xmlsec1/xmlsec1.changes

-------------------------------------------------------------------
Thu Aug  3 07:40:48 UTC 2023 - Paolo Stivanin <info@paolostivanin.com>

- Update to 1.3.1:
  * core xmlsec and all xmlsec-crypto libraries:
    + (ABI breaking change) Added support for the KeyInfoReference Element.
    + (ABI breaking change) Switched xmlSecSize to use size_t by default.
      Use "--enable-size-t=no" configure option ("size_t=no" on Windows)
      to restore the old behaviour (note that support for xmlSecSize
      being different from size_t will be removed in the future).
    + (API breaking change) Changed the key search to strict mode: only
      keys referenced by KeyInfo are used. To restore the old "lax" mode,
      set XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH flag on xmlSecKeyInfoCtx
      or use '--lax-key-search' option for XMLSec command line utility.
    + (API breaking change) The KeyName element content is now trimmed
      before key search is performed.
    + (API breaking change) Disabled FTP support by default.
      Use "--enable-ftp" configure option to restore it. Also added
      "--enable-http" and "--enable-files" configure options to control
      support for loading files over HTTP or locally.
    + (API/ABI breaking change) Disabled MD5 digest method by default.
      Use "--enable-md5" configure options to re-enable MD5.
    + (ABI breaking change) Added "failureReason" file to xmlSecDSigCtx
      and xmlEncCtx to provide more granular operation failure reason.
    + (ABI breaking change) Removed deprecated functions.
    + Added support for loading keys through ossl-store interface.
      Also see '--privkey-openssl-store' and '--pubkey-openssl-store '
      command line options for XMLSec utility.
    + Added ability to control transforms binary chunk size to improve
      performance (see '--transform-binary-chunk-size' command line option
      for XMLSec utility).
    + Fixed all potentially unsafe integer conversions and all the
      other warnings.
    + Added XML Signature 1.1 interop (2012) and XML Encryption 1.1
      interop (2012) tests.
  * xmlsec-openssl library:
    + Added support for SHA3 digests.
    + Added support for ECDSA-SHA3 signatures.
    + Added support for RSA PSS signatures (withtout parameters).
    + Added support for ConcatKDF key and PBKDF2 derivation algorithms.
    + (ABI breaking change) Added support for ECDH-ES Key Agreement
      algorithm.
    + (ABI breaking change) Added support for DH-ES Key Agreement
      algorithm with explicit KDF.
    + Added support for MGF1 algorithm to RSA OAEP key transport.
    + Added support for X509Digest element and ability to lookup keys
      using other X509Data elements.
    + Added support for DEREncodedKeyValue element.
    + Automatically set key name from PKCS12 key name.
    + Removed support for OpenSSL 1.0.0 and LibreSSL before 2.7.0.
  * xmlsec-nss library:
    + Added support for RSA PSS signatures (withtout parameters).
    + Added support for RSA OAEP key transport including MGF1 algorithms.
    + Added support for AES GCM ciphers.
    + Added support for PBKDF2 derivation algorithm.
    + Added support for X509Digest element and ability to lookup keys
      using other X509Data elements.
    + Added support for DEREncodedKeyValue element.
    + Automatically set key name from PKCS12 key name.
  * xmlsec-gnutls library:
    + (API/ABI breaking change) Removed dependency on xmlsec-gcrypt
      and libgcrypt libraries (including API functions) to enable
      support for different GnuTLS backends.
    + Bumped minimal GnuTLS version to 3.6.13.
    + Added support for SHA3 digests.
    + Added support for ECDSA signatures.
    + Added support for DSA-SHA256 signatures.
    + Added support for RSA PSS signatures (withtout parameters).
    + Added support for RSA PKCS 1.5 key transport.
    + Added support for AES GCM ciphers.
    + Added support for PBKDF2 derivation algorithm.
    + Added support for X509Digest element and ability to lookup keys
      using other X509Data elements.
    + Added support for DEREncodedKeyValue element.
    + Automatically set key name from PKCS12 key name.
  * xmlsec-mscng library:
    + Added support for RSA PSS signatures (withtout parameters).
    + Added support for MGF1 algorithm to RSA OAEP key transport.
    + (ABI breaking change) Added support for ECDH-ES Key Agreement algorithm.
    + Added support for ConcatKDF key and PBKDF2 derivation algorithms.
    + Added support for X509Digest element for keys and certificates
      lookup from the system stores (only SHA1 is supported).
    + Added support for DEREncodedKeyValue element.
    + Automatically set key name from PKCS12 key name.
  * xmlsec-gcrypt library:
    + In maintenance mode starting from this release.
    + Added support for SHA3 digests.
    + Added support for ECDSA signatures.
    + Added support for RSA PSS signatures (withtout parameters).
    + Added support for RSA PKCS 1.5 key transport.
    + Added support for RSA OAEP key transport including MGF1 algorithms.
  * xmlsec command line utility:
    + (API breaking change) The XMLSec command line utility is using 'strict' key
      search mode by default. To restore the old 'lax' key search mode,
      use the new '--lax-key-search' option.
    + (API breaking change) The XMLSec command line utility is no longer
      prints detailed errors by default. To restore the detailed errors,
      use the new '--verbose' option.
    + Added '--transform-binary-chunk-size' option to control transforms
      binary chunk size (increasing the chunk size should improve
      performance at the expense of memory usage.
    + Added support for loading keys through ossl-store interface.
      Also see '--privkey-openssl-store' and '--pubkey-openssl-store'
      command line options for XMLSec utility.
    + Added '--enabled-key-info-reference-uris' option to control processing of
      the the KeyInfoReference Element.
    + Added '--pbkdf2-key' option for loading PBKDF2 keys.
    + Added '--concatkdf-key' option for loading ConcatKDF keys.
    + Added '--hmac-min-out-len' option to control the min accepted HMAC Output length.
    + Added '--pubkey-openssl-engine' option to load public keys from OpenSSL engine.
    + Added '--crl-pem' and '--crl-der' options to load CRLs.
    + Added '--verify-keys' option to verify key's certificate before
      loading into Keys Manager (only supported for OpenSSL currently).
    + Enabled templatized output filenames to facilitate batch operations on
      multiple input files.

