author: Daiki Ueno <ueno@gnu.org> 2022-01-17 16:48:10 +0100
committer: Daiki Ueno <ueno@gnu.org> 2022-01-18 06:44:22 +0100
commit: 68c744abfd4aad720a7ae93b31674ee7a267bad1 (patch)
tree: 3e500cad524709fb7a10dfd76e875dac0d43762c
parent: 34ae4f9074d6359c4360445dbe01c345d3237421 (diff)
download: gnutls-68c744abfd4aad720a7ae93b31674ee7a267bad1.tar.gz
Release 3.7.3
Signed-off-by: Daiki Ueno <ueno@gnu.org>
-rw-r--r--  NEWS                      64
-rw-r--r--  configure.ac               2
m---------  devel/abi-dump             0
-rw-r--r--  devel/libgnutls.abignore  56
-rw-r--r--  m4/hooks.m4                4
5 files changed, 56 insertions, 70 deletions
diff --git a/NEWS b/NEWS
index ae494e1e40..673d1c7e94 100644
--- a/NEWS
+++ b/NEWS
@@ -5,29 +5,69 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc.
Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
See the end for copying conditions.
-* Version 3.7.3 (unreleased)
+* Version 3.7.3 (released 2022-01-17)
** libgnutls: The allowlisting configuration mode has been added to the system-wide
settings. In this mode, all the algorithms are initially marked as insecure
or disabled, while the applications can re-enable them either through the
[overrides] section of the configuration file or the new API (#1172).
-** certtool: Certtool can now generate, manipulate, and evaluate x25519 and
- x448 public keys, private keys, and certificates.
+** The build infrastructure no longer depends on GNU AutoGen for generating
+ command-line option handling, template file parsing in certtool, and
+ documentation generation (#773, #774). This change also removes run-time or
+ bundled dependency on the libopts library, and requires Python 3.6 or later
+ to regenerate the distribution tarball.
-** libgnutls: disabling a hashing algorithm through "insecure-hash"
- configuration directive now also disables TLS ciphersuites that use it
- as a PRF algorithm.
+ Note that this brings in known backward incompatibility in command-line
+ tools, such as long options are now case sensitive, while previously they
+ were treated in a case insensitive manner: for example --RSA is no longer a
+ valid option of certtool. The existing scripts using GnuTLS tools may need
+ adjustment for this change.
** libgnutls: The tpm2-tss-engine compatible private blobs can be loaded and
- used as a gnutls_privkey_t. The code was originally written for the
- OpenConnect VPN project by David Woodhouse. To generate such blobs,
- use the tpm2tss-genkey tool from tpm2-tss-engine:
+ used as a gnutls_privkey_t (#594). The code was originally written for the
+ OpenConnect VPN project by David Woodhouse. To generate such blobs, use the
+ tpm2tss-genkey tool from tpm2-tss-engine:
https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
+ or the tpm2_encodeobject tool from unreleased tpm2-tools.
+
+** libgnutls: The library now transparently enables Linux KTLS
+ (kernel TLS) when the feature is compiled in with --enable-ktls configuration
+ option (#1113). If the KTLS initialization fails it automatically falls back
+ to the user space implementation.
+
+** certtool: The certtool command can now read the Certificate Transparency
+ (RFC 6962) SCT extension (#232). New API functions are also provided to
+ access and manipulate the extension values.
+
+** certtool: The certtool command can now generate, manipulate, and evaluate
+ x25519 and x448 public keys, private keys, and certificates.
+
+** libgnutls: Disabling a hashing algorithm through "insecure-hash"
+ configuration directive now also disables TLS ciphersuites that use it as a
+ PRF algorithm.
+
+** libgnutls: PKCS#12 files are now created with modern algorithms by default
+ (!1499). Previously certtool used PKCS12-3DES-SHA1 for key derivation and
+ HMAC-SHA1 as an integity measure in PKCS#12. Now it uses AES-128-CBC with
+ PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the
+ default PBKDF2 iteration count has been increased to 600000.
** libgnutls: PKCS#12 keys derived using GOST algorithm now uses
- HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for
- integrity, to conform with the latest TC-26 requirements
+ HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity, to
+ conform with the latest TC-26 requirements (#1225).
+
+** libgnutls: The library now provides a means to report the status of approved
+ cryptographic operations (!1465). To adhere to the FIPS140-3 IG 2.4.C., this
+ complements the existing mechanism to prohibit the use of unapproved
+ algorithms by making the library unusable state.
+
+** gnutls-cli: The gnutls-cli command now provides a --list-config option to
+ print the library configuration (!1508).
+
+** libgnutls: Fixed possible race condition in
+ gnutls_x509_trust_list_verify_crt2 when a single trust list object is shared
+ among multiple threads (#1277). [GNUTLS-SA-2022-01-17, CVSS: low]
** API and ABI modifications:
GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_privkey_flags_t
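Review bot: typo in the PKCS#12 entry of this hunk: `HMAC-SHA1 as an integity measure in PKCS#12` should read `integrity`. Two other added sentences read awkwardly and are worth fixing before the tag, since these are the user-facing notes for a security-relevant default change and for the GNUTLS-SA-2022-01-17 fix: `Note that this brings in known backward incompatibility in command-line tools, such as long options are now case sensitive` is clearer as `Note that this introduces a known backward incompatibility in the command-line tools: long options are now case sensitive, ...`, and `by making the library unusable state` in the FIPS 140-3 entry presumably means `by putting the library into an unusable state`.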
@@ -43,6 +83,8 @@ gnutls_fips140_push_context: New function
gnutls_fips140_pop_context: New function
gnutls_fips140_get_operation_state: New function
gnutls_fips140_operation_state_t: New enum
+gnutls_transport_is_ktls_enabled: New function
+gnutls_get_library_configuration: New function
* Version 3.7.2 (released 2021-05-29)
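Review bot: the new API entry `gnutls_get_library_configuration: New function` does not match the name removed from the ABI suppression list later in this same commit, `name = gnutls_get_library_config` in devel/libgnutls.abignore; one of the two is a typo. Please check the symbol actually exported in the .map file and make the NEWS entry and the abignore entry agree, otherwise the release notes document a function that does not exist, or the ABI check stops covering the one that does.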
diff --git a/configure.ac b/configure.ac
index 895f845872..eed499ca94 100644
--- a/configure.ac
+++ b/configure.ac
@@ -23,7 +23,7 @@ dnl Process this file with autoconf to produce a configure script.
AC_PREREQ(2.64)
dnl when updating version also update LT_REVISION in m4/hooks.m4
-AC_INIT([GnuTLS], [3.7.2], [bugs@gnutls.org])
+AC_INIT([GnuTLS], [3.7.3], [bugs@gnutls.org])
AC_CONFIG_AUX_DIR([build-aux])
AC_CONFIG_MACRO_DIRS([m4 src/gl/m4 lib/unistring/m4])
AC_CANONICAL_HOST
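Review bot: the retained comment `dnl when updating version also update LT_REVISION in m4/hooks.m4` is misleading for this release: the matching m4/hooks.m4 change bumps LT_CURRENT and LT_AGE and keeps LT_REVISION at 0, which is the correct libtool sequence when interfaces are added. Suggest rewording the comment to say that the LT_* values in m4/hooks.m4 must be updated according to the rules referenced there, rather than naming LT_REVISION specifically.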
diff --git a/devel/abi-dump b/devel/abi-dump
-Subproject e1d454e4f76653ae786f882526fed74c094c9cf
+Subproject c0cd665948fb958951280a6d40cd1072a430dfc
diff --git a/devel/libgnutls.abignore b/devel/libgnutls.abignore
index 8c7e7f2abe..c19dce38e1 100644
--- a/devel/libgnutls.abignore
+++ b/devel/libgnutls.abignore
@@ -70,59 +70,3 @@ name = drbg_aes_reseed
# The following should be removed in the new release, after updating the
# abi-dump repository:
-[suppress_function]
-name = gnutls_digest_set_secure
-
-[suppress_function]
-name = gnutls_ecc_curve_set_enabled
-
-[suppress_function]
-name = gnutls_protocol_set_enabled
-
-[suppress_function]
-name = gnutls_sign_set_secure
-
-[suppress_function]
-name = gnutls_sign_set_secure_for_certs
-
-[suppress_function]
-name = gnutls_x509_ext_ct_scts_init
-
-[suppress_function]
-name = gnutls_x509_ext_ct_scts_deinit
-
-[suppress_function]
-name = gnutls_x509_ext_ct_import_scts
-
-[suppress_function]
-name = gnutls_x509_ext_ct_export_scts
-
-[suppress_function]
-name = gnutls_x509_ct_sct_get_version
-
-[suppress_function]
-name = gnutls_x509_ct_sct_get
-
-[suppress_function]
-name = gnutls_transport_is_ktls_enabled
-
-[suppress_function]
-name = gnutls_fips140_context_init
-
-[suppress_function]
-name = gnutls_fips140_context_deinit
-
-[suppress_function]
-name = gnutls_fips140_push_context
-
-[suppress_function]
-name = gnutls_fips140_pop_context
-
-[suppress_function]
-name = gnutls_fips140_get_operation_state
-
-[suppress_type]
-name = gnutls_fips140_operation_state_t
-
-[suppress_function]
-name = gnutls_get_library_config
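Review bot: after removing every entry under it, the context lines `# The following should be removed in the new release, after updating the` / `# abi-dump repository:` now introduce an empty list; either drop those two lines as well or add a short note that the list is intentionally empty, so the next release knows where temporary suppressions go. Dropping the suppressions is consistent with the devel/abi-dump submodule bump in this commit, but it only holds if the new submodule commit contains a dump that covers these symbols, so the ABI check should be run once against the bumped submodule before tagging.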
diff --git a/m4/hooks.m4 b/m4/hooks.m4
index f0efe52cf6..d2e9a653de 100644
--- a/m4/hooks.m4
+++ b/m4/hooks.m4
@@ -40,9 +40,9 @@ AC_DEFUN([LIBGNUTLS_HOOKS],
# in CONTRIBUTION.md for more info.
#
# Interfaces removed: AGE=0 (+bump all symbol versions in .map)
- AC_SUBST(LT_CURRENT, 60)
+ AC_SUBST(LT_CURRENT, 61)
AC_SUBST(LT_REVISION, 0)
- AC_SUBST(LT_AGE, 30)
+ AC_SUBST(LT_AGE, 31)
AC_SUBST(LT_SSL_CURRENT, 27)
AC_SUBST(LT_SSL_REVISION, 2)
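Review bot: raising LT_CURRENT from 60 to 61 and LT_AGE from 30 to 31 while leaving LT_REVISION at 0 is the correct libtool triple for a release that only adds interfaces (the NEWS hunk lists gnutls_transport_is_ktls_enabled and the library-configuration function as new, and nothing as removed), so the `Interfaces removed: AGE=0` rule in the context line does not apply here. LT_SSL_CURRENT and LT_SSL_REVISION are untouched, which is fine provided libgnutls-openssl had no interface changes in this cycle.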