1.2.5

Changes since 1.2.4:

• Update dukpt-tool to use GPLv3 license instead of LGPLv2
• Use unsigned literals for bit shift operations to prevent overflow
• Fix integer oddness checks for dukpt-ui
• Prefer C++ headers, functions and types for dukpt-ui
• Allow trailing whitespace in hex input values for dukpt-tool
• Use gmtime_r() when available
• Update to tr31-0.6.5
• Build improvements:
  • Add Github Actions workflows for CodeQL analysis
  • Add build option DUKPT_ENABLE_SANITIZERS for compiler sanitizers (-fsanitize)
  • Add build option DUKPT_ENABLE_HARDENING for runtime security hardening (-fstack-protector-strong, _FORTIFY_SOURCE=2)
  • Use parallel builds for Github Actions
  • Remove builds for Fedora 41 and add builds for Fedora 43
• Update to latest OpenEMV common crypto submodule:
  • Clear AES KCV ciphertext on error
  • Let FetchMbedTLS.cmake use MbedTLS 3.6.5 LTS
  • Update MbedTLS patch to remove unused 3rd party components
• Update to latest OpenEMV pinblock submodule:
  • Cleanse all 12 bytes of the PIN buffer when decoding fails
  • Improve PIN block format 3 encoding
  • Validate PIN digits before encoding and randomise PIN block on error
  • Validate PAN digits before encoding
  • Improve testing
  • Refactor PAN field encoding for PIN block format 4
  • Validate pinblock_get_format() parameters
  • Improve nonce validation for PIN block format 1
  • Use crypto_memcmp_s() instead of memcmp()
• Update to latest libargp:
  • Fix C99 format specifiers when using MinGW
  • Add -Wall option for both Clang and AppleClang
  • Ensure that POSIX make is available
  • Reduce unnecessary reconfiguration of autotools

This is a maintenance and hardening release that includes various parsing, validation and arithmetic improvements.

Note

See README for installation instructions. MacOS users that already use Homebrew should favour using that to install this project using brew install openemv/tap/dukpt instead of using the provided .dmg installer due to the lack of notarization.

Ubuntu release builds are provided as .deb files inside .zip files because Github mangles the file names.

This release is signed with key 4096R/27195F153817DAF955B0CF9FCA0466CD90C50572.

1.2.4

Changes since 1.2.3:

• Update to latest OpenEMV common crypto submodule:
  • Only build tests for crypto libraries that are relevant for this project
  • Support MbedTLS 3.6.4 LTS for self-contained builds
  • Fix memory leak for random number generation using MbedTLS
• Use Qt's MinGW toolchain to build Windows releases. See 761f90d for details.
• Update to tr31-0.6.4

The main reason for this release, and the reason to upgrade from a previous 1.2.x version, is because it fixes a memory leak when using MbedTLS. Currently all release builds use MbedTLS.

NOTE: See README for installation instructions. MacOS users that already use Homebrew should favour using that to install this project using brew install openemv/tap/dukpt instead of using the provided .dmg installer due to the lack of notarization.

1.2.3

Changes since 1.2.2:

• Update to latest OpenEMV common crypto submodule:
  • Support MbedTLS 3.6.2 LTS for self-contained builds
  • Patch downloaded MbedTLS for newer CMake versions
• Let dukpt-tool set binary mode for stdin and stdout on Windows
• Use a docker image for Ubuntu 20.04 release builds because Github deprecated the Ubuntu 20.04 runner
• Remove builds for Fedora 40 and add builds for Fedora 42

NOTE: See README for installation instructions. MacOS users that already use Homebrew should favour using that to install this project using brew install openemv/tap/dukpt instead of using the provided .dmg installer due to the lack of notarization.

1.2.2

Changes since 1.2.1:

• Various CMake improvements
• Minor code cleanups for dukpt-ui
• Minor improvement to cmdline option parsing for dukpt-tool
• Update to latest OpenEMV common crypto submodule:
  • Support MbedTLS 3.6.1 LTS for self-contained builds
  • Update MbedTLS download for CMake policy CMP0169
  • Improve memory cleansing
• Use MacOS 13 for release builds
• Fix code signing and packaging for MacOS release builds
• Remove builds for Fedora 39 and add builds for Fedora 41

NOTE: See README for installation instructions. MacOS users that already use Homebrew should favour using that to install this project instead of using the provided .dmg installer due to the lack of notarization.

