Archive for the ‘Releases’ Category

SoftHSM 2.0.0b2

Version 2.0.0b2 of SoftHSM has been released.

Updates:

  • SOFTHSM-50: OpenSSL FIPS support.
  • SOFTHSM-64: Updated build script for Windows.
  • SOFTHSM-100: Use --free with softhsm2-util to initialize the first free token.
  • SOFTHSM-103: Allow runtime configuration of log level.
  • SOFTHSM-107: Support for CKM__CBC_PAD.
  • Add support for CKM_RSA_PKCS_OAEP key un/wrapping. (Patch from Petr Spacek)
  • Use OpenSSL EVP interface for AES key wrapping. (Patch from Petr Spacek)
  • Allow reading configuration file from user’s home directory. (Patch from Nikos Mavrogiannopoulos)

Bugfixes:

  • SOFTHSM-102: C_DeriveKey() uses OBJECT_OP_GENERATE.
  • Coverity found a number of issues.

Download:

 

OpenDNSSEC 1.4.7

Version 1.4.7 of OpenDNSSEC has now been released.

Bugfixes:

  • SUPPORT-147: Zone updating via zone transfer can get stuck (Håvard Eidnes)
  • Crash on ‘retransfer’ command when not using DNS adapters.

Download:

  • https://dist.opendnssec.org/source/opendnssec-1.4.7.tar.gz
  • https://dist.opendnssec.org/source/opendnssec-1.4.7.tar.gz.sig
  • Checksum SHA256: 8f757ca9e88d6a6dc8f9b6e46a3da5e3a2881b3311fb91c428bcf906683ac41f

SoftHSM 2.0.0b1

Version 2.0.0b1 of SoftHSM has been released.

Updates:

  • SOFTHSM-84: Check that all mandatory attributes are given during the creation process.
  • SOFTHSM-92: Enable -fvisibility=hidden by default.
  • SUPPORT-137: Implement C_EncryptUpdate and C_EncryptFinal (Patch from Martin Paljak)
  • Add support for CKM_RSA_PKCS key un/wrapping (Patch from Petr Spacek)

Bugfixes:

  • SOFTHSM-66: Attribute handling when using multiple threads
  • SOFTHSM-93: Invalid C++ object recycling.
  • SOFTHSM-95: umask affecting the calling application.
  • SOFTHSM-97: Check if Botan has already been initialized.
  • SOFTHSM-98: Handle mandatory attributes for DSA, DH, and ECDSA correctly.
  • SOFTHSM-99: Binary encoding of GOST values.
  • SUPPORT-136: softhsm2-keyconv creates files with sensitive material in insecure way.

Download:

 

OpenDNSSEC 1.4.6

Version 1.4.6 of OpenDNSSEC has now been released:

Updates:

  • Signer Engine: Print secondary server address when logging notify reply errors.
  • Build: Fixed various OpenBSD compatibility issues found by Patrik Lundin <patrik.lundin.swe@gmail.com>.
  • OPENDNSSEC-621: conf.xml: New options: <PidFile> for both enforcer and signer, and <SocketFile> for the signer.
  • New tool: ods-getconf: to retrieve a configuration value from conf.xml given an expression.

Bugfixes:

  • OPENDNSSEC-469: ods-ksmutil: With the ‘zone add’ command, the zone was still added to the database when zonelist.xml.backup could not be written. Solved by checking that zonelist.xml.backup is writable before adding zones, and by adding an error message when adding a zone fails.
  • OPENDNSSEC-617: Signer Engine: Fix DNS Input Adapter to not reject zone the first time due to RFC 1982 serial arithmetic.
  • OPENDNSSEC-619: Memory leak when signer failed; solved by adding ldns_rr_free(signature) in libhsm.c.
  • OPENDNSSEC-627: Signer Engine: Unable to update serial after restart when the backup files have been removed.
  • OPENDNSSEC-628: Signer Engine: Ignored notifies log level is changed from debug to info.
  • OPENDNSSEC-630: Signer Engine: Fix inbound zone transfer for root zone.
  • libhsm: Fixed a few other memory leaks.
  • simple-dnskey-mailer.sh: Fix syntax error. (by Patrik Lundin https://github.com/eest)

