1# zxid/Changes
2# $Id: Changes,v 1.39 2010-01-08 02:10:09 sampo Exp $
3# Change log, minor credits, release history, and To do list (TODO)
4
5Usual suspects: zxid.user@lists.unh.edu
6
7mini_httpd: server does not support RFC 5746, see CVE-2009-3555
8
9To Do: User+Passwd --> Authorization Required
10
11To do:
12    - Wishlist of built-in attributes
13      1. HTTP method (GET, POST, HEAD, etc.)
14      2. Full URL including the hostname part (currently only local URL is passed)
15      3. Indication of which virtual server
16      4. If SOAP, the name of the first direct child element of the SOAP Body
17      5. Any SOAP Action header, from SOAP message or from HTTP header.
18    - (Local) logout should either return to referer, or to configurable page
19    - Depend logging in validate, az response, emit logging in decorate, azreq
20    - Static linking, dynamic linking libzxid
21    - IdP initiated SLO
22    - IdP should include URL for correcting information
23    - Add persona support to IdP
24    - Add attribute editor support to IdP
25
26    - Support Danish profiles: http://digitaliser.dk/resource/516724
27    - Support http://saml2int.org/ (interoperability profile and club)
28
29    - Rule names by URN or URL to be logged to ab
30    - mod_auth_saml_ws module
31    - Using Apache frontend todo TAS3 for java apps
32    - PDS with DITA (OASIS)
33    - Partial XML parsing: stop after header
34      - Header removal / unwrapping vs. header extraction, but still passing through
35    - Pentaho investigation, use dwh as the backing store of the PDS
36    - The FEDUSERNAME attribute should include both succinct EntityID
37      and the persistent pseudonym. Also, make mail interface for this
38      to work (run a script that fishes the stuff out).
39
40To do from EIC 2012:
41    - Scopes in AuthnRequests
42    - SAML2INT.org profiles, including branding icons
43    - http://openidtest.uninett.no/connect-provider
44    - http://tinyurl.com/umav1
45    - osis.idcommons.net
46    - Chat April 25: http://tinyurl.com/umachat
47
48Regarding mod_perl stability: I would assume most of that has to do
49with the underlying memory allocator. All allocation activity in zxid code
50goes through zx_alloc() (in zxlib.c:55). I should fix zx_alloc() to use it.
51Anyway, all this is in place to ensure that you could replace malloc()
52with an alternative allocator, such as the Apache pool allocator.
53
54In playing with allocators, an important caveat: OpenSSL has a similar
55vectorable allocator. You should use the same allocator for OpenSSL and
56ZXID (and perl). libcurl documentation is not entirely clear regarding
57its allocator usage, but I assume it uses malloc() so that would be
58yet another worry.
59
60https://idp.testshib.org/idp/shibboleth
61
62Google Apps Integration
63http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html
64Here are example docs for SimpleSAMLPHP, or Shibboleth:
65* http://simplesamlphp.org/docs/1.5/simplesamlphp-googleapps
66* https://shibboleth.usc.edu/docs/google-apps/
67
68    - SP attr token: special attribute at IdP. The token is issued by the SP to
69      pass in reliable way attributes to SP. Signed to tie to pseudonym.
70    - Use SAML2 a7n as "sticky policy" envelope, standardizing some attribute names to convey metadata such as acceptable use or purpose, obligations, right-of-access-correction-and-deletion-URL, and the authoritative source.
71    - zxcot should have idpdimd listing mode
72    - zxpasswd should have user federation listing mode
73    - zxid_pw_authn() should not report scary error when checking .ykspent in not spent case
74    - zxid_select_tgt() (?)
75    - X509 attr certs (some code is in place, but does not work correctly)
76    - Use post screen as confirmation screen, option for federation confirmation question
77    - Config option for redirection after SLO
78    - WSP_LOCALPDP_OBL_REQ processing
79    - WSC_LOCALPDP_OBL_ACCEPT processing
80    - IdP: Display Relay State in hopes of giving user more context
81    - IdP: Interpret the attribute request authn ctx query string approach and show
82      to the user what attributes were requested by the SP.
83    - IdP: If SP does not specify attribute list, display "SP did not request any
84      specific attributes. Only authentication and default attributes will be sent."
85    - AuthnReq QS option for SP to request that consent is explicitly sought
86    - AuthnReq QS option for SP to request that attribute list is not shown up front
87    - Consider removing zx_scan_pi_or_comment() from most tags, only leaving for top level.
88    - Show whether SP wants a persistent or transient, or some other type of Id for the user.