1.2.1

Changes since 1.2.0:

• Remove 32-bit builds from Windows workflow. MSYS2 has deprecated many 32-bit packages.
• Add Clang builds for Windows workflow
• Update to latest OpenEMV common crypto submodule to support MbedTLS 3.6.0 LTS for self-contained builds
• Add Ubuntu 24.04 builds
• Remove builds for Fedora 37 and Fedora 38 because they are EOL
• Add builds for Fedora 40
• Update MacOS builds to use MacOS 13 and MacOS 14. Note that Github's MacOS 14 runners are arm64, not x86_64.
• Minor Clang and CMake improvements

This is a maintenance release that is mostly aimed at Ubuntu 24.04 and Fedora 40.

NOTE: See README for installation instructions. MacOS users that already use Homebrew should favour using that to install this project instead of using the provided .dmg installer due to the lack of notarization.

1.2.0

Changes since 1.1.1:

• Remove Fedora 36 builds and add Fedora 39 debug and release builds
• Remove MacOS 11 test builds, add MacOS 13 test builds, and use MacOS 12 for release builds
• Update to tr31-0.6.0
• Support CMAC generation and verification for TDES DUKPT (see 9a5d2d8 for details)
• Support for Qt6 (tested with Qt-6.5 and Qt-6.6). All release builds except for Windows will still use Qt5 though. And of course Qt5 remains supported.
• Update CMake package config COMPATIBILITY attribute to match library SOVERSION
• Various fixes and improvements

NOTE: See README for installation instructions. MacOS users that already use Homebrew should favour using that to install this project instead of using the provided .dmg installer due to the lack of notarization.

1.1.2

Changes since 1.1.1:

• Remove Fedora 36 builds and add Fedora 39 debug and release builds
• Remove MacOS 11 test builds, add MacOS 13 test builds, and use MacOS 12 for release builds
• Update to tr31-0.6.0

This is a source-only maintenance release for platforms that don't have robust package version management, such as Homebrew, that require lockstep updates for dependent packages. It is likely that this release will be removed once the next release has been made.

1.1.1

Changes since 1.1.0:

• Reorder TR-31 optional blocks for dukpt-ui to match dukpt-tool and tr31-tool
• Update icon alignment and positioning for dukpt-ui and its packaging
• Allow dukpt-ui output links to open using a browser
• Misc Github Actions improvements for MacOS

NOTE: See README for installation instructions. MacOS users that already use Homebrew should favour using that to install this project instead of using the provided .dmg installer due to the lack of notarization.

1.1.0

Changes since 1.0.0:

• Implement transaction originating algorithms for TDES DUKPT and AES DUKPT
• Implement --dump-state option for dukpt-tool to dump the transaction originating algorithm's state for a specific KSN
• Update to tr31-0.5.1
  • Implement TR-31 optional block LB support for dukpt-tool and dukpt-ui
  • Implement TR-31 optional block TS support for dukpt-tool and dukpt-ui
  • Reorder TR-31 optional blocks for dukpt-tool to match tr31-tool (this has not yet been addressed in dukpt-ui)
• Various improvements to dukpt-tool and dukpt-ui
• Various CMake improvements
• Update to latest OpenEMV common crypto submodule to support MbedTLS 3.x and OpenSSL 3.x
• Update to latest libargp to fix build warnings on MacOS
• Add builds for Microsoft Universal C Runtime (UCRT) using MSYS2's UCRT64 environment to Github Actions workflows for Windows and use UCRT for the Windows release build

NOTE: See README for installation instructions. MacOS users that already use Homebrew should favour using that to install this project instead of using the provided .dmg installer due to the lack of notarization.

1.0.0

Changes since 0.2.5:

• New dukpt-ui application providing:
  • GUI interface (using Qt) for almost all DUKPT functionality, including key derivation, key export using TR-31, PIN encryption/decryption, data encryption/decryption and MAC generation (including AES DUKPT MAC modes)
  • Qt bundling for MacOS and Windows release packages
  • MacOS bundle creation and signing
• Update library soname to use only the major version number to better reflect the intended backward compatibility of these libraries in future
• Update Github actions for Fedora 38
• Various CMake and CTest improvements
• Improve hex parsing for dukpt-tool

NOTE: See README for installation instructions. MacOS users that already use Homebrew should favour using that to install this project instead of using the provided .dmg installer due to the lack of notarization.