-
Notifications
You must be signed in to change notification settings - Fork 54
/
CHANGELOG
279 lines (240 loc) · 12.1 KB
/
CHANGELOG
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
=== Version 2.6.0
lib: shell: pkcs11: Add support for asymmetric wrap
pkcs11: Add support for PKCS11 3.0
cmd: Fix opening a session using credentials stored on a YubiKey
build: Always compile with YubiHSM Auth enabled
=== Version 2.5.0
pkcs11: Add support for applying KDF after ECDH derivation
pkcs11: Shell: Fix minor bugs
test: Increase test coverage
=== Version 2.4.2
pkcs11: Add Symmetric key capabilities to searchable criteria
pkcs11: Add support for CKA_KEY_TYPE when searching for objects
pkcs11: Add support for CKA_MODIFIABLE and CKA_COPYABLE attributes for AES and Wrap keys
test: Increase test coverage
=== Version 2.4.1
pkcs11: Security update for https://www.yubico.com/support/security-advisories/ysa-2023-01/[YSA-2023-01]
pkcs11: Allow only a user with access to all the object's domains to edit its attributes
pkcs11: Allow for the creation of an asymmetric key even if CKA_ID or CKA_LABEL attribute values for the private and public key are different.
pkcs11: Improve backup capabilities of objects whose attributes have been changed
pkcs11: Add support for CKA_ALLOWED_MECHANISMS
pkcs11: Fix CKA_SENSITIVE and CKA_PRIVATE return value for opaque objects
pkcs11: Add support for CKA_EXTRACTABLE for imported certificates
pkcs11: Fix regression that only allowed encryption with private keys
lib: pkcs11: Delay client side MAC check to avoid leaving unauthenticated sessions open
shell: Fix handling of ED25519 keys
build: Update release script for Centos7
build: Fix paths in pkg-config template
build: Set linker flags by platform
test: Improve test coverage
=== Version 2.4.0
lib: shell: pkcs11: Add support for symmetric encryption, AES-ECB and AES-CBC (Requires firmware version 2.3 and later)
shell: Enable asymmetric authentication by default (Requires firmware version 2.3 and later)
shell: Allow hex format when creating symmetric authentication key
shell: Improve usage of the list command
shell: Allow yubihsm-auth reader to be specified
shell: Enable backend TLS support in the command line
pkcs11: Add support for modifying CKA_ID and CKA_LABEL attribute values
pkcs11: Improve handling of attributes
pkcs11: Improve debug output
pkcs11: Improve error handling
pkcs11: Change in firmware/harware version representation. The version as reported by C_GetSlotInfo and C_GetTokenInfo will now show minor*10+patch, instead of minor*100+patch
build: Dependecy updates
=== Version 2.3.2
shell: Remove limit on input file size
shell: pkcs11: build: Minor improvements
=== Version 2.3.1
lib: Fix handling errors received from the YubiHSM
shell: Enforce valid DER certificate when importing a certificate
shell: Support PEM in-format when importing a certificate
shell: pkcs11: Fix minor memory leaks
pkcs11: Better handling of invalid input
build: Better build experience on MacOS
build: Better usage of security flags
build: Improve scripts to build debian packages
test: Improve testing
=== Version 2.3.0a
build: Enable additional hardening flags when building with CMake < 3.14
=== Version 2.3.0
lib: Security update for https://www.yubico.com/support/security-advisories/ysa-2021-04/[YSA-2021-04]
lib: Improve backend loading on Windows
lib: Add support for ecdh primitives using bcrypt on Windows
lib: cli: Improve error handling
lib: pkcs11: Add more connection option
lib: pkcs11: cli: Fix minor bugs
cli: Rename set-option to put-option and add support for get-option
pkcs11: Add support for RSA encryption
yubihsm-auth: No PSCS reader name filtering by default
build: Add version details to yubihsm_pkcs11 module and libykhsmauth library files on Windows
build: Make minimum CMake version required 3.5
test: Improved testing
=== Version 2.2.0
shell: Enable ykhsmauth to be used from commandline
ykhsmauth: lib: Add support for YubiCrypt authentication
yubihsm-auth: Add CLI for YubiCrypt authentication
=== Version 2.1.0
lib: Security update for https://www.yubico.com/support/security-advisories/ysa-2021-01/[YSA-2021-01]
lib: Add FIPS-mode option
lib: Add support for rsa-pkcs1-decrypt algorithm
lib: shell: Add support for OTP AEAD rewrap
