-------------------------------------------------------------------
Thu Aug 3 07:40:48 UTC 2023 - Paolo Stivanin

- Update to 1.3.1:
  * core xmlsec and all xmlsec-crypto libraries:
    + (ABI breaking change) Added support for the KeyInfoReference
      Element.
    + (ABI breaking change) Switched xmlSecSize to use size_t by
      default. Use "--enable-size-t=no" configure option
      ("size_t=no" on Windows) to restore the old behaviour (note
      that support for xmlSecSize being different from size_t will
      be removed in the future).
    + (API breaking change) Changed the key search to strict mode:
      only keys referenced by KeyInfo are used. To restore the old
      "lax" mode, set XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH flag on
      xmlSecKeyInfoCtx or use '--lax-key-search' option for XMLSec
      command line utility.
    + (API breaking change) The KeyName element content is now
      trimmed before key search is performed.
    + (API breaking change) Disabled FTP support by default. Use
      "--enable-ftp" configure option to restore it. Also added
      "--enable-http" and "--enable-files" configure options to
      control support for loading files over HTTP or locally.
    + (API/ABI breaking change) Disabled MD5 digest method by
      default. Use "--enable-md5" configure options to re-enable
      MD5.
    + (ABI breaking change) Added "failureReason" file to
      xmlSecDSigCtx and xmlEncCtx to provide more granular operation
      failure reason.
    + (ABI breaking change) Removed deprecated functions.
    + Added support for loading keys through ossl-store interface.
      Also see '--privkey-openssl-store' and
      '--pubkey-openssl-store' command line options for XMLSec
      utility.
    + Added ability to control transforms binary chunk size to
      improve performance (see '--transform-binary-chunk-size'
      command line option for XMLSec utility).
    + Fixed all potentially unsafe integer conversions and all the
      other warnings.
    + Added XML Signature 1.1 interop (2012) and XML Encryption 1.1
      interop (2012) tests.
  * xmlsec-openssl library:
    + Added support for SHA3 digests.
    + Added support for ECDSA-SHA3 signatures.
    + Added support for RSA PSS signatures (without parameters).
    + Added support for ConcatKDF key and PBKDF2 derivation
      algorithms.
    + (ABI breaking change) Added support for ECDH-ES Key Agreement
      algorithm.
    + (ABI breaking change) Added support for DH-ES Key Agreement
      algorithm with explicit KDF.
    + Added support for MGF1 algorithm to RSA OAEP key transport.
    + Added support for X509Digest element and ability to lookup
      keys using other X509Data elements.
    + Added support for DEREncodedKeyValue element.
    + Automatically set key name from PKCS12 key name.
    + Removed support for OpenSSL 1.0.0 and LibreSSL before 2.7.0.
  * xmlsec-nss library:
    + Added support for RSA PSS signatures (without parameters).
    + Added support for RSA OAEP key transport including MGF1
      algorithms.
    + Added support for AES GCM ciphers.
    + Added support for PBKDF2 derivation algorithm.
    + Added support for X509Digest element and ability to lookup
      keys using other X509Data elements.
    + Added support for DEREncodedKeyValue element.
    + Automatically set key name from PKCS12 key name.
  * xmlsec-gnutls library:
    + (API/ABI breaking change) Removed dependency on xmlsec-gcrypt
      and libgcrypt libraries (including API functions) to enable
      support for different GnuTLS backends.
    + Bumped minimal GnuTLS version to 3.6.13.
    + Added support for SHA3 digests.
    + Added support for ECDSA signatures.
    + Added support for DSA-SHA256 signatures.
    + Added support for RSA PSS signatures (without parameters).
    + Added support for RSA PKCS 1.5 key transport.
    + Added support for AES GCM ciphers.
    + Added support for PBKDF2 derivation algorithm.
    + Added support for X509Digest element and ability to lookup
      keys using other X509Data elements.
    + Added support for DEREncodedKeyValue element.
    + Automatically set key name from PKCS12 key name.
  * xmlsec-mscng library:
    + Added support for RSA PSS signatures (without parameters).
    + Added support for MGF1 algorithm to RSA OAEP key transport.
    + (ABI breaking change) Added support for ECDH-ES Key Agreement
      algorithm.
    + Added support for ConcatKDF key and PBKDF2 derivation
      algorithms.
    + Added support for X509Digest element for keys and certificates
      lookup from the system stores (only SHA1 is supported).
    + Added support for DEREncodedKeyValue element.
    + Automatically set key name from PKCS12 key name.
  * xmlsec-gcrypt library:
    + In maintenance mode starting from this release.
    + Added support for SHA3 digests.
    + Added support for ECDSA signatures.
    + Added support for RSA PSS signatures (without parameters).
    + Added support for RSA PKCS 1.5 key transport.
    + Added support for RSA OAEP key transport including MGF1
      algorithms.
  * xmlsec command line utility:
    + (API breaking change) The XMLSec command line utility is using
      'strict' key search mode by default. To restore the old 'lax'
      key search mode, use the new '--lax-key-search' option.
    + (API breaking change) The XMLSec command line utility no
      longer prints detailed errors by default. To restore the
      detailed errors, use the new '--verbose' option.
    + Added '--transform-binary-chunk-size' option to control
      transforms binary chunk size (increasing the chunk size should
      improve performance at the expense of memory usage).
    + Added support for loading keys through ossl-store interface.
      Also see '--privkey-openssl-store' and
      '--pubkey-openssl-store' command line options for XMLSec
      utility.
    + Added '--enabled-key-info-reference-uris' option to control
      processing of the KeyInfoReference Element.
    + Added '--pbkdf2-key' option for loading PBKDF2 keys.
    + Added '--concatkdf-key' option for loading ConcatKDF keys.
    + Added '--hmac-min-out-len' option to control the min accepted
      HMAC Output length.
    + Added '--pubkey-openssl-engine' option to load public keys
      from OpenSSL engine.
    + Added '--crl-pem' and '--crl-der' options to load CRLs.
    + Added '--verify-keys' option to verify key's certificate
      before loading into Keys Manager (only supported for OpenSSL
      currently).
    + Enabled templatized output filenames to facilitate batch
      operations on multiple input files.

