Revision history for Authen-SCRAM

0.011     2018-06-23 22:32:32-04:00 America/New_York

    [Fixed]

    - Fixed circular reference in nonce generator closure

0.010     2018-06-13 09:47:13-04:00 America/New_York

    [Changed]

    - Removed String::Compare::ConstantTime as a dependency. This
      is a temporary measure until warnings on older Perls are
      addressed and released.

0.009     2018-03-26 15:33:59-04:00 America/New_York

    [Fixed]

    - Fixed tests for older Perls

0.008     2018-03-26 14:43:49-04:00 America/New_York

    [Fixed]

    - Correctly handles wide characters in usernames without mojibaking the
      auth signature.  Previously undetected in roundtrip tests as the
      error was symmetric between client and server.  Cross-checked via a
      test conversation generated from http://github.com/xdg/scram.

0.007     2018-01-28 00:00:56-05:00 America/New_York

    [Added]

    - Public 'computed_keys' method on the client object to get
      stored/server keys that a server needs to keep to authenticate a
      user.

    [Changed]

    - Added 'minimum_iteration_count' on clients, defaulting to 4096, to
      mitigate downgrade attacks.

    [Tests]

    - Added a SCRAM-SHA-256 test.

0.006     2017-11-22 10:45:58-05:00 America/New_York

    [Added]

    - Expensive digested password computation is cached in clients and
      reused for future authentication where salt and iteration count
      are the same.

    [Fixed]

    - Applies "stored strings" normalization when doing SASLprep,
      as required by https://tools.ietf.org/html/rfc5802#section-2.2

0.005     2014-10-15 17:30:07-04:00 America/New_York

    [Fixed]

    - Prevent test failures due to warnings in other modules
      (which we can't control)

0.004     2014-10-14 11:45:09-04:00 America/New_York

    [Fixed]

    - Fixed warnings from length() on Perls before 5.12

    [Prereqs]

    - Bumped Moo prereq to 1.001000 for non-ref default value support

0.003     2014-10-07 22:05:31-04:00 America/New_York

    [Added]

    - Added 'skip_saslprep' attribute, in case applications insist on
      deviating from RFC 5802 in this regard

0.002     2014-10-06 12:09:01-04:00 America/New_York

    [Fixed]

    - Fixed handling of character encodings for non-ASCII characters in
      usernames and passwords

    [Documented]

    - Clarified that all inputs/outputs are expected to be character
      strings and that users are responsible for UTF-8 encoding/decoding
      during transmission and reception

0.001     2014-10-04 13:25:37-04:00 America/New_York

    - First release