shell: Add support writing attestation certificate to a file
pkcs11: Add support for CKA_TRUSTED attribute
all: Fix potential memory leaks
all: Improve error handling
doc: Clarify the minimum length of the password used with PKCS11
=== Version 2.0.3
all: Move away from archaic offensive terms
all: Update build scripts to account for changes in newer MACOS
all: Build on Windows with Visual Studio 2019
pkcs11: Enable .Net to load yubihsm-pkcs11.dylib
lib: Fix memory leaks
lib: Security fixes
lib: Add a session identifier for the backend
lib: Make the backend more thread-safe on Windows
shell: Honor the base64 format when returning a public key
shell: Honor the PEM format when returning a certificate
shell: Improve parsing of command line arguments when using OAEP decryption
shell: Add support for special (national) characters
test: Improve testing
=== Version 2.0.2
yhauth: Report touch policy as part of the "list" command
ykyh: Allow reading the password from stdin
yhwrap: Fix wrapping of ED25519 keys
shell: Fix ED25519 public key PEM formatting
shell: Replace unprintable characters in the object label with '.'
ci: Fail early if DEFAULT_CONNECTOR_URL is not set
ci: Update homebrew dependencies
build: Add two bionic-based builds
build: Fix 32-bit Windows builds with mingw32/gcc7
build: Ensure that PCSC is not automatically used on Windows
tool: Stop the timer for keepalive functionality while reading the password string
misc: Allow disabling link time optimization.
misc: Fixes and improvements to build, work and test on FreeBSD.
=== Version 2.0.1
shell: Add "blink-device" command in CLI mode
shell: Add "set-log-index" command to CLI mode
shell: Add "exit" as an alias to the "quit" command.
shell: Add an optional output file to "audit get" command
shell: No openning a session for commands that do not need one
shell/yhwrap/pkcs11: open all files in binary mode to keep Windows from changing line ends
shell: Install the sigalarm handler in CLI mode
build: Add support for installing to lib64 on Fedora
build: Only use LTO on clang > 7
build: Add a library only build option
examples: Improve code examples
test: Tests are improved and are better adapted for MacOS
pkcs11/tests: Only run ecdh engine tests on openssl 1.1+
lib: Improve handling of device memory
lib: Allow both USB and HTTP support to be compiled in static library
lib: Implement signing using sign-eddsa
lib: Add the possibility to generate authkey specifying all the capabilities in their string form
lib/curl: Include the curl strerror in debug when a connection fails
doc: Improvement in documentation, README files and command help
=== Version 2.0.0
lib: Fix issue with session creation if the authentication key ID is too high
lib: Fix a potential issue with memory operations
lib: Fix a potential issue with data left after previous transactions or connections
lib: Better documentation of arguments
lib: Better handling of errors
lib: Rename object types, algorithms, capabilities, commands, command options and errors
lib: API improvements
lib: Add a feature to derive an authentication key from a password
lib: Add a feature to change an authentication key
pkcs11: Added support for C_DeriveKey()
shell: More efficient use of the keepalive function
shell: More efficient handling of sessions when a connection is terminated
shell: Change keepalive command to a toggle (on/off)
tests: Make code examples compile
tests: Add support for running tests using direct USB connection
all: Drop unused files
all: Re-organization of file structure
doc: Drop documentation from the code base and moved the content to Yubico's developers website (https://developers.yubico.com/YubiHSM2/)
=== Version 1.0.4
pkcs11: Fix a potential issue with RSA bit calculation in C_GetMechanismInfo()
pkcs11: Fix a case where we return the wrong error from C_GetMechanismList()
pkcs11: Add a way for users to pass in options over the API to C_Initialize()
connector: Fix a race condition when the usb state was re-created.
connector: Better error reporting in some failure cases.
connector: Fix issues where the connector could hang on Windows.
connector: Fix an issue where the connector would not reconnect on Windows.
shell: Fix an issue with importing HMAC keys.