Documentation:

Download:

 

OpenDNSSEC 1.3.18

Version 1.3.18 of OpenDNSSEC has now been released:

Updates:

  • OPENDNSSEC-620: conf.xml: New options: <PidFile> for both enforcer and signer, and <SocketFile> for the signer.
  • Build: Fixed various OpenBSD compatibility issues found by Patrik Lundin <patrik.lundin.swe@gmail.com>.
  • New tool: ods-getconf: to retrieve a configuration value from conf.xml given an expression.

Bugfixes:

  • OPENDNSSEC-632: ods-ksmutil: With the ‘zone add’ command, the zone was still added to the database when zonelist.xml.backup could not be written. Solved by checking that zonelist.xml.backup is writable before adding zones, and by adding an error message when adding a zone fails.
  • OPENDNSSEC-624: Memory leak when signer failed; solved by adding ldns_rr_free(signature) in libhsm.c.
  • simple-dnskey-mailer.sh: Fix syntax error. (by Patrik Lundin https://github.com/eest)
  • libhsm: Fixed a few other memory leaks.

Documentation:

Download:

 

SoftHSM 1.3.7

Version 1.3.7 of SoftHSM has been released.

Bugfixes:

  • SOFTHSM-94: umask affecting the calling application.
  • SOFTHSM-96: Check if Botan has already been initialised.

Documentation:

Download:

 

OpenDNSSEC 1.3.17

Version 1.3.17 of OpenDNSSEC has now been released:

Updates:

  • SUPPORT-114: libhsm: Optimize storage in HSM by deleting the public key directly if SkipPublicKey is used [OPENDNSSEC-575].
  • Signer Engine: log serial of signed zone in STATS line.
  • OPENDNSSEC-550: Signer Engine: Put NSEC3 records on empty non-terminals derived from unsigned delegations (be compatible with servers that are incompatible with RFC 5155 errata 3441).
  • OPENDNSSEC-569: Build compatibility with SoftHSMv2.
  • Signer Engine: Examine unsigned zone checks for SOA RRset existence.
  • OPENDNSSEC-591: ods-ksmutil: Extend ‘key list’ command with options to filter on key type and state. This allows keys in the GENERATE and DEAD state to be output.

Bugfixes:

  • SUPPORT-116: ods-ksmutil key import. Date validation fails on certain dates [OPENDNSSEC-589].
  • OPENDNSSEC-481: libhsm: Fix an off-by-one length check error.
  • OPENDNSSEC-482: libhsm: Improved cleanup for C_FindObjects.
  • OPENDNSSEC-515: Signer Engine: Don’t replace tabs in RRs with whitespace.
  • OPENDNSSEC-538: libhsm: Possible memory corruption in hsm_get_slot_id.
  • Signer Engine: Fix a race condition when stopping daemon.
  • OPENDNSSEC-586: enforcer & ods-ksmutil: Improve logging on key creation and allocation.
  • OPENDNSSEC-588: ods-ksmutil: Exported value of <Parent><SOA><TTL> in ‘policy export’ output could be wrong on MySQL.

Documentation:

Download:

 

OpenDNSSEC 1.4.5

Version 1.4.5 of OpenDNSSEC has now been released:

Bugfixes:

  • OPENDNSSEC-607: libhsm not using all mandatory attributes for GOST key generation.
  • OPENDNSSEC-609: ods-ksmutil: ‘key list’ command fails with error in 1.4.4 on MySQL. Reported by Mark Elkins <mje@posix.co.za>

Documentation:

Download:

 

SoftHSM 2.0.0a2

Version 2.0.0a2 of SoftHSM has been released.