89    - Clarify signature validation error codes, e.g. <SignedInfo> canon fail vs. bad cert
90    - Instantiation of declared prefix that only appears in innards of the XML (e.g. xs)
91    - Merge Jeroen's mega patch
92    - Idea: authorization through interaction service, get it logged to audit trail as evidence
93    - Idea: discovery and consent questions up-front in the beginning of the business process
94    - Improve 2 factor authn: the pin should be a hashed password
95    - Paper scratch list based OTP
96    - Coordinates based authn (challenge response)
97    - Changing QR code based OTP
98    - AuthnCtx comparison or matching
99    - Proxy IdP AuthnCtx, RequesterID mapping
100    - Config option to turn off audience restriction
101    - U-Prove (https://connect.microsoft.com/site1188  /t/U-Prove_CTP_R2_Whitepaper.pdf) support
102    - Idemix support http://www.zurich.ibm.com/security/idemix/
103    - AuthnSvc (AS) should check caller credential, in addition to the login credential, see comment on AS_ENA in zxidconf.h
104    - Add support for multiple $ separated button_url's, see zxidmeta.c:zxid_org_desc()
105    - IdP CDC registration support: in IdP login screen, display 1x1.gif from the CDC domain
106    - Per SP User Data Key (udk) support (generated by IdP on per SP basis, distinct from
107      pseudonym, and used by SP to encrypt and decrypt the SP local data about user. SP pledges
108      by policy to not store the udk anywhere locally. Thus SP will be able to handle
109      udk only when it has received it during session from the IdP (or discovery?) (solve
110      problem of it being kept in audit trail, such as in logged signed message)
111    - Slow mode: pause for 2 seconds on every web service call and offer user
112      opportunity to interact
113    - Delegation to job coaches
114    - Distressed authentication, persona selection at authentication by using prefix (pin)
115    - Support BrowserID https://developer.mozilla.org/en-US/docs/persona
116    - BUG: Passing qs args in RelayState
117    - BANGBANG_PAT to enable bang bang expansion of outputs, even in mini_httpd_zxid
118    - Expected namespaces feature for effective suppression of warnings about payload namespaces
119    - mod_auth_saml: Apache 2.4 does not recognize authentication as having happened
120    - l0 causes pr_ix == 0 error at zxidpsso.c:196, at least on Marcin's machine
121    - Upgrade zxid_psobj_enc() and zxid_psobj_dec() to AES256GCM
122
123No authentication done but request not allowed without authentication for Authentication not configured?
124
125zxid-1.42:: 27.2.2016
126    - Ran through full test suite
127    - Made signature and hash algorithms more configurable
128
129zxid-1.41:: 18.12.2015
130    - applied patch from soconnor, perceptyx, including detection of
131      signature algorithm from certificate. --Sampo
132
133zxid-1.40:: 8.6.2015
134    - Fixed bug relating to unset HTTP Action header (manifested as segv inside libcurl)
135
136zxid-1.39:: 1.6.2015
137    - Upgrade cipher suites to aes-256-gcm and RSA-OAEP
138    - Added PIN+Yubikey two factor authentication
139    - Added mobile pairing authentication
140
141zxid-1.38:: 11.4.2015
142    - Added UNIX_GRP_AZ_MAP
143    - Added special case handling of protocol urls based on BURL
144
145zxid-1.30:: 19.2.2015
146    - UMA and OAUTH work
147    - Fixed Action header detection in the non-XML body case
148    - NOT RELEASED YET
149
150zxid-1.22:: 9.10.2014
151    - Added to Local PDP multivalued role attribute matching
152
153zxid-1.21:: 27.5.2014
154    - Changed "http://www.w3.org/2005/03/addressing/role/anonymous" to "http://www.w3.org/2005/08/addressing/anonymous" to be better WSA spec compliant. Seems Liberty SOAP binding has an error in this.
155    - Omitted ReplyTo SOAP header whose value is anonymous
156    - Added OPTIONAL_LOGIN_PAT feature
157    - Added redirafter feature for local IdP logins (e.g. zxidatsel.pl)
158    - Added partial mime multipart support
159    - Added to zxid_httpd Range support (for download resume)
160    - Improved nth processing in zxid_find_epr()
161    - Added feature to stop parsing after end of first top level tag has been seen.