-------------------------------------------------------------------
Wed Feb 1 09:23:37 UTC 2023 - Dirk Müller

- switch to pkgconfig(zlib) to allow alternative providers as well

-------------------------------------------------------------------
Sat Dec 3 17:03:47 UTC 2022 - Dirk Müller

- update to 1.2.37:
  Fixed two regressions from 1.2.36 release

-------------------------------------------------------------------
Fri Nov 4 15:33:42 UTC 2022 - Pedro Monreal

- Update to 1.2.36:
  * Retired the XMLSec mailing list "xmlsec@aleksey.com" and the
    XMLSec Online Signature Verifier.
- Update to 1.2.35:
  * Migration to OpenSSL 3.0 API (based on PR by @snargit). Note
    that OpenSSL engines are disabled by default when XMLSec library
    is compiled against OpenSSL 3.0. To re-enable OpenSSL engines,
    use "--enable-openssl3-engines" configure flag (there will be a
    lot of deprecation warnings).
  * The OpenSSL before 1.1.0 and LibreSSL before 2.7.0 are now
    deprecated and will be removed in the future versions of XMLSec
    Library.
  * Refactored all the integer casts to ensure cast-safety. Fixed
    all warnings and enabled "-Werror" and "-pedantic" flags on CI
    builds.
  * Added configure flag to use size_t for xmlSecSize (currently
    disabled by default for backward compatibility).
  * Moved all CI builds to GitHub actions.

-------------------------------------------------------------------
Thu Sep 8 07:25:33 UTC 2022 - Bjørn Lie

- Add export CFLAGS/CXXFLAGS="-Wno-error=deprecated-declarations"
  before configure. We pass --enable-werror to configure, and that
  leads to warnings about deprecations failing build. As
  deprecations are mainly a concern for upstream, stop failing on
  those.

-------------------------------------------------------------------
Mon May 23 09:49:35 UTC 2022 - Dirk Müller

- update to 1.2.34:
  * Support for OpenSSL compiled with OPENSSL_NO_ERR.
  * Full support for LibreSSL 3.5.0 and above
  * Several other small fixes

-------------------------------------------------------------------
Sun Nov 28 18:53:47 UTC 2021 - Dirk Müller

- update to 1.2.33:
  * Fix decrypting session key for two recipients
  * Added --privkey-openssl-engine option to enhance openssl engine
    support

-------------------------------------------------------------------
Sun May 9 19:54:21 UTC 2021 - Andreas Stieger

- update to 1.2.32:
  + Remove MD5 for NSS 3.59 and above
  + Fix PKCS12_parse return code handling
  + Fix OpenSSL lookup
  + xmlSecX509DataGetNodeContent(): don't return 0 for non-empty
    elements - fix for LibreOffice
- add upstream signing key and validate source signature
- put license text into all subpackages
- treat all compiler warnings as errors

-------------------------------------------------------------------
Wed Feb 17 12:17:06 UTC 2021 - Pedro Monreal

- Relax the crypto policies for the test-suite. This allows the
  tests using certificates with small key lengths to pass.

-------------------------------------------------------------------
Thu Dec 17 09:16:49 UTC 2020 - Dominique Leuenberger

- Update to version 1.2.31:
  + Unload error strings in OpenSSL shutdown.
  + Make userData available when executing preExecCallback function.
  + Add an option to use secure memset.
- Pass --disable-md5 to configure: The cryptographic strength of the
  MD5 algorithm is sufficiently doubtful that its use is discouraged
  at this time. It is not listed as an algorithm in [XMLDSIG-CORE1]
  https://www.w3.org/TR/xmlsec-algorithms/#bib-XMLDSIG-CORE1

-------------------------------------------------------------------
Thu Jun 18 12:10:34 UTC 2020 - Tomáš Chvátal

- Update to 1.2.30:
  * Enabled XML_PARSE_HUGE for all xml parsers.
  * Various build and tests fixes and improvements.
  * Move remaining private header files away from xmlsec/include/
    folder.

