't complain about C_Finalize after a fork
* Fix typo
- new version 0.20.3
* Fix problems reinitializing managed modules after fork
* Fix bad bookeeping when fail initializing one of the modules
* Fix case where module would be unloaded while in use [#74919]
* Remove assertions when module used before initialized [#74919]
* Fix handling of mmap failure and mapping empty files [#74773]
* Stable p11_kit_be_quiet() and p11_kit_be_loud() functions
* Require automake 1.12 or later
* Build fixes for Windows [#76594 #74149]
- apply patches to avoid errors from certificates with invalid public key
(fdo#82328, bnc#890908,
trust-Dont-use-invalid-public-keys-for-looking-up-.patch,
trust-Print-label-of-certificate-when-complaining-.patch)
- New version 0.20.2
* Fix bug where blacklist didn't affect extracted ca-anchors if the anchor
and blacklist were not in the same trust path (regression) [fdo#73558]
* Check for race in BasicConstraints stapled extension [fdo#69314]
* Build fixes and cleanup
- added .sig file. trying to locate source of the keyring.
- trust: allow to also add openssl style hashes to pem-directory
0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff
- upgrade to 0.20.1 which is 0.19 declared stable
* Extract compat trust data after we've changes
* Skip compat extraction if running as non-root
* Better failure messages when removing anchors
- new version 0.19.4
* 'trust anchor' now adds/removes certificate anchors
* 'trust list' lists trust policy stuff
* 'p11-kit extract' is now 'trust extract'
* 'p11-kit extract-trust' is now 'trust extract-compat'
* Workarounds for working on broken zfsonlinux.org [#68525]
* Add --with-module-config parameter to the configure script [#68122]
* Add support for removing stored PKCS#11 objects in trust module
- new version 0.19.3
* Fix up problems with automake testing
* Fix a bunch of memory leaks in newly refactored code
* Don't use _GNU_SOURCE and the unportability it brings
* Add basic 'trust anchor' command to store a new anchor
* Support for writing out trust token objects
* Port to use CKA_PUBLIC_KEY_INFO and updated trust store spec
* Add option to use freebl for hashing
* Implement reloading of token data
* Fix warnings and possible minor bugs higlighted by code scanners
* Don't load configs in home directories when running setuid or setgid
* Support treating ~/.config as $XDG_CONFIG_HOME
* Use $XDG_DATA_HOME/pkcs11 as default user config directory
* Use $TMPDIR instead of $TEMP while testing
* Open files and fds with O_CLOEXEC
* Abort initialization if a critical module fails to load
* Don't use thread-unsafe functions: strerror, getpwuid
* Fix p11_kit_space_strlen() result when empty string
* Refactoring of where various components live
- fix 32bit provides of libnssckbi.so
- repace p11-kit-extract-trust with update-ca-certificates
- provide libnssckbi.so to replace mozilla-nss-certs
- add p11-kit-nss-trust subpackage that serves as drop-in
replacement for mozilla-nss-certs
- use /etc/pki/trust and /usr/share/pki/trust as system CA
certificate store
- Update to version 0.19.1:
+ Refactor API to be able to handle managed modules.
+ Deprecate much of old p11-kit API.
+ Implement concept of managed modules.
+ Make C_CloseAllSessions function work for multiple callers.
+ New dependency on libffi.
+ Fix possible threading problems reported by hellgrind.
+ Add log-calls option.
+ Mark p11_kit_message() as a stable function.
+ Use our own unit testing framework.
- Add pkgconfig(libffi) BuildRequires: new dependency.
- Update to version 0.18.2:
+ Build fixes (fdo#64378)
- Also provide p11-kit-32bit (in fact, the pkcs#11 modules)
(bnc#819246).
- Update to version 0.18.1:
+ Put the external tools in $libdir/p11-kit.
+ Documentation build fixes.
- Update to version 0.18.0:
+ Fix use of trust module with gcr and empathy (fdo#62896).
+ Further tweaks to trust module date parsing.
+ Fix unaligned memory reads (fdo#62819).
+ Win32 fixes (fdo#63062, fdo#63046).
+ Debug and logging tweaks (fdo#62874).
+ Other build fixes.
- Update to version 0.17.5:
+ Don't try to guess at overflowing time values on 32-bit
systems (fdo#62825).
+ Test fixes (fdo#927394).
- Update to version 0.17.4:
+ Check for duplicate certificates in a token, warn and discard
(fdo#62548).
+ Implement a proper index so we have decent load performance.
- Update to version 0.17.3:
+ Use descriptive labels for the trust module tokens (fdo#62534).
+ Remove the temporary built in distrust objects.
+ Make extracted output directories and files read-only
(fdo#61898).
+ Don't export unneccessary ABI.
+ Build fixes (fdo#62479).
- Update to version 0.17.2:
+ Fix build on 32-bit linux.
+ Fix several crashers.
- Changes from version 0.17.1:
+ Support a p11-kit specific PKCS#11 attribute persistance format
(fdo#62156).
+ Use the SHA1 hash of SPKI as the CKA_ID in the trust module by
default (fdo#62329).
+ Refactor a trust builder which builds objects out of parsed
data (fdo#62329).
+ Combine trust policy when extracting certificates (fdo#61497).
