pcp/ChangeLog

0.4.1
    Merged upstream patch:
    https://github.com/zeromq/libzmq/pull/2322,
    which fixes:
    https://github.com/zeromq/libzmq/issues/903:
    Problem: zmq_z85_decode does not validate its
    input. Solution: added checks for invalid
    characters and overflows.

0.4.0
	Changed -C again: doesnt support a key argument
	anymore, instead I use the facilities I already
	have in place (-x and -X). Also, I don't generate
	an extra hash for the key anymore.

	Removed libpcp/getpass.c, not used anymore.

	Added --extpass (implementation from encfs, but
	somewhat modified).

	Moved src/readpass.c to libpcp/.

	Added check for weak passphrases using entropy
	test. Used with -k.

	Removed support for unencrypted secret key storage
	so, pcp aims to be secure by default and fails
	safely.

	Using cst_time_memcpy by Christophe Meessen instead
	of libc's memcpy: constant time memcpy is much more
	secure than the default, especially in our context.

	Anonymous encrypted files are now signed with primary
	secret key, so that the recipient will be able to
	verify the signature.

	Added -v support for -d and -e.

	Removed endian conversion stuff. see util.c for details.

	Fixed: use key signatures for vault checksum calc as well.

0.3.0
	Changed publuc key signature storage, previously
	I didn't add the actual signature, therefore a
	public key could have been verified only during
	import but never thereafter. This affects exported
	public keys (32 byte larger) and vault storage,
	but is backwards compatible.

	Added JSON output support using libjansson (-j),
	supported by -t, -p, -s and -K.

	Abandoned YAML, perl and C key export support,
	better doing one external format but doing it
	good. Also, I had no importers for those formats.

	Removed -y for YAML vault export as well. Maybe
	I'll add a parameter to -p or -s so one can
	select which key[s] to export.

	removed hand-written padding stuff and using
	libsodiums _easy() functions for crypto now
	instead of the raw nacl ones. instead we use
	the _easy variants of the crypto_*box functions,
	which libsodium provides. I didn't use them so
	far because I wasn't aware of their existence.

	using secure memory where applicable.

	changed encryption protocol, now we're using
	counter mode for stream encryption. we use the
	nonce, which is required by crypto_secretbox
	anyway, as a counter. our counter has a variable
	size and starts with one byte. the first byte
	of the nonce signifies the counter size and the
	following byte(s) are used as the counter. if it
	is larger than one byte, it will be converted to
	big endian. maximum possible counter size is 184
	bit, current maximum implemented counter size is
	64 bit.

	removed CBC mode support, it wasn't enabled by
	default anyway.

	using libsodium memory protection facilities where
	applicable (keys, passwords, hashes).

	fixed compilation failure when using clang.

	fixed self-mode crypto. now -m enables symmetric
	encryption, while -M adds the senders primary pub
	key to the list of recipients in asymmetric mode.

	added automated tests using travis-ci:
	https://travis-ci.org/TLINDEN/pcp/

	fixed several use-after-free bugs in encryption
	code.

	made configure more portable, esp. fixed finding
	of libsodium.

	replaced star's incorporated scrypt() with the
	one libsodium now provides. breaks compatibility
	to older pcp versions, but is more portable and
	removes to burden to keep this code up to date.

	added option -X (read passphrase from file).

	Symmetric decryption doesn't require a vault
	anymore.

	Added -C: create a blake2 checksum of one or
	more files.

0.2.4	fixed compiler macro misplacement (github#4).

	fixed invalid free (github#5).

	fixed invalid memset(0) in ps_close().

	added python binding, not enabled by default,
	use --with-python-binding to turn it on.

	certain generated files are no more generated by
	autogen.sh, but manually by myself and put into
	git, because the generation isn't portable. also
	fixes github#3.

	disabled conftests when cross compiling.


0.2.3   Z85 block encoding changed. 4 bytes are appended
	to each input block to denote if and how many
	zeroes have been used for padding, necessary
	since z85 doesn't have any native padding scheme,
	and only padding with zeroes is insuffucient. This
	change breaks - currently - compatibility to pbp.

	Added new option --anonymous (-A) which uses a
	generated keypair for encryption and puts the
	public part into the encrypted message.

	Fixed lots of memory leaks.

0.2.2   Enhanded --edit-key a little, it's now possible to
	make a secret the primary one.

	Added new option -v (the previous -v has moved to
	--version only) for verbose. Currently only supported
	by --list-keys. In this mode more details will be
	printed. Also added a couple of alias options for
	existing ones (e.g. -a for armor which is an alias
	for -z).

	Removed options -P and -S, replaced by -K (long:
	--import-key) used to import a key. The key type
	is now determined automatically as well as the
	encoding.