162
163zxid-1.20:: 11.12.2013
164    - Fixed segv on bad decrypt and improved error messages
165    - Fixed ordering of Header and Body in zxid_call() with inputs already containing elements
166    - Added WSC_ACTION_HDR option to control the SOAP header <a:Action>
167    - Added SOAP_ACTION_HDR option to control the HTTP header SOAPAction
168
169zxid-1.19:: 8.12.2013
170    - Fixed setting ses and ptm cookies in mod_auth_saml redirect and internal content cases
171    - Added OPT_INCLUDE and INCLUDE features to config file parsing
172    - Added and documented REM, ECHO, INFO, WARN, and DIE config options
173    - Support config file [SECTION] headers (introduced by opening square bracket) as comments
174    - Added support for PRAGMA config option
175    - Cleaned up so valgrind does not complain
176    - Fixed XML parser boundary condition with read 1 past end (found by valgrind)
177    - Changed URL to BURL (Base URL)
178    - Fixed setting Action header in the case that SOAP Body does not begin with tag
179    - Added EPR ranking in discovery
180
181zxid-1.18:: 20.11.2013
182    - More bug fixing in mini_httpd_zxid
183    - Generalized redir_to_content and moved it to zxid_simple()
184    - Moved defaultqs feature to zxid_simple()
185    - Added %d expansion for VURL
186    - Port mini_httpd to mingw
187    - Refactored mini_httpd to zxid_httpd
188
189zxid-1.17:: 16.11.2013
190    - More bug fixing in mini_httpd_zxid
191
192zxid-1.16:: 11.11.2013
193    - Remodelled the Makefile
194    - Tested TARGET=xmingw64 builds
195    - Fixed some SOAP header ordering bugs
196    - Fixed handling of NULL returns in Net::SAML module
197    - Fixed serious bugs in mini_httpd_zxid
198
199zxid-1.15:: 26.10.2013
200    - Added wsp_pat option
201    - Added mini_httpd_zxid (derived from original by Jeff Poskanzer, see acme.com)
202    - Improved error reporting of the credential (assertion) expired situation
203
204zxid-1.13:: 14.3.2013
205    - Added language/skin dependent templates
206
207zxid-1.12:: 21.11.2012
208    - Added sketchy kqueue support based on FreeBSD man page, but did not test
209    - Fixed compile errors and warnings on MacOS per Michael Dondrup at uni.no
210    - Added better obligations support
211
212zxid-1.11:: 30.9.2012
213    - Added audit bus infrastructure (not yet universally propagated)
214    - Added simplistic yubikey 2 factor authentication (pin+yubikey)
215    - Fixed templ query string arg, enabling tabbed UI to work
216    - Audit bus receipt confirmation signature bus-confirm: B64FORSIGNEDRECEIPT
217    - Added PTM support
218
219zxid-1.10:: 21.4.2012
220    - Added support for OAUTH2 / OpenID-Connect1 Minimal / Basic Profile (both RP and IdP) (the support is still very preliminary)
221    - Adapted SAML2 metadata to support OAUTH2, using Binding="urn:zxid:OAUTH:2.0:bindings:HTTP-Redirect" (OAUTH2-REDIR)
222    - Corrected the OrganizationURL to be absolute
223    - VPATH and VURL processing tweaks
224    - Improved error reporting in zxididp and zxidhlo
225    - Eliminate coordinates from the end of the branding login buttons
226    - Added use of ZXIDConf <init-param> (you define it in web.xml) to servlets
227    - Refactored virtual hosting code in zxidwspleaf.java and zxidwspdemo.java
228    - Added -r option to zxdecode for decoding encrypted messages from the audit trail
229    - Fixed buffer overrun by one in processing zxid_simple() POST
230    - Obsoleted PATH=/var/zxid/idp convention. From now on, just use /var/zxid/ or VPATH for IdP
231
232zxid-1.06:: 10.12.2011
233    - Merged improvements (CDC, sol8x86, free functions, mem leak fixes) by grubba@@grubba.org from git://github.com/grubba/zxid.git
234    - Added VURL for virtual hosting
235    - Added support for OrganizationURL as button_url for branding buttons (per symlabs-saml-displayname-2008.pdf submitted to OASIS SSTC)
236    - Deleted ORG_URL config option. Use BUTTON_URL instead.
237
238zxid-1.05:: 7.12.2011
239    - Added DEBUG and DEBUG_LOG options to manipulate debug level from config file
240
241zxid-1.04:: 5.12.2011
242    - Added VPATH for virtual hosting support, documented ZXID_CONF environment variable
243
244zxid-1.03:: 12.8.2011
245    - Fixed timestamp generation in pep call
246
247zxid-1.02:: 22.7.2011
248    - Fixed a file name folding bug that could lead to failure to discover a service
249    - Added curl_easy_reset() to zxid_http_post_raw(), reportedly fixing a segv
250
251zxid-1.01:: 21.6.2011
252    - Added to zxidhlo a possibility of giving CONF using -D at compile time
253    - Fixed long int argument to %d warnings (happened with x86_64 architecture build)
254    - Fixed null pointer check in zxid_extract_body()
255    - improved error reporting to show cwd in vopen_fd_from_path()
256    - Fixed mod_auth_saml to add to the cookies, not to replace them (replacement caused apps behind it to misbehave)
257
258zxid-1.0:: 31.5.2011
259    - Promoted to 1.0 status
260
261zxid-0.83:: 11.3.2011
262    - Fixed ordering of EPRs returned by zxid_get_epr() to always be the same as with zxid_find_epr().