+ The extract --comment option adds comments to PEM bundles
(fdo#62029).
+ A new 'priority' config option for ordering modules
(fdo#61978).
+ Make each configured path its own trust module token
(fdo#61499).
+ Use --with-trust-paths to configure trust module (fdo#62327).
+ Fix bug decoding some PEM files.
+ Better debug output for trust module lookups.
+ Work around bug in NSS when doing serial number lookups.
+ Work around broken strndup() function in firefox.
+ Fix the nickname for the distrusted attribute.
+ Build fixes.
- Add ca-certificates BuildRequires: needed to find the location of
the root certificates.
- Update to version 0.16.4:
+ Display per command help again (fdo#62153).
+ Don't always print tools debug output (fdo#62152).
- Changes from version 0.16.3:
+ When iterating don't skip tokens without the
CKF_TOKEN_INITIALIZED flag.
+ Hardcode some distrust records for NSS temporarily.
+ Parse global options better in the p11-kit command.
+ Better debugging.
- Changes from version 0.16.2:
+ Fix regression in 'p11-kit extract --purpose' option
(fdo#62009)
+ Documentation updates
+ Build fixes (fdo#62001).
- Changes from version 0.16.1:
+ Don't break when cA field of BasicConstraints is missing
(fdo#61975).
+ Documentation fixes and updates.
+ p11-kit extract-trust is a placeholder script now.
- Update to version 0.16.0:
+ Update the pkcs11.h header for new mechanisms
+ Fix build and tests on mingw64 (ie: win32)
+ Relicense LGPL code to BSD license
+ Documentation tweaks
+ Bugs fixed: fdo#61739, fdo#60894, fdo#61740, fdo#60792
+ Updated translations.
- Changes from version 0.15.2:
+ Better define the libtasn1 dependency.
+ Crasher and bug fixes.
+ Build fixes.
+ Updated translations.
- Changes from version 0.15.1:
+ Fix some memory leaks.
+ Add a location for packages to drop module configs.
+ Documentation updates and fixes.
+ Add command line tool manual page.
+ Remove unused err() function and friends.
+ Move more code into common/ directory and refactor.
+ Add a system trust policy module.
+ Refactor how the p11-kit command line tool works.
+ Add p11-kit extract and extract-trust commands.
+ Don't complain if we cannot access ~/.pkcs11/pkcs11.conf.
+ Refuse to load the p11-kit-proxy.so as a registered module.
+ Don't fail initialization if last initialized module fails.
- Update to version 0.14:
+ Change default for user-config to merge
+ Always URI-encode the 'id' attribute in PKCS#11 URIs
+ Expect a .module extension on module configs
+ Windows compatibility fixes
+ Testing fixes
+ Build fixes
- Update to version 0.13:
+ Don't allow reading of PIN files larger than 4096 bytes
+ If a module is not marked as critical then ignore init failure
+ Use preconditions to check for input problems and out of memory
+ Add enable-in and disable-in options to module config
+ Fix the flags in pin.h
+ Use gcc extensions to check varargs during compile
+ Fix crasher when a duplicate module is present
+ Fix broken hashmap behavior
+ Testing fixes
+ Win32 build fixes
+ 'p11-kit -h' now works
+ Documentation fixes
- Update to version 0.12:
+ Build fix.
- Update to version 0.11:
+ Remove automatic reinitialization of PKCS#11 after fork
- Update to version 0.10:
+ Build fixes, for windows, gcc 4.6.1.
- Update to version 0.9:
+ p11-kit can't be used as a static library.
+ Fix problems crashing when freeing TLS on windows.
+ Add debug output to windows init and uninit of library.
+.Build fixes, especially for windows
- Update to version 0.8:
+ Rename non-static functions to have a _p11_xxx prefix
+ No concurrent calling of C_Initialize and C_Finalize
+ Print more information in 'p11-kit -l'
+ Initial port to win32
+ Build and testing fixes.
- Update to version 0.7:
+ Expand p11-kit config variables correctly in various build
scenarios
+ Add test tool to print out error messages
+ Build fix on FreeBSD
- Update to version 0.6:
+ Add concept of a default module directory from which modules
with relative paths are loaded.
+ Renamed pkg-config variables to make it clearer what's what.
- Update to version 0.5:
+ Fix crasher in p11_kit_registered_modules()
+ Add 'critical' setting for modules, which defaults to 'no'
+ Fix initialization issues in the proxy module
- Update to version 0.4:
+ Fix endless loop if module forks during initialization
+ Update PKCS#11 URI code for new draft of spec
+ Don't fail when duplicate modules are configured
+ Better debug output
+ Add example configuration documentation
+ Support whitespace in PKCS#11 URIs
- Move the p11-kit.conf.example to the doc folder.
- Update to version 0.3:
+ Rewrite hash table, and simplify licensing.
+ Correct paths for p11-kit config files.
+ Many build fixes and tweaks.
- Remove Apache-2 part from License tag, as the code was rewritten.
- Initial package (version 0.2).

Created by flacco 10 months ago
In state accepted

Submit p11-kit

Comments for request 1099645 0

Request History

flacco created request 10 months ago

flacco accepted request 10 months ago

Places

Overview