forked from Yubico/yubihsm-shell
-
Notifications
You must be signed in to change notification settings - Fork 0
/
CHANGELOG
191 lines (170 loc) · 8.49 KB
/
CHANGELOG
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
=== Version 2.2.0
shell: Enable ykhsmauth to be used from commandline
ykhsmauth: lib: Add support for YubiCrypt authentication
yubihsm-auth: Add CLI for YubiCrypt authentication
=== Version 2.1.0
lib: Security update for https://www.yubico.com/support/security-advisories/ysa-2021-01/[YSA-2021-01]
lib: Add FIPS-mode option
lib: Add support for rsa-pkcs1-decrypt algorithm
lib: shell: Add support for OTP AEAD rewrap
shell: Add support writing attestation certificate to a file
pkcs11: Add support for CKA_TRUSTED attribute
all: Fix potential memory leaks
all: Improve error handling
doc: Clarify the minimum length of the password used with PKCS11
=== Version 2.0.3
all: Move away from archaic offensive terms
all: Update build scripts to account for changes in newer MACOS
all: Build on Windows with Visual Studio 2019
pkcs11: Enable .Net to load yubihsm-pkcs11.dylib
lib: Fix memory leaks
lib: Security fixes
lib: Add a session identifier for the backend
lib: Make the backend more thread-safe on Windows
shell: Honor the base64 format when returning a public key
shell: Honor the PEM format when returning a certificate
shell: Improve parsing of command line arguments when using OAEP decryption
shell: Add support for special (national) characters
test: Improve testing
=== Version 2.0.2
yhauth: Report touch policy as part of the "list" command
ykyh: Allow reading the password from stdin
yhwrap: Fix wrapping of ED25519 keys
shell: Fix ED25519 public key PEM formatting
shell: Replace unprintable characters in the object label with '.'
ci: Fail early if DEFAULT_CONNECTOR_URL is not set
ci: Update homebrew dependencies
build: Add two bionic-based builds
build: Fix 32-bit Windows builds with mingw32/gcc7
build: Ensure that PCSC is not automatically used on Windows
tool: Stop the timer for keepalive functionality while reading the password string
misc: Allow disabling link time optimization.
misc: Fixes and improvements to build, work and test on FreeBSD.
=== Version 2.0.1
shell: Add "blink-device" command in CLI mode
shell: Add "set-log-index" command to CLI mode
shell: Add "exit" as an alias to the "quit" command.
shell: Add an optional output file to "audit get" command
shell: No openning a session for commands that do not need one
shell/yhwrap/pkcs11: open all files in binary mode to keep Windows from changing line ends
shell: Install the sigalarm handler in CLI mode
build: Add support for installing to lib64 on Fedora
build: Only use LTO on clang > 7
build: Add a library only build option
examples: Improve code examples
test: Tests are improved and are better adapted for MacOS
pkcs11/tests: Only run ecdh engine tests on openssl 1.1+
lib: Improve handling of device memory
lib: Allow both USB and HTTP support to be compiled in static library
lib: Implement signing using sign-eddsa
lib: Add the possibility to generate authkey specifying all the capabilities in their string form
lib/curl: Include the curl strerror in debug when a connection fails
doc: Improvement in documentation, README files and command help
=== Version 2.0.0
lib: Fix issue with session creation if the authentication key ID is too high
lib: Fix a potential issue with memory operations
lib: Fix a potential issue with data left after previous transactions or connections
lib: Better documentation of arguments
lib: Better handling of errors
lib: Rename object types, algorithms, capabilities, commands, command options and errors
lib: API improvements
lib: Add a feature to derive an authentication key from a password
lib: Add a feature to change an authentication key
pkcs11: Added support for C_DeriveKey()
shell: More efficient use of the keepalive function
shell: More efficient handling of sessions when a connection is terminated
shell: Change keepalive command to a toggle (on/off)
tests: Make code examples compile
tests: Add support for running tests using direct USB connection
all: Drop unused files
all: Re-organization of file structure
doc: Drop documentation from the code base and moved the content to Yubico's developers website (https://developers.yubico.com/YubiHSM2/)
=== Version 1.0.4
pkcs11: Fix a potential issue with RSA bit calculation in C_GetMechanismInfo()
pkcs11: Fix a case where we return the wrong error from C_GetMechanismList()
pkcs11: Add a way for users to pass in options over the API to C_Initialize()
connector: Fix a race condition when the usb state was re-created.
connector: Better error reporting in some failure cases.
connector: Fix issues where the connector could hang on Windows.
connector: Fix an issue where the connector would not reconnect on Windows.
shell: Fix an issue with importing HMAC keys.