-------------------------------------------------------------------
Wed Feb  1 09:23:37 UTC 2023 - Dirk Müller <dmueller@suse.com>

- switch to pkgconfig(zlib) to allow alternative providers as well

-------------------------------------------------------------------
Sat Dec  3 17:03:47 UTC 2022 - Dirk Müller <dmueller@suse.com>

- update to 1.2.37:
  Fixed two regressions from 1.2.36 release 

-------------------------------------------------------------------
Fri Nov  4 15:33:42 UTC 2022 - Pedro Monreal <pmonreal@suse.com>

- Update to 1.2.36:
  * Retired the XMLSec mailing list "xmlsec@aleksey.com" and the
    XMLSec Online Signature Verifier.

- Update to 1.2.35:
  * Migration to OpenSSL 3.0 API (based on PR by @snargit). Note
    that OpenSSL engines are disabled by default when XMLSec
    library is compiled against OpenSSL 3.0. To re-enable OpenSSL
    engines, use "--enable-openssl3-engines" configure flag (there
    will be a lot of deprecation warnings).
  * The OpenSSL before 1.1.0 and LibreSSL before 2.7.0 are now
    deprecated and will be removed in the future versions of
    XMLSec Library.
  * Refactored all the integer casts to ensure cast-safety. Fixed
    all warnings and enabled "-Werror" and "-pedantic" flags on
    CI builds.
  * Added configure flag to use size_t for xmlSecSize (currently
    disabled by default for backward compatibility).
  * Moved all CI builds to GitHub actions.

-------------------------------------------------------------------
Thu Sep  8 07:25:33 UTC 2022 - Bjørn Lie <bjorn.lie@gmail.com>

- Add export CFLAGS/CXXFLAGS="-Wno-error=deprecated-declarations"
  inbefore configure. We pass --enable-werror to configure, and
  that leads to warnings about deprecations failing build. As
  deprecations is mainly a consern for upstream, stop failing on
  those.

-------------------------------------------------------------------
Mon May 23 09:49:35 UTC 2022 - Dirk Müller <dmueller@suse.com>

- update to 1.2.34:
  * Support for OpenSSL compiled with OPENSSL_NO_ERR.
  * Full support for LibreSSL 3.5.0 and above
  * Several other small fixes

-------------------------------------------------------------------
Sun Nov 28 18:53:47 UTC 2021 - Dirk Müller <dmueller@suse.com>

- update to 1.2.33:
  * Fix decrypting session key for two recipients 
  * Added --privkey-openssl-engine option to enhance openssl engine support

-------------------------------------------------------------------
Sun May  9 19:54:21 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>

- update to 1.2.32:
  + Remove MD5 for NSS 3.59 and above
  + Fix PKCS12_parse return code handling
  + Fix OpenSSL lookup
  + xmlSecX509DataGetNodeContent(): don't return 0 for non-empty
    elements - fix for LibreOffice
- add upstream signing key and validate source signature
- put license text into all subpackages
- treat all compiler warnings as errors

-------------------------------------------------------------------
Wed Feb 17 12:17:06 UTC 2021 - Pedro Monreal <pmonreal@suse.com>

- Relax the crypto policies for the test-suite. This allows the
  tests using certificates with small key lengths to pass.

-------------------------------------------------------------------
Thu Dec 17 09:16:49 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>

- Update to version 1.2.31:
  + Unload error strings in OpenSSL shutdown.
  + Make userData available when executing preExecCallback
    function.
  + Add an option to use secure memset.
- Pass --disable-md5 to configure: The cryptographic strength of
  the MD5 algorithm is sufficiently doubtful that its use is
  discouraged at this time. It is not listed as an algorithm in
  [XMLDSIG-CORE1]
  https://www.w3.org/TR/xmlsec-algorithms/#bib-XMLDSIG-CORE1

-------------------------------------------------------------------
Thu Jun 18 12:10:34 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

- Update to 1.2.30:
  * Enabled XML_PARSE_HUGE for all xml parsers.
  * Various build and tests fixes and improvements.
  * Move remaining private header files away from xmlsec/include/ folder.

-------------------------------------------------------------------
Thu Apr 25 09:13:57 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com>

- Update to 1.2.28:
  * Added BoringSSL support (chenbd).
  * Added gnutls-3.6.x support (alonbl).
  * Added DSA and ECDSA key size getter for MSCNG (vmiklos).
  * Added --enable-mans configuration option (alonbl).
  * Added coninuous build integration for MacOSX (vmiklos).
  * Several other small fixes (more details).

-------------------------------------------------------------------
Fri Dec  7 11:01:44 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>

- Make sure to recommend at least one backend when you install
  just xmlsec1

-------------------------------------------------------------------
Wed Oct 31 13:21:31 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>

- Drop the gnutls backend as based on the tests it is quite borked:
  * We still have nss and openssl backend for people to use

-------------------------------------------------------------------
Wed Oct 31 12:00:28 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>

- Version update to 1.2.27:
  * Added AES-GCM support for OpenSSL and MSCNG (snargit).
  * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos).
  * Added RSA-OAEP support for MSCNG (vmiklos).
  * Continuous build integration in Travis and Appveyor.
  * Several other small fixes (more details).

-------------------------------------------------------------------
Thu Aug 16 10:22:09 UTC 2018 - tchvatal@suse.com

- Add rplintrc to avoid bogus errors:
  * xmlsec1-rpmlintrc

-------------------------------------------------------------------
Tue Aug 14 18:51:27 UTC 2018 - kallan@suse.com

- Fixed (bsc#1104876).  Added: Requires: %{libname} = %{version} to each module
  in the spec file. This will ensure that when one of the modules is installed
  the corresponding version of libxmlsec1-1 will also be installed/upgraded.

-------------------------------------------------------------------
Tue Jun  5 20:10:17 UTC 2018 - vmiklos@collabora.co.uk

- Version update to 1.2.26:
  * Added xmlsec-mscng module based on Microsoft Cryptography API: Next
    Generation
  * Added support for GOST 2012 and fixed CryptoPro CSP provider for GOST R
    34.10-2001 in xmlsec-mscrypto
  * Added LibreSSL 2.7 support
  * Upgraded documentation build process to support the latest gtk-doc

-------------------------------------------------------------------
Thu Nov 30 09:53:35 UTC 2017 - tchvatal@suse.com

- Version update to 1.2.25:
  * Various small fixes
  * Coverity cleanups
  * Removed support for old openssl

-------------------------------------------------------------------
Thu Apr 20 14:48:11 UTC 2017 - vmiklos@collabora.co.uk

- Version update to 1.2.24:
  * Added ECDSA-SHA1, ECDSA-SHA256, ECDSA-SHA512 support
  for xmlsec-nss.

  * Fixed XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS
  handling.

  * Disabled external entities loading by xmlsec utility app by
  default to prevent XXE attacks.

  * Improved OpenSSL version and features detection.

  * Cleaned up, simplified, and standardized internal error
  reporting.

  * Fixed a few Coverity-discovered bugs.

  * Marked as deprecated all the functions in xmlsec/soap.h file
  and a couple other functions no longer required by xmlsec.
  These functions will be removed in the future releases.

  * Several other small fixes (see commit log for more details).

-------------------------------------------------------------------
Thu Mar 23 12:19:26 UTC 2017 - pmonrealgonzalez@suse.com

- Fixed dependencies with libraries (bsc#1012246):
  * libxmlsec1-openssl.so
  * libxmlsec1-gcrypt.so
  * libxmlsec1-gnutls.so
  * libxmlsec1-nss.so

-------------------------------------------------------------------
Mon Nov 28 09:29:03 UTC 2016 - tchvatal@suse.com

- Version update to 1.2.23:
  * Full support for OpenSSL 1.1.0
  * Several other small fixes

-------------------------------------------------------------------
Wed May 25 10:49:08 UTC 2016 - tchvatal@suse.com

- Version update to 1.2.22 (fate#320861):
  * see the ChangeLog for most detailed output
  * openssl 1.1 support
  * Few features from libreoffice for integrated
  * Run the testsuite

-------------------------------------------------------------------
Thu Sep  3 12:39:49 UTC 2015 - astieger@suse.com

- update to 1.2.20:
  * fix a number of miscellaneous bugs 
  * update expired or soon-to-be-expired certificates in test suite

-------------------------------------------------------------------
Tue Jan  7 13:10:28 UTC 2014 - mvyskocil@suse.com

- Initial packaging of xmlsec1 for SUSE