	Made libpcp threadsafe by removing all global vars
	and putting that stuff into the new PCP Context
	class (ptx.h), which now holds errors and key hashes.

	Use 64bit integers for time values in exported
	keys (we use 64 bit internaly already), to be
	year 2038 safe.

	Added a new file type (PCP_ASYM_CIPHER_SIG) which
	marks encrypted+signed files. This is incompatible
	to pbp, but it doesn't support that feature anyway.
	To decrypt encrypted+signed files the option -c
	is therefore no more required, since pcp2 can now
	determine the file mode itself.

0.2.1   My crypt+sign implementation were wrong (better:
	defect). It worked but a legal recipient could
	re-encrypt the message and attach the original
	signature, fooling a third party. Now the signature
	is being made of the encrypted recipient list,
	the cleartext content (both hashed together) and
	encrypted afterwards.

	Re-implemented pcp_readz85string() function, it's
	now much more fault tolerant and flexible and
	save against overflows. It is able to catch a
	multitude of z85 encoded inputs, such as multiline
	z85 data, oneline z85 data, including or without
	headers/footers and it considers any single line
	of content which ends with [\r]\n and contains
	a whitespace as comment.

	Added Buffer 'class' internal api to make it easier
	to work with binary data in various, flexible and
	error prone ways. Cribbed from the code in
	openssh/buffer.c.

	Import and export of keys is now being done in the
	lib and no more in src. Src only opens files and
	asks for passwords and stuff like this.

	Changed public key export format to RFC4880, see
	include/pcp/mgmt.h for details. Pcp uses only a
	small subset of what the rfc provides, I left out
	most of the bloat. Also our keys are incompatible
	with OpenPGP of course, since our ciphers are
	different. But it's a standardized format, easy
	to work with and flexible. From this point on
	it should be possible to import old public keys
	even if the internal structure changed. This wasn't
	possible in the past.

	The secret key export format changed as well. It
	is proprietary but more flexible than the old one
	as well. It now only contains static data, whatever
	can be calculated later isn't stored. Everything
	is being put into one stream and completely encrypted
	symmetrically. As with the new pubkey export format
	this one as well is independent of internal structs
	in pcp and should therefore be future proof.

	Internal api change: added pcpstream, which is a
	wrapper around file i/o or buffer i/o. It's used
	in libpcp/crypto.c (more to follow), so it depends
	on the caller if it works on files or on buffers.
	Pcpstreams also automatically encode/decode Z85.

	Due to the new pcpstream class pcp now supports
	armored encrypted files, which it didn't previously.

	Lots of refactoring have been done to clear things
	out and make the system work with the changes
	above.

	Added various convenience pubkey export formats,
	beside pbp and pcp also supported are now perl,
	c and yaml code. A programmer can use this to
	put a public key in a small program.

	Finally found the bug that leaded to the unittests
	sometimes fail as previously described in the TODO
	file: the function libpcp/z85.c:_buffer_is_binary()
	shall return a non-zero value if it finds a binary
	character in the input. However, if the first char
	of the input was binary it returned 0, which was then
	interpreted later such that the input is ascii.
	To fix this, the function now starts at position 1
	to search.

	Added API doc for libpcp, generated using doxygen
	in man/html/. Latest API docs can be found on
	http://www.daemon.de/libpcp/.

	At this point I'd like to thank Liquid Soul. Only
	thanks to their music I was able to do those heavy
	changes. It's like a drug boosting the brain. Love
	U, man!




0.2.0	ED25519 and Curve25519 keys are now generated
	separately (previously they were generated from
	one random seed, the curve had been derived from
	the ed key).

	To encrypt the secret keys, we're now using a key
	derived from the user passphrase generated using
	the scrypt() function, incorporated from tarsnap
	via scrypt-1.1.6.

	The "derived pcp key" feature has been dropped.

	Encrypted file format/scheme changed. Previously
	I included the sender's key-id with the encrypted
	cipher as a hash. So, encrypted message do no more
	contain pk material.

	Changed signature scheme completely. Binary signature
	follow the pbp scheme: calculate blake2 hash of the
	content, sign the hash, write out original content,
	add "\nnacl-", add the signature, add the hash.
	Armored signatures are calculated the same way but
	output follows the pgp scheme instead.

	Detached signatures are still supported as before,
	for the user everything with them is as known, but
	the commandline option -f (--sigfile) have to be
	applied. Internally, however, inputs will be read in
	32k blockwise as well. Detached signatures are now
	z85 encoded always.

	Now you can also crypt+sign files with pcp1. Signatures
	of encrypted files are always binary appended as is,
	no offset designator. This leads to a couple of
	problems which need to be solved somehow in the
	future: recipient doesn't know whether to decrypt
	the file or to decrypt and verify it. Also it's unclear
	how to behave if decryption works but the signature
	doesn't verify. Currently pcp1 failes in this case,
	but leaves the decrypted result on disk. Hm...

