Revision history for Authen-SCRAM

0.010     2018-06-13 09:47:13-04:00 America/New_York

    [Changed]

    - Removed String::Compare::ConstantTime as a dependency. This
      is a temporary measure until warnings on older Perls are
      addressed and released.

0.009     2018-03-26 15:33:59-04:00 America/New_York

    [Fixed]

    - Fixed tests for older Perls

0.008     2018-03-26 14:43:49-04:00 America/New_York

    [Fixed]

    - Correctly handles wide characters in usernames without mojibaking the
      auth signature.  Previously undetected in roundtrip tests as the
      error was symmetric between client and server.  Cross-checked via a
      test conversation generated from http://github.com/xdg/scram.

0.007     2018-01-28 00:00:56-05:00 America/New_York

    [Added]

    - Public 'computed_keys' method on the client object to get
      stored/server keys that a server needs to keep to authenticate a
      user.

    [Changed]

    - Added 'minimum_iteration_count' on clients, defaulting to 4096, to
      mitigate downgrade attacks.

    [Tests]

    - Added a SCRAM-SHA-256 test.

0.006     2017-11-22 10:45:58-05:00 America/New_York

    [Added]

    - Expensive digested password computation is cached in clients and
      reused for future authentication where salt and iteration count
      is the same.

    [Fixed]

    - Applies "stored strings" normalization when doing SASLprep,
      as required by https://tools.ietf.org/html/rfc5802#section-2.2

0.005     2014-10-15 17:30:07-04:00 America/New_York

    [Fixed]

    - Prevent test failures due to warnings in other modules
      (which we can't control)

0.004     2014-10-14 11:45:09-04:00 America/New_York

    [Fixed]

    - Fixed warnings from length() on Perls before 5.12

    [Prereqs]

    - Bumped Moo prereq to 1.001000 for non-ref default value support

0.003     2014-10-07 22:05:31-04:00 America/New_York

    [Added]

    - Added 'skip_saslprep' attribute, in case applications insist on
      deviating from RFC 5802 in this regard

0.002     2014-10-06 12:09:01-04:00 America/New_York

    [Fixed]

    - Fixed handling of character encodings for non-ASCII characters in
      usernames and passwords

    [Documented]

    - Clarified that all inputs/outputs are expected to be character
      strings and that users are responsible for UTF-8 encoding/decoding
      during transmission and reception

0.001     2014-10-04 13:25:37-04:00 America/New_York

    - First release