Updates:

  • SOFTHSM-68: Display a better configure message when there is a version of Botan with a broken ECC/GOST/OID implementation.
  • SOFTHSM-70: Improved handling of the database backend.
  • SOFTHSM-71: Supporting Botan 1.11.
  • SOFTHSM-76: Do not generate RSA keys smaller than 1024 bit when using the Botan crypto backend.
  • SOFTHSM-83: Support CKA_VALUE_BITS for CKK_DH private key object.
  • SOFTHSM-85: Rename libsofthsm.so to libsofthsm2.so and prefix the command line utilities with softhsm2-.
  • SOFTHSM-89: Use constants and not strings for signaling algorithms.
  • SUPPORT-129: Possible to use an empty template in C_GenerateKey. The class and key type are inherited from the generation mechanism. Some mechanisms do however require a length attribute. [SOFTHSM-88]
  • SUPPORT-131: Support RSA-PSS using SHA1, SHA224, SHA256, SHA384, or SHA512. [SOFTHSM-87]

Bugfixes:

  • SOFTHSM-39: Fix 64 bit build on sparc sun4v.
  • SOFTHSM-69: GOST did not work when you disabled ECC.
  • SOFTHSM-78: Correct the attribute checks for a number of objects.
  • SOFTHSM-80: Prevent segfault in OpenSSL GOST HMAC code.
  • SOFTHSM-91: Fix a warning from static code analysis.
  • Fixed a number of memory leaks.

Documentation:

Download:

 

OpenDNSSEC 1.4.4

Version 1.4.4 of OpenDNSSEC has now been released:

Updates:

  • SUPPORT-114: libhsm: Optimize storage in HSM by deleting the public key directly if SkipPublicKey is used [OPENDNSSEC-574].
  • OPENDNSSEC-358: ods-ksmutil: Extend ‘key list’ command with options to filter on key type and state. This allows keys in the GENERATE and DEAD state to be output.
  • OPENDNSSEC-549: Signer Engine: Put NSEC3 records on empty non-terminals derived from unsigned delegations (be compatible with servers that are incompatible with RFC 5155 errata 3441).

Bugfixes:

  • SUPPORT-86: Fixed build on OS X [OPENDNSSEC-512].
  • SUPPORT-97: Signer Engine: Fix after restart signer thinks zone has expired [OPENDNSSEC-526].
  • SUPPORT-101: Signer Engine: Fix multiple zone transfer to single file bug [OPENDNSSEC-529].
  • SUPPORT-102: Signer Engine: Fix statistics (count can be negative).
  • SUPPORT-108: Signer Engine: Don’t replace tabs in RRs with whitespace [OPENDNSSEC-520].
  • SUPPORT-116: ods-ksmutil: ‘key import’ date validation fails on certain dates [OPENDNSSEC-553].
  • SUPPORT-128: ods-ksmutil: Man page had incorrect formatting [OPENDNSSEC-576].
  • SUPPORT-127: ods-signer: Fix manpage sections.
  • OPENDNSSEC-457: ods-ksmutil: Add a check on the ‘zone add’ input/output type parameter to allow only File or DNS.
  • OPENDNSSEC-481: libhsm: Fix an off-by-one length check error.
  • OPENDNSSEC-482: libhsm: Improved cleanup for C_FindObjects.
  • OPENDNSSEC-531: ods-ksmutil: Exported value of <Parent><SOA><TTL> in ‘policy export’ output could be wrong on MySQL.
  • OPENDNSSEC-537: libhsm: Possible memory corruption in hsm_get_slot_id.
  • OPENDNSSEC-544: Signer Engine: Fix assertion error that happens on an IXFR request with EDNS.
  • OPENDNSSEC-546: enforcer & ods-ksmutil: Improve logging on key creation and allocation.
  • OPENDNSSEC-560: Signer Engine: Don’t crash when unsigned zone has no SOA.
  • Signer Engine: Fix a race condition when stopping daemon.

Documentation:

Download: