- build eapol_test, it's a useful way to test RADIUS servers + EAP
- rather than using a whole new build config file, copy and patch the
upstream default, making it easier to incorporate upstream changes in new
versions, and see what we have/haven't enabled
- replace /dev/urandom with arc4random_buf
25 March 2019
- Fix a socket issue when pcscd is used inside LXC container
- pcsc-spy: always provide a total time of execution
- Fix resource leak if SCardEstablishContext() fails
- Fix realloc(3) error handling (possible memory leak)
- Remove usage of function chmod(2) to use fchmod(2) (fix race condition)
1.8.24
12 October 2018
- the project moved to https://pcsclite.apdu.fr/
- SCardGetStatusChange(): Fix a rare race condition
- SCardReleaseContext(): do not release a lock owned by another context
- SCardReconnect(): suspend card auto power off
- Allow "=" in serial driver filenames
- Add the thread id in the pcscd log lines
- pcsc-spy: correctly handle incomplete log file
- Simclist: avoid dividing by zero in list_findpos()
- Some other minor improvements
No problems with a Yubikey NEO.
The pyscard smartcard library is a framework for building smart card
aware applications in Python.
the PCSC API Python wrapper module.
- smartcard.scard, an extension module wrapping the WinSCard API (smart
card base components) also known as PC/SC
- smartcard, a higher level Python framework built on top of the raw
PC/SC API
Version 1.9.9
From Lucas Rabb
Input and tweaks from myself and sthen
OK sthen
Crypt::PKCS10 parses PKCS #10 requests and provides accessor methods to
extract the requested data. First, the request will be parsed using the
included ASN.1 definition. Common object identifiers will be translated to
their corresponding names. Additionally, accessor methods allow extracting
single data fields. Bit Strings like signatures will be printed in their
hexadecimal representation.
From henning@; ok sthen@ afresh1@
The Crypt::LE module provides the functionality necessary to use Let's
Encrypt API and generate free SSL certificates for your domains. It can
also be used to generate private RSA and ECC keys or Certificate Signing
Requests without resorting to openssl command line. Crypt::LE is shipped
with a self-sufficient client for obtaining SSL certificates, le.pl.
Both ACME v1 and ACME v2 protocols and wildcard certificate issuance are
supported.
From henning@; ok sthen@ afresh1@
* The cvtsudoers command will now reject non-LDIF input when converting
from LDIF format to sudoers or JSON formats.
* The new log_allowed and log_denied sudoers settings make it possible
to disable logging and auditing of allowed and/or denied commands.
* The umask is now handled differently on systems with PAM or login.conf.
If the umask is explicitly set in sudoers, that value is used regardless
of what PAM or login.conf may specify. However, if the umask is not
explicitly set in sudoers, PAM or login.conf may now override the default
sudoers umask. Bug #900.
* For "make install", the sudoers file is no longer checked for syntax
errors when DESTDIR is set. The default sudoers file includes the
contents of /etc/sudoers.d which may not be readable as non-root.
Bug #902.
* Sudo now sets most resource limits to their maximum value to avoid
problems caused by insufficient resources, such as an inability to
allocate memory or open files and pipes.
* Fixed a regression introduced in sudo 1.8.28 where sudo would refuse
to run if the parent process was not associated with a session.
This was due to sudo passing a session ID of -1 to the plugin.
Mbed TLS 2.16.3 is a maintenance release of the Mbed TLS 2.16 branch,
and provides bug fixes and minor enhancements. Overview of changes can
be found at
https://github.com/ARMmbed/mbedtls/releases/tag/mbedtls-2.16.3.
Minor of mbedcrypto has been bumped as symbols have been added.
OK sthen@
vex is amd64-only and there is no point in attempting to build packages
only to have them fail when the RDEP on vex cannot be resolved (e.g. on
i386 as reported by sthen).
prompted by sthen@
ok kn@
* Export UID, which is stripped by env -i; used by checks if user is root.
* Run tests with bash. Various scripts use bash features.
* Replace unportable grep expression.
ok landry@
clang-based platform like amd64. This commit makes Ghidra build with clang by:
* Adding a clang toolChains block in nativeBuildProperties.gradle
* Adding COMPILER="base-clang ports-clang"
* Updating WANTLIB by replacing libstdc++ with ${COMPILER_LIBCXX}
In addition, honor CXX by setting tools.cppCompiler.executable and
tools.linker.executable in nativeBuildProperties.gradle to ${CXX}. Also print
those variables so that we can confirm that they are set properly.
Lastly, add --stacktrace to the gradle command to facilitate future debugging.
Thanks to daniel@ for bringing this to my attention, naddy@ for his detailed
report of the g++ and CXX issues, and sthen@ for suggesting a possible fix.
ok naddy@ sthen@
ghc and the hs-packages now simply include the necessary (haskell)
package description files in lib/ghc/package.conf.d and update the
package.cache by running ghc-pkg recache at the end. register and
unregister scripts are no longer needed.
- out of bounds write in NSIS bzip2 library
- improvements to the zip bomb mitigations added in 0.101.3, there is now
a maximum scan time limit, defaulting to 2 minutes
* Support for UNIX domain socket connections. A backend endpoint can now
be specified as a UNIX domain socket, via backend = "/path/to/socket".
* New configuration file settings pem-dir and pem-dir-glob. pem-dir can
be used to specify a directory for loading certificates, without
specifying each file individually.
* Support for TLS 1.3. Thanks to Lasse Karstensen.
* Fixed a bug that would cause a crash on reload if ocsp-dir was changed.
* Add log-level. This supersedes the previous quiet setting,
which is now deprecated.
* Add proxy-tlv. This enables extra reporting of cipher and protocol as
part of the PROXYv2 protocol.