=== Version 1.0.3
shell: Handle return values from reset correctly on windows.
connector: Return HTTP errors when operations fail.
lib: Handle HTTP errors correctly on windows.
lib: Fix printing of time in debug on windows.
pkcs11: Fix a problem in C_FindObjects() where not all items would be returned
=== Version 1.0.2
lib: Fix connect timeout on windows
lib: Fix debugging to file
lib/pkcs11/shell: Openssl 1.1 compatibility
lib: Mark internal symbols as hidden correctly
pkcs11: Fix an error case leaving the session in a broken state
pkcs11: Start session IDs from 1, not 0
pkcs11: Add option to set connect timeout
pkcs11: Accept C_SetAttributeValue() for CKA_ID and CKA_LABEL if unchanged
setup: Fix broken debian package
shell: Implement decrypt-ecdh in non-interactive mode
connector: On Windows use internal USB libraries instead of libusb
connector: Implement Host header allow listing (Use to prevent DNS rebinding attacks in applicable environments, e.g., if there is an absolute need to use a web browser on the host where the Yubihsm2 is installed to connect to untrusted web sites on the Internet. This is not a recommended practice.)
=== Version 1.0.1
shell: Fix hashing so signing from windows shell works
shell: Sorted output
pkcs11: Handle ecdsa with longer hash than key
pkcs11: Correct error for trying to extract EC key
pkcs11: Fix native locking on windows
pkcs11: Correct linking on macos
lib: Fix logic in session re-use
lib: Mark all internal symbols as hidden
ksp: Handle passwords longer than 8 characters
all: Provide deb packages on debian/ubuntu
=== Version 0.2.1
doc: add Compatibility.adoc
doc: fixup GET LOGS text
doc: fixup GET LOGS stanza
doc: fixup GET OBJECT INFO text
doc: add text about pkcs11 configuration
examples/attest: add reading out of cert after loading it
examples/import_rsa: change import_rsa example to use pss signing
examples: add wrap_data example
examples: change all examples to use yh_parse_domains
lib/tool/doc: add blink command
log: add yh_set_connector_option for transport options
lib: give create_session functions a reopen option
lib: add OBJECT_EXISTS error
lib: allow yh_util_get_object_info to not fill in an object
lib: implement yh_util_reset
lib: new function for setting debug output: yh_set_debug_output
pkcs11: add CKA_ENCRYPT and CKA_VERIFY to public keys
pkcs11: add an offset to the vendor defined values
pkcs11: add checks for boolean attributes we just accept
pkcs11: add configfile options for setting verbosity
pkcs11: add debug output file to pkcs11 config
pkcs11: don't set CKF_DECRYPT for pkcs+hash mechanisms
pkcs11: fix verify for CKM_RSA_PKCS_PSS
pkcs11: fixup for C_FindObjectsInit being called without logging in
pkcs11: fixup session release in C_CloseSession
pkcs11: ignore CKA_APPLICATION in object filtering
pkcs11: ignore CKA_KEY_TYPE in C_FindObjectsInit
pkcs11: in C_FindObjectsInit make more initial state earlier
pkcs11: in C_FindObjectsInit set operation type as late as possible
pkcs11: in C_GetSlotList detect overflow more reliably
pkcs11: move CKA_ENCRYPT and CKA_VERIFY from hard true on pubkey
pkcs11: move CKA_VERIFY and CKA_ENCRYPT from hard true for ec pubkey
pkcs11: move wrap/unwrap on rsa generate to unchecked
pkcs11: never try to delete a public key, lie and say it's fine instead
pkcs11: print more debug info on OAEP mechanism error
pkcs11: remove some skipped pkcs11test tests, we fail them correctly
pkcs11: return CKR_ATTRIBUTE_SENSITIVE on CKA_PRIVATE_EXPONENT
pkcs11: truncate CKA_ID to two bytes if it's longer
pkcs11: when closing the debug output file, reset it to stderr
tool: drop local connector spawn code
tool: add decrypt ecdh command
tool: add decrypt oaep command
tool: add output for decrypt pkcs1v15
tool: cleanup created objects after benchmark
tool: fixup otp decrypt that has to hex decode the otp
tool: for ecdh benchmarks delete the temporary key
tool: print a message when doing benchmark setup
tool: make the reset command print nicer messages
yhwrap: add hmac key pre-split