	The default encryption mode with pcp (and pbp as of
	this writing) is ECB. Each 32k block is encrypted
	independently. While ECB is generally a bad choice,
	the 32k blocksize compensates for it. However, just
	to have to option, if we decide to use CBC instead,
	I already implemented it. It must be enabled at
	compile time with ./configure --enable-cbc. CBC mode
	in PCP uses a blocksize of 1k.

	Added PBP public key import and export compatibility
	(untested against pbp yet), use -b when exporting a
	public key, or when importing one.

0.1.5   Fixed a segmentation fault when using pcp1 -t on a
	public key. I added a double free() there by purpose
	to test segfault catching I added in unittest.pl
	and forgot to remove it. The good news is, that
	I found the double free() immediately thanks to the
	segfault catching of unittest.pl :)

	Fixed use of unencrypted secret keys, added proper
	unittests for this case. Note: a secret key will
	be stored unencrypted if the user doesn't enter
	a password when asked. In addition to the fix I
	added a question if the user is sure about what
	he does.

	Moved config.h to include/pcp/ so it will be
	installed as well. Removed the conditional include
	of config.h in platform.h, that was stupid.

	Added generation of a pkg-config configuration
	in libpcp/libpcp1.pc.in.

	Added -O support to -k. So now you can generate
	a new secret key and export it directly into a
	file. In this case the key will not be stored to
	the vault.

	The -t option now accepts an inputfile (-I) and
	determines what kind of file that might be and
	if it finds out, prints some info about it to
	stdout. Useful if you've got a z85 encoded file
	without headers and comments and don't know what
	it is.

	Moved all uthash (key lists) related code into
	keyhash.c, so nowhere will be used any HASH*
	macros directly.

	Fixed various malloc/free errors. Found them on
	the gcc compilefarm, thanks to the gcc guys
	providing access to it.

	Fixed alternate arc4random*() implementation in
	platform.h, now we just use the random functions
	of libsodium if they're not available.

	Added C++ language binding (bindings/cpp/), look
	at tests/cpptest.cpp for usage examples.

	Fixed problem under big-endian platforms where
	encryption didn't work due a missing sodium_init()
	call. Thanks to Frank Denis. See
	https://github.com/jedisct1/libsodium/issues/100

0.1.4   Changed key format (again), now the main secret
	is the ED25519 secret key, which will be encrypted.
	Everything else will be derived from that. Thanks
	to S.Neives and "CodesInChaos" from the libsodium
	mailinglist for clarifying it and helping me to
	understand it.

0.1.3   Added signature support using ED25519.

	Key format has changed it now contains the ed25519
	public key part as well, required for signing. Key
	version is now 0x2 and vault version 0x2. There's
	no backwards compatibility, since this is still beta.

	Re-organized header files.

	Added support for self encryption using the users
	own key pair for encryption and decryption.

	Backport of issue https://github.com/zeromq/zeromq4-x/issues/29

	Fixed key export, now uses big endianess as well.

	Updated POD documentation.

	Fixed a couple of minor bugs which lead to crashes.

	Options -r and -R exchanged: -R = remove key, -r =
	recipient.

	Added support for derived keys (using -r).

	Added more precautions when writing to the vault,
	we now always use a tmp vault for writing and if that
	works, we copy it back. In case something fails on
	the way, the tmp file will be retained or the original
	vault will not be altered.

0.1.2   Fixed bug in pcp_derivekey() which derives encryption
	keys. it generated collisions due coding error, e.g.
	passphase 'a' resulted in the same encryptionkey as
	passphase 'r'. Now uses SHA256 witout the xor stuff,
	which was the cause for the bug. This also fixes a
	segmentation fault which occured invariably by entering
	an invalid passphrase.

	Added support for derived public keys using the -R
	option, which allows two peers to encrypt messages
	without the need to reveal their primary public keys.
	That way each peer will have another public key of
	the same source.

	Added more unit tests to reflect the above changes.

0.1.1   Changed output format of encrypted keys. now we
        encode it properly with the Z85 encoding and add
        a header and footer to it:

         -----BEGN CURVE25519 SECRET KEY-----
         0q<1MspXp=x>mBZsUJF:2#)o*!.nTKR8SK}0IfuMBmC1a&*?)JD4%$%I5<J2jj%m/k&$?lck
         EIKTfhPnSR8Vvcu9i7Znf/v+ZvU<}K#v@+t#5]i{9FGgJT$Lu*i+<-we&P9+)6LjN=NW(PLYt
         EU]wBzf{UrCgBNSHcGBT
         -----END CURVE25519 SECRET KEY-----

0.0.1   Initial version