* Drop TLSv1.1 from the default TLS protocols list.
Use Python 3 during build and make tests depend on the current version while
here.
py-Rijndael is python2-only, has no consumers, and hasn't been
updated since 2009
py-crack is python2-only, has no consumers, and hasn't been updated
since 2009
py-cryptkit is python2-only, has no consumers, and hasn't been updated
since it was imported in 2002
OK sthen@
on i386; link with -Wl,-z,notext for now (this knocks out a large chunk
of the ports tree). ok aja@
ld: error: can't create dynamic relocation R_386_32 against symbol: _gnutls_x86_cpuid_s in readonly segment; recompile object files with -fPIC or pass '-Wl,-z,notext' to allow text relocations in the output
angrop is a tool to automatically generate ROP chains.
It is built on top of angr's symbolic execution engine, and uses constraint
solving for generating chains and understanding the effects of gadgets.
angrop should support all the architectures supported by angr, although more
testing needs to be done.
Typically, it can generate rop chains (especially long chains) faster than
humans.
It includes functions to generate chains which are commonly used in exploitation
and CTFs, such as setting registers, and calling functions.
joint work with and ok kn@
OpenBSD. This is based on a pull request from Jeremy O'Brien at
https://github.com/NationalSecurityAgency/ghidra/pull/490 and the Ghidra
build guide at
https://github.com/NationalSecurityAgency/ghidra/blob/master/DevGuide.md .
In addition, I have made these changes to make Ghidra work better as an OpenBSD
port:
1. I removed the explicit check for Gradle 5.0 because I was able to build
Ghidra with latest versions of Gradle. At the time of commit, our
java/gradle port is 5.5.1 which is the latest version of Gradle.
2. By default, the Ghidra build process tries to fetch dependent files on demand
while building. This will cause the build to fail if the port is built using
the _pbuild user. To fix this, I made the port fetch all the dependent .jar
files prior to building. I also used gradle's --offline flag which
explicitly tells gradle to "Execute the build without accessing network
resources".
3. To prevent the build process from touching $HOME, I made gradle use
${WRKDIR}/gradle as its home and also modified GHelpBuilder.java
(the program that builds help files during build) to log to ${WRKDIR}
instead of $HOME/.ghidra.
4. One of the Gradle scripts (ip.gradle) scans the Ghidra source tree so
I had to explicitly tell it to exclude *.orig and *.beforesubst.
help from bentley@ and Jeremy O'Brien
ok bentley@ rpointel@ (maintainer)
If somebody is removed who actually wants maintainer and either
didn't receive the mail, or didn't bother to reply to it, they are
free to send a diff to reinstate.
ok sthen@, jca@
Minisign is a dead simple tool to sign files and verify signatures.
It is portable, lightweight, and uses the highly secure Ed25519 public-key
signature system.
Signatures written by minisign can be verified using OpenBSD's signify tool:
public key files and signature files are compatible. However, minisign uses
a slightly different format to store secret keys.
Minisign signatures include trusted comments in addition to untrusted
comments. Trusted comments are signed, thus verified, before being
displayed. This adds two lines to the signature files, that signify
silently ignores.
ok sthen@
internal replacement function. Following the changes to make realpath(3) use the
__realpath() syscall these no longer detect broken realpath i.e. produce different
code. Bump REVISION to ensure that users get the new version.
there may be some missing as my unpacked ports source is a little out of date
but this should catch the main things people might run into
the struct was reordered a second time in sysctl.h r1.192 to improve
compatibility but amd64 snapshot packages made it out before that happened
so the bumps are still needed
sn0int is a semi-automatic OSINT framework and package manager. It was built
for IT security professionals and bug hunters to gather intelligence about a
given target or about yourself. sn0int is enumerating attack surface by
semi-automatically processing public information and mapping the results in a
unified format for followup investigations.
port from kpcyrd at rxv cc
OK gonzalo@, bentley@
MODJAVA_VER to 1.8; feedback/ok ian@
While here:
* Add a reminder about checking if future updates will work with jdk 11
(text borrowed from sthen@)
* Switch to the new PERMIT_* markers (thanks to naddy@ for confirming that
this is the right way to do this)
* Change the HOMEPAGE to use https
Added cmake checks for malloc.h and malloc_usable_size(3). Include malloc.h only
if it exists. Fall back to stdlib.h and use malloc_usable_size(3) only if there
is one.
Thanks sthen@ and jca@ for a lot of feedback, help and patience.
Tested and ok thfr@, ok jca@
Follow the upstream recommendations for packagers and switch to
multi-packages:
devel/gettext -> devel/gettext,-runtime
devel/gettext-tools -> devel/gettext,-tools
(new) devel/gettext,-textstyle
lang/python port module. I've not yet come up with a port that
would not need this and one can always set MODPY_TESTDEP to "no"
to prevent the module from touching TEST_DEPENDS.
Idea from afresh1 who pointed out the cpan module already does this.
aja "I support this move."
OK sthen@
Pwntools is a CTF framework and exploit development library. Written in
Python, it is designed for rapid prototyping and development, and
intended to make exploit writing as simple as possible.
NB: Only the 'pwn' script has been installed, all other end-user scripts
are available through 'pwn', e.g. 'pwn checksec'.
OK aja@
like the rest of the ports tree. This also allows removing a bunch of
manual setting of PATH="${PORTPATH}" HOME="${PORTHOME}" done in various
ports etc. This also makes sure CFLAGS is passed through (not everything
honours it but it does improve at least some ports).
Remove NO_CCACHE from www/honk that was added because the above problem
resulted in ccache variables not being passed through correctly breaking
the cc calls in this.
ok kmos@