263    - Made private key reading more robust by tolerating omission of RSA or DSA designation
264
265zxid-0.82:: 10.3.2011
266    - Added Proxy IdP support
267    - Fixed supplying Destination attribute in AuthnReq, restoring Shib compatibility
268    - Fixed artifact binding on SP
269    - Fixed XML crash due to malformed close tag
270    - Tinkered with order of SOAP headers to silence some warnings
271
272zxid-0.81:: 8.3.2011
273    - Eliminate empty valued and duplicate attributes from XACML requests
274    - Fixed return value of zxid_az() family to be null upon deny.
275
276zxid-0.80:: 2.3.2011
277    - Fixed out of memory in zxidwsc.c caused by malformed fault input.
278
279zxid-0.79:: 1.3.2011
280    - Enhanced zxidhlo to show attributes
281    - Added ability to comment out AAMAP directives
282    - Fixed timegm bug
283
284zxid-0.78:: 23.2.2011
285    - Fixed processing (by ignoring it) of whitespace in metadata (and elsewhere)
286    - Improved fault handling in zxid_call()
287    - Fixed segv caused by other side returning illegal XML in zxid_call()
288
289zxid-0.77:: 16.2.2011
290    - upgraded for php-5.3 support (patch from Jeroen Asselman)
291    - Improved -at handling in zxpasswd
292    - curl_easy_reset() patch from Jeroen Asselman (fixes crash on Win32)
293    - Applied zxid_saml2_map_nid_fmt() patch by Cal Heldenbrand
294    - Robustified error processing in cases where encryption certificate is missing
295    - Fixed NAMEID_ENC=0 missing a NameID element (TAS3 bug #493, found by Stijn)
296    - Fixed IdP crash due to null pointer in zx_alloc() (TAS3 bug #494, found by Stijn)
297
298zxid-0.76:: 26.1.2011
299    - Added error checks
300    - Fixed ordering of RelatesTo header
301    - Fixed leakage of unknown namespaces to decoder
302    - Made memory allocators really use function pointers
303
304zxid-0.75:: 24.1.2011
305    - MINGW fixes
306    - User supplied MessageID duplicate fix
307    - Fixed XML encoding of empty namespace prefixes
308    - Fixed Brian's ordering problem (risaris-bad.xml)
309
310zxid-0.74:: 22.1.2011
311    - Changed 0 to fileno(stdin) in calls to read_all_fd() for better Windows portability
312    - Included Axis2ZXIDModule.zip
313    - Added Trust PDP call to discovery
314    - Added Credentials and Privacy Negotiation capability to discovery
315
316zxid-0.73:: 19.12.2010
317    - Added ssoa7n and tgta7n attributes (TAS3 feature req #484)
318    - Added optional sessionwide idpsesid attribute (TAS3 feature req #419)
319    - Added IDWSF SOAP headers to discovery and as responses
320    - Fixed a problem with copy_file(). This could cause lost audit trail when copy instead of deletion was chosen on platform that does not use links.
321    - Fixed element ordering in zxcot generated EPRs
322    - Added IdP side AAMAP capability to transform attributes, including a7n wrap
323    - Each credential as its own a7n
324    - Added <ns:foo/> close tag tail optimization to encoder, controlled by c->enc_tail_opt flag
325    - Added preliminary DSA support
326    - Crude and preliminary X509 attribute cert support
327    - Fixed excessive content-length in CGI output
328    - Fixed XML valued attributes (TAS3 bug #385)
329    - If generic XML content is seen as attribute value, it should be reserialized as safe_base64 so it can be returned to app layer as attribute (e.g. via LDIF).
330    - Added MessageID and RelatesTo headers to discovery queries.
331    - Test coverage 63%
332
333zxid-0.72:: 5.12.2010
334    - Major rewrite: Eliminated SO encoders entirely, enhancing WO encoder to do their job
335    - Sort unknown attributes wrt known attributes in enc
336
337zxid-0.71:: 22.11.2010
338    - Moved back to global elems hash, but with separate namespace hash
339    - Created elem descriptors that hang from elem hash buckets
340    - Optimized the decoders to be elem descriptor and function pointer driven
341    - Changed NEW constructors to macros
342
343zxid-0.70:: 13.11.2010
344    - zxdecode: assertion decode and decryption support
345    - zxdecode: sha1 validation without sig validation using -s -s
346    - Fix canonicalization of attribute names with namespace prefixes
347    - Fix detection of namespace of an XML attribute, see t/shib-a7n2.xml
348    - Some optimizations based on gcov and gprof
349    - Moved to per namespace elem hashes and namespace hash
350    - Fairly complete re-engineering/re-factoring of the generated enc/dec code
351    - Fix SO encoder
352    - Added more test cases
353
354zxid-0.69:: 20.10.2010
355    - Added DeployingZxidServlets.txt, ZxidSSOFilter.java, and ZxidServlet.java by Stijn Lievens
356    - Added missing file zxidjava/zxidtok.java
357
358zxid-0.68:: 18.10.2010
359    - zxpasswd hash problems fixed
360    - Pairwise session indexes (encrypt master index and SP entid with IdP sym key)
361    - Primitive support for passing identity token in XACML request
362
363zxid-0.67:: 13.10.2010
364    - Fixed buffer bugs introduced by removal of ZXID_MAX_USER limit
365
366zxid-0.66:: 12.10.2010
367    - zxpasswd: be tolerant of newline in input
368    - Add to IdP metadata the NameIDMapping end point
369    - Removed ZXID_MAX_USER limit from .at files. Removed many other limits, too.
370    - Added zxid_epr_set_token() and other accessor functions
371    - Fixed Solaris support (unwarranted -o option to ar)
372
373zxid-0.65:: 10.10.2010
374    - zxididp: added ID Mapper (to be used by Delegation Service)
375    - zxididp: added some aspects of People Service (to be used by Delegation Service)
376    - zxididp: added SSOS
377    - Added zxid_map_identity_token()
378    - Added zxid_set_delegated_discovery_epr()
379    - Added psobj encryption for privacy preservation of people referenced by ObjectIDs
380    - Added zxid_attach_sol1_usage_directive()
381    - Added WSC_LOCALPDP_OBL_PLEDGE config option
382    - Added WSP_LOCALPDP_OBL_REQ config option
383    - Added WSP_LOCALPDP_OBL_EMIT config option
384    - Added WSC_LOCALPDP_OBL_ACCEPT config option
385    - Shortened the before and after slops from 1 day to about 2 hours
386    - Improved zxid_get_fault_status() by adding a first level status code
387    - Added -at option to zxpasswd
388    - Fixed zxpasswd -l directory listing
389    - zxid_simple():: Added handler for resolving invitation
390    - Templatized idp selection
391    - Templatized POST screen
392    - WIN32CL (MSVC CL compiler) port can now create zxidjni.dll, callable from Java on Windows
393    - Fixed truncated log bug (premature nul termination) in zxlog.
394    - Added CANON_INOPT=1 option to ignore InclusiveNamespaces/@PrefixList as needed to work around Shib 2.1.5 IdP bug
395    - Added patch by Eric Rybinski for XML ENC padding problem reported by Sampo as OpenSSL bug 1067 back in 2005.
396    - Changed treatment of InclusiveNamespaces PrefixList to be more tolerant of undefined prefixes
397    - Fixed mktime(3) timezone bug, found by Cal
398zxid-0.64:: 16.9.2010
399    - Improved WIN32CL (MSVC CL compiler) port
400    - Added extern "C" markers to headers to force C calling convention even in C++, promoting binary compatibility of libraries
401    - zxcall: added sso only mode
402    - zxcall: added discovery only mode and iteration option
403    - zxcall: added EPR cache and session listing mode -s SID -l
404    - Added Unix crypt hash to zxpasswd and zxid_pw_authn()
405    - Added zxid_get_fault_status() method
406    - Renamed struct zx_e_Fault_s to zxid_fault (for cleaner Java Class generation)
407    - Added mockpdp.pl
408    - Improved (fixed?) compatibility with SiteMinder version is R12 SP1 CR3 based on CRNL canonicalization analysis by Steve Kinzler
409zxid-0.63:: 29.7.2010
410    - Added mandatory attribute contactType to Contact element in metadata
411    - Supply AuthnInstant
412    - Removed sed(1) dependency
413    - Improved win32cl target
414    - Added SubjectConfirmation
415    - Added possibility of using nested EncryptedKey (Shib 2010) instead of RetrievalMethod
416    - Added Recipient hint in sibling EncryptedKey case. This is sufficient to get Shib 2010 working.
417    - Added SubjectConfirmationData fields to support bearer subject confirmation method
418    - Added RelayState field decoding to POST profile
419    - Added double quote detection inside RelayState value
420    - Store authentication instant in session and use it in zxid_mk_an_stmt()
421    - Reworked/created az_base() family of functions to incorporate ideas from patch by Stijn Lievens
422    - Make nested EncryptedKey a config option
423    - Added support for fedusername and urn:oid:1.3.6.1.4.1.5923.1.1.1.6 (aka eduPersonPrincipalName)
424    - Tweaked the az requests to separate ses az from resource az (TAS3 bug #381)
425zxid-0.62:: 1.7.2010
426    - Fix IdP authentication template (runaway HTML comment)
427zxid-0.61:: 25.6.2010
428    - Fixed a crash in case NOSIG_FATAL and indeed no sig
429zxid-0.60:: 23.6.2010
430    - TAS3 package version number synchronization
431zxid-0.59:: 22.6.2010
432    - Added zxcot -m to generate our own metadata (previously only available using WKL method)
433    - Fixed segv on signature validation when wsc_meta is missing, but NOSIG_FATAL=0
434    - Improved zxidcot.pl with metadata and registration listings
435    - Tightened cgi parsing to check lengths of options (avoids false detection)
436    - Add Az calls to zxid_wsp_validate() and zxid_wsp_decorate()
437zxid-0.58:: 25.5.2010
438    - Make add-envelope processing more tolerant of different namespaces
439    - Added SOAP fault and tas3:Status
440    - Improved XML parse error formatting
441    - Fixed seg fault in zxid_wsc_prepare() in case the EPR lacks Metadata
442    - Do proper signature validation in zxid_wsp_validate() and zxid_wsc_validate_resp_env()
443    - Do proper timestamp check in zxid_wsp_validate() and zxid_wsc_validate_resp_env()
444    - Added RelatesTo correlation check in zxid_wsc_validate_resp_env()
445    - Added concept of current fault and current tas3 status
446    - Added accessor functions for faults and tas3 status
447    - Added local PDP call to all 4 web service call control points
448    - Added remote PDP call to all 4 web service call control points
449zxid-0.57:: 18.5.2010
450    - Introduced .jar and .war as std binary distribution items
451    - Check for empty PDP_URL and disable Az in that case
452    - Added to session localpath, tgtpath, sespath so that application layer can use ZXID storage for its own purposes.
453    - Fixed SSO failure case
454    - Added to session sigres and ssores.
455    - Added SP local attribute authority, see zxid_ses_to_pool()
456    - Added local EPR feature to SP local attribute authority, i.e. upon SSO local EPRs get copied to the new session's EPR cache (see zxid_copy_user_eprs_to_ses())
457zxid-0.56:: 14.5.2010
458    - Re-tested Windows compile
459zxid-0.55:: 26.4.2010
460    - Fixes in zxididp code
461zxid-0.54:: 22.4.2010
462    - Add ability to absorb multiple EntityDescriptor elements from EntitiesDescriptor, as often happens in Shibboleth federations
463    - Fixed an infinite loop in zxcot -n -a
464    - Removed from zxid.h unused functions zxid_idp_soap_dispatch(), zxid_idp_soap_parse(), zxid_sha1_file(). Reported by Eric Rybski
465zxid-0.53:: 23.3.2010
466    - Fixed case where last item (null return) of cached multi discovery would trigger yet another discovery
467    - Added logging of the issued discovery messages
468    - Feature improvements to zxidappdemo.java
469    - Added ENA_PG and coverage targets to the Makefile (current coverage 47%)
470    - Process session in validate
471    - Added more Shibboleth metadata extensions. I claim Shibboleth metadata parses w/o warnings.
472    - Added SAML idp-discovery extension to metadata
473    - Changed templating system for IdP an page (other pages may be changed later to use the same)
474    - Added zxidnewuser.pl and other IdP management web GUI scripts
475    - Added zxid_wsc_prepare_call() and zxid_wsc_valid_resp() APIs, see zxidwscprepdemo.java for usage
476zxid-0.52:: 15.2.2010
477    - Log session create and destroy
478    - Relax error checking in SLO: missing NameID ok if sesix supplied
479    - Better session populate in zxid_wsp_validate()
480    - Fixed virtual host (URL autodetect) code in zxidwspdemo.java
481zxid-0.51:: 15.2.2010
482    - LOAD_COT_CACHE=file feature. The cache is concatenation of the metadata of CoT
483    - Change zxid_az() to return string containing XACML obligations
484    - Eliminate UI clutter: show_tech config flag with default off
485    - Thread safety: cf->ipport, key loading, cf->curl, cf->cot
486    - Thread safety: decoding contexts
487zxid-0.50:: 9.2.2010
488    - Fixed missing prefix in case of unknown tag/namespace
489    - Fixed ordering of unknown tags
490    - Added beginnings of a test suite, see zxtest.pl
491    - Added WSP tool: zxidwspcgi
492zxid-0.49:: 1.2.2010
493    - Added AuthnSvc client and zxcall tool, which allows shellscript wsc
494    - The zxcall tool also allows shell script az
495    - Removed arbitrary 64KB limits from metadata, SOAP, and EPR processing. Now dynamically reallocated as needed.
496    - Added zxid_ses_to_{ldif|json|qs}() family of functions
497    - Added zxid_add_attr_to_ses() and zxid_add_qs_to_ses()
498zxid-0.48:: 18.1.2010
499    - Fixed reversed WO rendering of parsed unknown elements
500    - Definitive path sanity fix for zxcot -bs
501    - Fixed ses check in case of no ses in zxid_cache_epr()
502    - Fixed iterations other than n==1 in zxid_get_epr()
503    - Added in zxiddi ability to compare ProviderID to EPR Address
504zxid-0.47:: 14.1.2010
505    - Refactored zxcot to support -bs
506    - Fixed recursive bootstrap infinite recursion and defined policy re recursive bootstrap level
507zxid-0.46:: 13.1.2010
508    - Moved project under git at zxidrepo, still learning.
