Age | Commit message | Author |
|
- Release buffered-reader 1.0.0, sequoia-openpgp 1.0.0, and
sequoia-sqv 1.0.0.
- Also release sequoia-sop 0.22.0.
|
|
- Fixes build on architectures with unsigned chars.
|
|
- Fixes #630.
|
|
- January 1st is a holiday in much of the world.
- When we disable an algorithm, things will almost certainly break
somewhere.
- Reduce the chance that things break when people are on vacation by
using February 1st as the cutoff day instead of January 1st.
|
|
- A `Policy` now knows whether the use of a hash requires collision
resistance or only second pre-image resistance.
- Extend `StandardPolicy`'s hash policy API to allow a user to
express a more nuanced policy that takes this information into
account.
- See #595.
|
|
- This uses calculated hash algorithm security instead of a hard-coded
value.
|
|
- Adjust `self_signatures`, `certifications`, `self_revocations` and
`other_revocations` to return `impl Iterator` over the signatures.
- Adjust all call-sites including doc tests.
- Adjust downstream projects (sq, autocrypt).
|
|
- The standard policy currently has two policies related to hash
algorithms: when a hash algorithm should be rejected for normal
signatures, and when a hash algorithm should be rejected for
revocation signatures.
- If we distinguish two security contexts, then we'll have four
policies (the cross product).
- If the current state is not already unmanageable, then this
certainly is.
- Simplify this by using a single scalar to represent how long a
revocation certificate using a broken hash should continue to be
accepted.
- This is probably sufficiently expressive in practice as this is a
largely inexact science. And, if a more nuanced policy is
required, it is always possible to wrap `StandardPolicy`.
|
|
- Add `Duration::years`.
- This function assumes that there are 365.2425 days in a year,
which is the average number of days in a year in the Gregorian
calendar.
|
|
- Make `Duration::seconds` a const fn.
|
|
- Certificates with a primary key that is not signing capable, and a
subkey that is, are strictly more secure than ones that combine
signing and certification capabilities in the primary key.
- If the owner of a certificate with a signing-capable primary key
can be tricked into creating a binary signature over carefully
chosen attacker-controlled data, this signature can be repurposed
to bind arbitrary attacker-controlled components to the
certificate using a chosen-prefix collision attack on the hash
function (see e.g. "SHA-1 is a Shambles" for a similar attack).
- Having a separate signing-subkey mitigates the attack, because
signatures by the signing subkey cannot bind components to the
certificate.
|
|
- If no data has been read, that may indicate an error. In this
case, even requesting no data may fail.
|
|
- Remove the function.
- Remove associated tests.
- Cert::revocation_keys does examine all live self-signatures.
- Fixes #629.
|
|
- Avoid the additional `fn f()`.
|
|
- See #480.
|
|
- Fixes #473.
|
|
- Fixes #622.
|
|
- Relaxes those dependencies that were unnecessarily strict and
patched by debian.
|
|
- Versions required by feature or API usage:
- anyhow 1.0.18.
- policy::test::reject_seip_packet and
policy::test::reject_cipher fail
- We use `impl From<anyhow::Error> for Box<dyn std::error::Error +
Send + Sync + 'static>`, introduced in 1.0.5.
- tokio 0.2.19
- We use `tokio::net::tcp::OwnedReadHalf`, introduced in 0.2.19.
- chrono 0.4.10
- We use the `std` feature, introduced in 0.4.10.
- thiserror 1.0.2
- futures and futures-util 0.3.5
- tempfile 3.1
- c_doctests require the same version of rand both as direct
dependency and through tempfile.
- Yanked versions:
- structopt 0.3.11. 0.3.8 to 0.3.10 were yanked.
- socket2 0.3.16. 0.3.0 to 0.3.15 were yanked.
- Update our dependencies to the package versions required by other
dependencies, e.g. structopt requires lazy_static 1.4.0.
- clap 2.33
- lazy_static to 1.4.0
- libc to 0.2.66
- proc-macro2 to 1.0.7
- syn to 1.0.5.
- winapi 0.3.8
|
|
- If the signer controls the data that is being signed, then the
hash algorithm only needs second pre-image resistance.
- This observation can be used to extend the life of hash algorithms
that have been weakened, as is the case for SHA-1.
- Introduces a new `enum HashAlgoSecurity`, which is now passed to
`Policy::signature`.
- See #595.
|
|
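The policy shape the three hash-policy commits above describe (a `HashAlgoSecurity` distinction passed to the signature check, per-algorithm cutoff dates on February 1st, and a single revocation-tolerance scalar instead of a cross product of policies), as an added example. This is illustrative code written for this page, not sequoia-openpgp's `StandardPolicy` or its real cutoff dates: the algorithm set, the cutoffs, the one-year tolerance and the helpers `years` and `utc_date` are all assumptions made here.

```rust
use std::collections::HashMap;
use std::time::{Duration, SystemTime, UNIX_EPOCH};

/// Average Gregorian year (365.2425 days) in seconds, the same assumption
/// the `Duration::years` commit above makes.
pub const fn years(n: u64) -> Duration {
    Duration::from_secs(n * 31_556_952)
}

/// Midnight UTC of a proleptic Gregorian date (days-from-civil algorithm;
/// only valid for dates at or after the Unix epoch).
pub fn utc_date(y: i64, m: u32, d: u32) -> SystemTime {
    let y = if m <= 2 { y - 1 } else { y };
    let era = y.div_euclid(400);
    let yoe = y - era * 400;
    let doy = (153 * ((m as i64 + 9) % 12) + 2) / 5 + d as i64 - 1;
    let doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    let days = era * 146_097 + doe - 719_468;
    UNIX_EPOCH + Duration::from_secs(days as u64 * 86_400)
}

/// Illustrative algorithm subset (assumption, not sequoia's full enum).
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum HashAlgorithm { MD5, SHA1, SHA256 }

/// What the signature context demands of the hash function.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum HashAlgoSecurity {
    /// The attacker may influence the signed data (third-party
    /// certifications, document signatures): collision resistance needed.
    CollisionResistance,
    /// The signer controls all signed data (self-signatures): second
    /// pre-image resistance suffices, so a weakened hash lives longer.
    SecondPreImageResistance,
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum SignatureKind { Normal, Revocation }

pub struct Policy {
    collision_cutoff: HashMap<HashAlgorithm, SystemTime>,
    second_preimage_cutoff: HashMap<HashAlgorithm, SystemTime>,
    /// The single scalar: how long past a cutoff a revocation made with
    /// the now-rejected hash is still accepted.
    revocation_tolerance: Duration,
}

impl Policy {
    /// Made-up cutoffs for illustration; February 1st as in the log above.
    pub fn illustrative() -> Self {
        let mut collision_cutoff = HashMap::new();
        let mut second_preimage_cutoff = HashMap::new();
        collision_cutoff.insert(HashAlgorithm::MD5, utc_date(2004, 2, 1));
        second_preimage_cutoff.insert(HashAlgorithm::MD5, utc_date(2004, 2, 1));
        collision_cutoff.insert(HashAlgorithm::SHA1, utc_date(2013, 2, 1));
        second_preimage_cutoff.insert(HashAlgorithm::SHA1, utc_date(2023, 2, 1));
        Policy { collision_cutoff, second_preimage_cutoff, revocation_tolerance: years(1) }
    }

    /// Accept or reject a signature made with `hash` at `created`.
    pub fn signature(&self, hash: HashAlgorithm, sec: HashAlgoSecurity,
                     kind: SignatureKind, created: SystemTime) -> Result<(), String> {
        let cutoffs = match sec {
            HashAlgoSecurity::CollisionResistance => &self.collision_cutoff,
            HashAlgoSecurity::SecondPreImageResistance => &self.second_preimage_cutoff,
        };
        let cutoff = match cutoffs.get(&hash) {
            None => return Ok(()), // never scheduled for rejection
            Some(t) => *t,
        };
        // Revocations use the same cutoff, shifted by the tolerance.
        let cutoff = match kind {
            SignatureKind::Normal => cutoff,
            SignatureKind::Revocation => cutoff + self.revocation_tolerance,
        };
        if created < cutoff {
            Ok(())
        } else {
            Err(format!("{:?} not accepted for {:?} {:?} signatures created at {:?} (cutoff {:?})",
                        hash, sec, kind, created, cutoff))
        }
    }
}

fn main() {
    let policy = Policy::illustrative();
    let t = utc_date(2020, 1, 1);
    for sec in [HashAlgoSecurity::CollisionResistance, HashAlgoSecurity::SecondPreImageResistance] {
        for kind in [SignatureKind::Normal, SignatureKind::Revocation] {
            println!("SHA1 {:?} {:?} in 2020: {:?}", sec, kind,
                     policy.signature(HashAlgorithm::SHA1, sec, kind, t));
        }
    }
}
```

With these made-up dates a SHA-1 self-signature from 2020 is still accepted (second pre-image context) while a 2020 third-party certification is not, and a SHA-1 revocation made in mid-2013 squeaks in because the one-year tolerance moves its cutoff to early 2014. A caller wanting a more nuanced rule than one scalar wraps `Policy` and delegates, as the log suggests for `StandardPolicy`.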
- See #615.
|
|
- See #615.
|
|
- This way the entire `BufferedReader<C>` will be `Send` and `Sync`.
- Modify all other crates accordingly.
- See #615.
|
|
- Declare trait bounds using a where clause. It looks a bit odd if
there is no bound, but not worse than before.
|
|
- See #615.
|
|
- See #615.
|
|
- All types that are `Send` and `Sync` are checked now.
- Fixes #627.
|
|
- With !928 merged more types are `Send` and `Sync` now.
- See #627.
|
|
- This ensures that all types with Policies (`Valid*`) are `Send` and `Sync`.
|
|
- Use generics and the anonymous lifetime in `assert_send_and_sync!`.
- See #627.
|
|
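How bounding the cookie type makes a whole `BufferedReader<C>` `Send` and `Sync`, and how a generics-and-anonymous-lifetime `assert_send_and_sync!` can check that at compile time, as an added example covering the `Send`/`Sync` commits above. This is illustrative code written for this page, not the macro or the reader type from the buffered-reader or sequoia sources; `BufferedReader`, `data`, `consume` and `demo` are stand-ins with made-up semantics.

```rust
use std::sync::Arc;

/// Compile-time check that a type is `Send + Sync`. The checked type may
/// use the anonymous lifetime `'_`; generic parameters and a `where`
/// clause may follow it, so a generic type can be checked for every `C`
/// that satisfies the bound. (Illustrative re-creation, assumption.)
macro_rules! assert_send_and_sync {
    ($ty:ty $(, $param:ident)* $(where $($bound:tt)+)?) => {
        const _: () = {
            fn is_send_and_sync<T: Send + Sync + ?Sized>() {}
            #[allow(dead_code)]
            fn holds<$($param),*>() $(where $($bound)+)? {
                is_send_and_sync::<$ty>();
            }
        };
    };
}

/// Minimal buffered reader over a borrowed slice carrying a user cookie.
/// Illustrative shape only, not the buffered-reader crate's type.
pub struct BufferedReader<'a, C> {
    data: &'a [u8],
    pos: usize,
    pub cookie: C,
}

impl<'a, C> BufferedReader<'a, C>
where
    C: Send + Sync,
{
    pub fn new(data: &'a [u8], cookie: C) -> Self {
        BufferedReader { data, pos: 0, cookie }
    }

    /// Return everything still unread (at least `amount` bytes) without
    /// consuming it; fail if fewer than `amount` bytes remain.
    pub fn data(&self, amount: usize) -> Result<&'a [u8], String> {
        let rest = &self.data[self.pos..];
        if rest.len() >= amount {
            Ok(rest)
        } else {
            Err(format!("wanted {} bytes, only {} available", amount, rest.len()))
        }
    }

    /// Consume and return exactly `amount` bytes; callers check with
    /// `data` first, so running short here is a caller bug (panics).
    pub fn consume(&mut self, amount: usize) -> &'a [u8] {
        let chunk = &self.data[self.pos..self.pos + amount];
        self.pos += amount;
        chunk
    }
}

// With `C` bounded, the reader is Send + Sync for every such `C` ...
assert_send_and_sync!(BufferedReader<'_, C>, C where C: Send + Sync);
// ... including a concrete cookie. Replacing `Arc` with `Rc` here makes
// this item fail to compile, which is the point of the check.
assert_send_and_sync!(BufferedReader<'_, Arc<Vec<u8>>>);

/// Driver over a constructed 11-byte input: peek, consume, peek again.
pub fn demo() -> (Vec<u8>, Vec<u8>) {
    let input = b"hello world"; // constructed sample input
    let mut reader = BufferedReader::new(&input[..], Arc::new(Vec::<u8>::new()));
    let first = reader.data(5).expect("at least 5 bytes").to_vec(); // all 11 bytes
    let _ = reader.consume(6);
    let second = reader.data(5).expect("at least 5 bytes").to_vec(); // "world"
    (first, second)
}

fn main() {
    let (first, second) = demo();
    println!("{:?} then {:?}", String::from_utf8_lossy(&first), String::from_utf8_lossy(&second));
}
```

The `where` form on the `impl` reads a little oddly when a type has no bound at all, as the log notes, but it keeps every instantiation checkable by the same macro; the `const _` items cost nothing at runtime and fail the build the moment a non-`Send` field or cookie slips in.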
- See #627.
|
|
- This makes it harder for an attacker to convince a victim to sign
a predetermined text. See Leurent, G. and Peyrin, T., 2020. SHA-1
is a Shambles, Section 7.2:
> [...] if the serial number is unpredictable then the [chosen
> prefix] collision attack is thwarted as a crucial part of the
> hashed input is not controlled by the attacker.
- We use 32 bytes of randomness, which provides plenty of entropy,
yet is way smaller than the block size of the average hash function.
Adding random data that is included in the signature provides an
opportunity to mutate this data to attack the hash function.
Limiting the amount to less than the block size should avoid
this concern.
- We use a notation to include the data, because this is the least
intrusive way to add it. It is also self-describing.
- Fixes #597.
|
|
- See #615.
|
|
- Fixes #556.
|