Revision history for Authen-SCRAM

0.011     2018-06-23 22:32:32-04:00 America/New_York

    [Fixed]

    - Fixed circular reference in nonce generator closure

0.010     2018-06-13 09:47:13-04:00 America/New_York

    [Changed]

    - Removed String::Compare::ConstantTime as a dependency. This
      is a temporary measure until warnings on older Perls are
      addressed and released.

0.009     2018-03-26 15:33:59-04:00 America/New_York

    [Fixed]

    - Fixed tests for older Perls

0.008     2018-03-26 14:43:49-04:00 America/New_York

    [Fixed]

    - Correctly handles wide characters in usernames without mojibaking the
      auth signature. Previously undetected in roundtrip tests as the
      error was symmetric between client and server. Cross-checked via a
      test conversation generated from http://github.com/xdg/scram.

0.007     2018-01-28 00:00:56-05:00 America/New_York

    [Added]

    - Public 'computed_keys' method on the client object to get
      stored/server keys that a server needs to keep to authenticate a
      user.

    [Changed]

    - Added 'minimum_iteration_count' on clients, defaulting to 4096, to
      mitigate downgrade attacks.

    [Tests]

    - Added a SCRAM-SHA-256 test.

0.006     2017-11-22 10:45:58-05:00 America/New_York

    [Added]

    - Expensive digested password computation is cached in clients and
      reused for future authentication where salt and iteration count
      is the same.

    [Fixed]

    - Applies "stored strings" normalization when doing SASLprep,
      as required by https://tools.ietf.org/html/rfc5802#section-2.2

0.005     2014-10-15 17:30:07-04:00 America/New_York

    [Fixed]

    - Prevent test failures due to warnings in other modules
      (which we can't control)

0.004     2014-10-14 11:45:09-04:00 America/New_York

    [Fixed]

    - Fixed warnings from length() on Perls before 5.12

    [Prereqs]

    - Bumped Moo prereq to 1.001000 for non-ref default value support

0.003     2014-10-07 22:05:31-04:00 America/New_York

    [Added]

    - Added 'skip_saslprep' attribute, in case applications insist on
      deviating from RFC 5802 in this regard

0.002     2014-10-06 12:09:01-04:00 America/New_York

    [Fixed]

    - Fixed handling of character encodings for non-ASCII characters in
      usernames and passwords

    [Documented]

    - Clarified that all inputs/outputs are expected to be character
      strings and that users are responsible for UTF-8 encoding/decoding
      during transmission and reception

0.001     2014-10-04 13:25:37-04:00 America/New_York

    - First release