509    - Fixed nameid memory allocation problem
510    - Added missing Java files to manifest
511zxid-0.45:: 7.1.2010
512    - Fixed error handling when unable to decrypt an assertion
513    - Fixed mod_auth_saml redirect_to_content when no relay state
514    - Do proper signing in zxid_wsf_call() and zxid_wsp_decorate()
515zxid-0.44:: 16.12.2009
516    - Fixed transient always on bug
517    - Fixed memory free bug in case where defederation is not supported
518zxid-0.43:: 29.11.2009
519    - Fix PHP support for zxid_wsp_validate() and zxid_wsp_decorate()
520    - Renamed hexdec to zx_hexdec to avoid risking conflicts
521zxid-0.42:: 22.11.2009
522    - Added service file name computator: zxcot -n -b <epr.xml
523    - Expose assertion path
524    - zxid_call() reengineering
525    - Added support for urn:mace:shibboleth:metadata:1.0
526    - Added support for TAS3 Credentials and Simple Obligations Language (SOL)
527    - Added zxid_wsp_validate() and zxid_wsp_decorate()
528    - zxidhrxmlwsc and zxidhrxmlwsp tested to work
529zxid-0.41:: 20.11.2009
530    - Yubikey support in zxiduser.c and zxpasswd
531    - config dump screen (o=d)
532    - OpenSSL_add_all_algorithms() fix from Stefan @ Koblenz
533    - di_Query support
534    - ID-WSF 2.0 AuthnSvc support
535    - Bootstrap support, improved
536    - SAML2 IdP support with attributes and bootstraps
537    - zxid-idp.pd documentation
538    - Added 403 Denied error response to SSO servlet (zxidsrvlet.java)
539    - Various bug fixes to zxididp and zxidjava
540    - First winbin release in long time (zxid-0.41-win32-bin.zip)
541zxid-0.40:: 14.11.2009
542    - Shib2 interop testing
543    - XACML cd1 support (sending policies in request)
544    - Populate both OID and FriendlyName variants of attributes from assertion
545    - Extensively tested java servlet configuration with zxidjni.az()
546    - Greatly improved zxid-java.pd documentation
547    - Fixed and tested mod_php configuration with zxid_az()
548    - Fixed and tested mod_perl configuration with Net::SAML::az()
549    - Retested mod_auth_saml
550zxid-0.39:: 5.11.2009
551    - Added zxidsrvlet and zxidappdemo
552zxid-0.38:: 16.10.2009
553    - Added better integrated zxidsrvlet
554zxid-0.36:: 14.10.2009
555    - Added building war files (from Brian Reynolds <leitrim_94@yahoo.com>)
556    - Removed duplicate cn from Auto-Cert generated self signed certs and CSRs
557    - Fixed gcc 4.2 specific compile problem re cast as lvalue (thanks Brian)
558zxid-0.35:: 11.10.2009
559    - fixed Solaris compile problems
560zxid-0.34:: 17.9.2009
561    - Added TAS3 package targets for Java and PHP
562zxid-0.33:: 9.9.2009
563    - Removed Apache check from default make
564    - Continued refactoring README.zxid to separate documents
565    - Changed configuration file reading so that config file is (re)read
566      whenever PATH is supplied, but not if PATH is supplied in file itself.