-------------------------------------------------------------------
Thu Apr 25 09:13:57 UTC 2019 - Tomáš Chvátal

- Update to 1.2.28:
  * Added BoringSSL support (chenbd).
  * Added gnutls-3.6.x support (alonbl).
  * Added DSA and ECDSA key size getter for MSCNG (vmiklos).
  * Added --enable-mans configuration option (alonbl).
  * Added continuous build integration for MacOSX (vmiklos).
  * Several other small fixes (more details).

-------------------------------------------------------------------
Fri Dec 7 11:01:44 UTC 2018 - Tomáš Chvátal

- Make sure to recommend at least one backend when you install just
  xmlsec1

-------------------------------------------------------------------
Wed Oct 31 13:21:31 UTC 2018 - Tomáš Chvátal

- Drop the gnutls backend as based on the tests it is quite borked:
  * We still have nss and openssl backend for people to use

-------------------------------------------------------------------
Wed Oct 31 12:00:28 UTC 2018 - Tomáš Chvátal

- Version update to 1.2.27:
  * Added AES-GCM support for OpenSSL and MSCNG (snargit).
  * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos).
  * Added RSA-OAEP support for MSCNG (vmiklos).
  * Continuous build integration in Travis and Appveyor.
  * Several other small fixes (more details).

-------------------------------------------------------------------
Thu Aug 16 10:22:09 UTC 2018 - tchvatal@suse.com

- Add rpmlintrc to avoid bogus errors:
  * xmlsec1-rpmlintrc

-------------------------------------------------------------------
Tue Aug 14 18:51:27 UTC 2018 - kallan@suse.com

- Fixed (bsc#1104876). Added: Requires: %{libname} = %{version} to
  each module in the spec file. This will ensure that when one of
  the modules is installed the corresponding version of
  libxmlsec1-1 will also be installed/upgraded.

-------------------------------------------------------------------
Tue Jun 5 20:10:17 UTC 2018 - vmiklos@collabora.co.uk

- Version update to 1.2.26:
  * Added xmlsec-mscng module based on Microsoft Cryptography API:
    Next Generation
  * Added support for GOST 2012 and fixed CryptoPro CSP provider for
    GOST R 34.10-2001 in xmlsec-mscrypto
  * Added LibreSSL 2.7 support
  * Upgraded documentation build process to support the latest
    gtk-doc

-------------------------------------------------------------------
Thu Nov 30 09:53:35 UTC 2017 - tchvatal@suse.com

- Version update to 1.2.25:
  * Various small fixes
  * Coverity cleanups
  * Removed support for old openssl

-------------------------------------------------------------------
Thu Apr 20 14:48:11 UTC 2017 - vmiklos@collabora.co.uk

- Version update to 1.2.24:
  * Added ECDSA-SHA1, ECDSA-SHA256, ECDSA-SHA512 support for
    xmlsec-nss.
  * Fixed XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS handling.
  * Disabled external entities loading by xmlsec utility app by
    default to prevent XXE attacks.
  * Improved OpenSSL version and features detection.
  * Cleaned up, simplified, and standardized internal error
    reporting.
  * Fixed a few Coverity-discovered bugs.
  * Marked as deprecated all the functions in xmlsec/soap.h file and
    a couple other functions no longer required by xmlsec. These
    functions will be removed in the future releases.
  * Several other small fixes (see commit log for more details).

-------------------------------------------------------------------
Thu Mar 23 12:19:26 UTC 2017 - pmonrealgonzalez@suse.com

- Fixed dependencies with libraries (bsc#1012246):
  * libxmlsec1-openssl.so
  * libxmlsec1-gcrypt.so
  * libxmlsec1-gnutls.so
  * libxmlsec1-nss.so

-------------------------------------------------------------------
Mon Nov 28 09:29:03 UTC 2016 - tchvatal@suse.com

- Version update to 1.2.23:
  * Full support for OpenSSL 1.1.0
  * Several other small fixes

-------------------------------------------------------------------
Wed May 25 10:49:08 UTC 2016 - tchvatal@suse.com

- Version update to 1.2.22 (fate#320861):
  * see the ChangeLog for most detailed output
  * openssl 1.1 support
  * Few features from libreoffice for integrated
  * Run the testsuite

-------------------------------------------------------------------
Thu Sep 3 12:39:49 UTC 2015 - astieger@suse.com

- update to 1.2.20:
  * fix a number of miscellaneous bugs
  * update expired or soon-to-be-expired certificates in test suite

-------------------------------------------------------------------
Tue Jan 7 13:10:28 UTC 2014 - mvyskocil@suse.com

- Initial packaging of xmlsec1 for SUSE