=== Version 1.0.3
shell: Handle return values from reset correctly on windows.
connector: Return HTTP errors when operations fail.
lib: Handle HTTP errors correctly on windows.
lib: Fix printing of time in debug on windows.
pkcs11: Fix a problem in C_FindObjects() where not all items would be returned
=== Version 1.0.2
lib: Fix connect timeout on windows
lib: Fix debugging to file
lib/pkcs11/shell: Openssl 1.1 compatibility
lib: Mark internal symbols as hidden correctly
pkcs11: Fix an error case leaving the session in a broken state
pkcs11: Start session IDs from 1, not 0
pkcs11: Add option to set connect timeout
pkcs11: Accept C_SetAttributeValue() for CKA_ID and CKA_LABEL if unchanged
setup: Fix broken debian package
shell: Implement decrypt-ecdh in non-interactive mode
connector: On Windows use internal USB libraries instead of libusb
connector: Implement Host header allow listing (Use to prevent DNS rebinding attacks in applicable environments, e.g., if there is an absolute need to use a web browser on the host where the Yubihsm2 is installed to connect to untrusted web sites on the Internet. This is not a recommended practice.)
=== Version 1.0.1
shell: Fix hashing so signing from windows shell works
shell: Sorted output
pkcs11: Handle ecdsa with longer hash than key
pkcs11: Correct error for trying to extract EC key
pkcs11: Fix native locking on windows
pkcs11: Correct linking on macos
lib: Fix logic in session re-use
lib: Mark all internal symbols as hidden
ksp: Handle passwords longer than 8 characters
all: Provide deb packages on debian/ubuntu
=== Version 0.2.1
doc: add Compatibility.adoc
doc: fixup GET LOGS text
doc: fixup GET LOGS stanza
doc: fixup GET OBJECT INFO text
doc: add text about pkcs11 configuration
examples/attest: add reading out of cert after loading it
examples/import_rsa: change import_rsa example to use pss signing
examples: add wrap_data example
examples: change all examples to use yh_parse_domains
lib/tool/doc: add blink command
log: add yh_set_connector_option for transport options
lib: give create_session functions a reopen option
lib: add OBJECT_EXISTS error
lib: allow yh_util_get_object_info to not fill in an object
lib: implement yh_util_reset
lib: new function for setting debug output: yh_set_debug_output
pkcs11: add CKA_ENCRYPT and CKA_VERIFY to public keys
pkcs11: add an offset to the vendor defined values
pkcs11: add checks for boolean attributes we just accept
pkcs11: add configfile options for setting verbosity
pkcs11: add debug output file to pkcs11 config
pkcs11: don't set CKF_DECRYPT for pkcs+hash mechanisms
pkcs11: fix verify for CKM_RSA_PKCS_PSS
pkcs11: fixup for C_FindObjectsInit being called without logging in
pkcs11: fixup session release in C_CloseSession
pkcs11: ignore CKA_APPLICATION in object filtering
pkcs11: ignore CKA_KEY_TYPE in C_FindObjectsInit
pkcs11: in C_FindObjectsInit make more initial state earlier
pkcs11: in C_FindObjectsInit set operation type as late as possible
pkcs11: in C_GetSlotList detect overflow more reliably
pkcs11: move CKA_ENCRYPT and CKA_VERIFY from hard true on pubkey
pkcs11: move CKA_VERIFY and CKA_ENCRYPT from hard true for ec pubkey
pkcs11: move wrap/unwrap on rsa generate to unchecked
pkcs11: never try to delete a public key, lie and say it's fine instead
pkcs11: print more debug info on OAEP mechanism error
pkcs11: remove some skipped pkcs11test tests, we fail them correctly
pkcs11: return CKR_ATTRIBUTE_SENSITIVE on CKA_PRIVATE_EXPONENT
pkcs11: truncate CKA_ID to two bytes if it's longer
pkcs11: when closing the debug output file, reset it to stderr
tool: drop local connector spawn code
tool: add decrypt ecdh command
tool: add decrypt oaep command
tool: add output for decrypt pkcs1v15
tool: cleanup created objects after benchmark
tool: fixup otp decrypt that has to hex decode the otp
tool: for ecdh benchmarks delete the temporary key
tool: print a message when doing benchmark setup
tool: make the reset command print nicer messages
yhwrap: add hmac key pre-split