567    - Added dummy PDP
568    - Added zxcot tool
569    - Fixed zxdecode tool and added html parsing support
570    - Added xml-pretty.pl tool
571    - Added Auto-Cert feature to generate self signed certificates on the fly
572    - Added optional HMAC chaining code to the log format (but not implementation)
573    - Added attribute broker and PEP features
574    - Fixed relay state handling in mod_auth_saml so you land on right protected content page
575    - Added support for zxid_simple() returning JSON or Query String in addition to traditional LDIF
576    - Added preliminary and incomplete CARML support (see Identity Governance Framework - IGF)
577    - Fixed innumerous bugs in mod_auth_saml
578    - Added setting REMOTE_USER to mod_auth_saml
zxid-0.32:: 25.3.2009
    - Fixed Java compile
zxid-0.31:: 15.11.2008
    - Fixed validation of signatures in redirect binding
    - Added logging of relied upon information in redirect binding
    - Fixed memory leak in SLO and MNI
    - Refactored dispatch functions so CGI and others use same code
    - Fixed redirect binding signature validation
zxid-0.30:: 28.9.2008
    - Fixed some type warnings
    - Fixed core dump in mod_auth_saml without query string
    - Fixed redirect hack to cope with the query string
zxid-0.29:: 24.9.2008
    - Fixed bug in redirect hack
    - Added ANON_OK
    - Added REQUIRED_AUTHNCTX
    - Added IDP_SEL_PAGE
    - Debugged and tested the mod_auth_saml Real World Example
zxid-0.28:: 18.9.2008
    - Fixed some Apache documentation issues
    - Added redirect hack to allow mapping imposed URLs to ZXID native URLs
zxid-0.27:: 17.9.2008
    - Added BSDmakefile hack, suggested by Slaven Rezic (slaven at rezic.de)
    - Added NON_STANDARD_ENTITYID option
    - Added precheck to quickly check main compilation and linking problems
zxid-0.26:: 9.5.2008
    - Fixed Auto-CoT bug due to form field name conflict
    - Added missing .java files to Manifest
zxid-0.25:: 17.4.2008
    - Added support for SAML POST-SimpleSign binding
    - Added preliminary draft support for Orange Personal APIs
    - Added default-cot - ship metadata for some IdPs
    - Updated documentation about joining OpenLiberty.org
zxid-0.24:: 22.2.2008
    - Added mod_auth_saml
    - Many fixes from testing against commercial products
zxid-0.23:: 12.10.2007
    - Support MNI to change NameID
    - Support EncryptedID on outbound traffic (MNI, SLO)
zxid-0.22:: 10.10.2007
    - Added log levels 1 and 2
    - Added @Destination handling
    - Ensured preservation of whitespace in XML parsing and exc-xml-canon
    - Fixed alphabetization of attributes in exc-xml-canon
    - Added signing ArtifactResolve, LogoutRequest, and ManageNameIDRequest over SOAP
    - Improved handling of empty ns prefix for XML attributes
    - Print source IP to logs
zxid-0.21:: 8.10.2007
    - Fixed missing Content-type header, reported by Damien Laniel <dlaniel@@entrouvert_com>
    - Segregated prototypes that use va_list to zxidnoswig.h to avoid problem on Redhat
    - Created cygwin target
    - Changed the USE_LOCK handling to allow dummy on cygwin
    - Fixed MGMT auto flag
    - Fixed handling of InclusiveNamespaces/@PrefixList
zxid-0.20:: 1.10.2007
    - EncryptedAssertion, EncryptedAttribute, and EncryptedID support
    - Fixed signing of redirect URLs
    - Fixed indigestion over processing instructions and comments
    - Fixed encoding of attribute namespaces
    - Added xs and xsi namespaces
    - Fixed lookup of attribute tokens without namespace (mismatching id symptom)
zxid-0.19:: 11.8.2007
    - fixed php support
    - bug and documentation fixes
zxid-0.18:: 17.7.2007
    - Added HR-XML WSC and WSP support
    - Much stabilization of ID-WSF code
zxid-0.17:: 6.3.2007
    - bug fixes
zxid-0.16:: 4.3.2007
    - Added ID-DAP support
    - Added ID-MM7 support
    - Added Contact Book support
    - Added Geo Location support
    - Added People Service support
    - Added ID Mapping support
    - Added Authentication Service support
    - Added DST and Subscriptions support
    - Added XACML2 support
    - Added WS-Trust 1.3 support
zxid-0.15:: 22.2.2007
    - JAVAC_FLAGS tweak to avoid insufficient heap from Sean Doyle
    - Fixed zxid_fed_mgmt_cf() unimplemented warning
    - Documented fix for __init_array_start linking problem
    - Annotated sources with call graph information, added call-anal.pl
zxid-0.14:: 21.2.2007
    - zxidhlo.java and Tomcat example perfected
zxid-0.13:: 20.2.2007
    - Java interface cleanup
    - Mac compile fixes
    - minor bug fixes
zxid-0.12:: 10.2.2007
    - WSF bootstrap handling
    - rework of session system
    - bug fixes
zxid-0.11:: 1.2.2007
    - MinGW DLL fixes
zxid-0.10:: 31.1.2007
    - MinGW DLL production works
zxid-0.9:: 26.1.2007
    - fixed compilation
    - preliminary Windows support using MinGW
zxid-0.8:: 1.12.2006
    - Improved signature checking
    - New logging infrastructure, document logging
    - Support config files, document the format
zxid-0.7:: 25.9.2006
    - WO encoding with namespace support
    - First cut of XMLDSIG validation (very early signing, too)
    - Fixes to PHP, mod_php, Perl, and mod_perl support
zxid-0.6:: 18.9.2006
    - PHP support, including mod_php
zxid-0.5:: 15.9.2006
    - Encoders and decoders for ID-WSF and ID-FF (various versions)
zxid-0.4:: 4.9.2006
    - mod_perl/Net::SAML SP
zxid-0.3:: Late Aug 2005
    - First fully functional release
zxid-0.2:: Aug 2005
    - SAML 2.0 encoders and decoders, metadata import works
zxid-0.1:: Aug 2005
    - Project founded.

# EOF
