From 68c744abfd4aad720a7ae93b31674ee7a267bad1 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Mon, 17 Jan 2022 16:48:10 +0100
Subject: Release 3.7.3

Signed-off-by: Daiki Ueno
---
 NEWS | 64 +++++++++++++++++++++++++++++++++++++++---------
 configure.ac | 2 +-
 devel/abi-dump | 2 +-
 devel/libgnutls.abignore | 56 ------------------------------------------
 m4/hooks.m4 | 4 +--
 5 files changed, 57 insertions(+), 71 deletions(-)

diff --git a/NEWS b/NEWS
index ae494e1e40..673d1c7e94 100644
--- a/NEWS
+++ b/NEWS
@@ -5,29 +5,69 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc. Copyright (C) 2013-2019 Nikos Mavrogiannopoulos See the end for copying conditions. -* Version 3.7.3 (unreleased) +* Version 3.7.3 (released 2022-01-17) ** libgnutls: The allowlisting configuration mode has been added to the system-wide settings. In this mode, all the algorithms are initially marked as insecure or disabled, while the applications can re-enable them either through the [overrides] section of the configuration file or the new API (#1172). -** certtool: Certtool can now generate, manipulate, and evaluate x25519 and - x448 public keys, private keys, and certificates. +** The build infrastructure no longer depends on GNU AutoGen for generating + command-line option handling, template file parsing in certtool, and + documentation generation (#773, #774). This change also removes run-time or + bundled dependency on the libopts library, and requires Python 3.6 or later + to regenerate the distribution tarball. -** libgnutls: disabling a hashing algorithm through "insecure-hash" - configuration directive now also disables TLS ciphersuites that use it - as a PRF algorithm. + Note that this brings in known backward incompatibility in command-line + tools, such as long options are now case sensitive, while previously they + were treated in a case insensitive manner: for example --RSA is no longer a + valid option of certtool. The existing scripts using GnuTLS tools may need + adjustment for this change. ** libgnutls: The tpm2-tss-engine compatible private blobs can be loaded and - used as a gnutls_privkey_t. The code was originally written for the - OpenConnect VPN project by David Woodhouse. To generate such blobs, - use the tpm2tss-genkey tool from tpm2-tss-engine: + used as a gnutls_privkey_t (#594). The code was originally written for the + OpenConnect VPN project by David Woodhouse. 
To generate such blobs, use the + tpm2tss-genkey tool from tpm2-tss-engine: https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations + or the tpm2_encodeobject tool from unreleased tpm2-tools. + +** libgnutls: The library now transparently enables Linux KTLS + (kernel TLS) when the feature is compiled in with --enable-ktls configuration + option (#1113). If the KTLS initialization fails it automatically falls back + to the user space implementation. + +** certtool: The certtool command can now read the Certificate Transparency + (RFC 6962) SCT extension (#232). New API functions are also provided to + access and manipulate the extension values. + +** certtool: The certtool command can now generate, manipulate, and evaluate + x25519 and x448 public keys, private keys, and certificates. + +** libgnutls: Disabling a hashing algorithm through "insecure-hash" + configuration directive now also disables TLS ciphersuites that use it as a + PRF algorithm. + +** libgnutls: PKCS#12 files are now created with modern algorithms by default + (!1499). Previously certtool used PKCS12-3DES-SHA1 for key derivation and + HMAC-SHA1 as an integity measure in PKCS#12. Now it uses AES-128-CBC with + PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the + default PBKDF2 iteration count has been increased to 600000. ** libgnutls: PKCS#12 keys derived using GOST algorithm now uses - HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for - integrity, to conform with the latest TC-26 requirements + HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity, to + conform with the latest TC-26 requirements (#1225). + +** libgnutls: The library now provides a means to report the status of approved + cryptographic operations (!1465). To adhere to the FIPS140-3 IG 2.4.C., this + complements the existing mechanism to prohibit the use of unapproved + algorithms by making the library unusable state. 
+ +** gnutls-cli: The gnutls-cli command now provides a --list-config option to + print the library configuration (!1508). + +** libgnutls: Fixed possible race condition in + gnutls_x509_trust_list_verify_crt2 when a single trust list object is shared + among multiple threads (#1277). [GNUTLS-SA-2022-01-17, CVSS: low] ** API and ABI modifications: GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_privkey_flags_t @@ -43,6 +83,8 @@ gnutls_fips140_push_context: New function gnutls_fips140_pop_context: New function gnutls_fips140_get_operation_state: New function gnutls_fips140_operation_state_t: New enum +gnutls_transport_is_ktls_enabled: New function +gnutls_get_library_configuration: New function * Version 3.7.2 (released 2021-05-29) diff --git a/configure.ac b/configure.ac index 895f845872..eed499ca94 100644 --- a/configure.ac +++ b/configure.ac @@ -23,7 +23,7 @@ dnl Process this file with autoconf to produce a configure script. AC_PREREQ(2.64) dnl when updating version also update LT_REVISION in m4/hooks.m4 -AC_INIT([GnuTLS], [3.7.2], [bugs@gnutls.org]) +AC_INIT([GnuTLS], [3.7.3], [bugs@gnutls.org]) AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_MACRO_DIRS([m4 src/gl/m4 lib/unistring/m4]) AC_CANONICAL_HOST diff --git a/devel/abi-dump b/devel/abi-dump index e1d454e4f7..c0cd665948 160000 --- a/devel/abi-dump +++ b/devel/abi-dump @@ -1 +1 @@ -Subproject commit e1d454e4f76653ae786f882526fed74c094c9cf9 +Subproject commit c0cd665948fb958951280a6d40cd1072a430dfcb diff --git a/devel/libgnutls.abignore b/devel/libgnutls.abignore index 8c7e7f2abe..c19dce38e1 100644 --- a/devel/libgnutls.abignore +++ b/devel/libgnutls.abignore 
@@ -70,59 +70,3 @@ name = drbg_aes_reseed # The following should be removed in the new release, after updating the # abi-dump repository: -[suppress_function] -name = gnutls_digest_set_secure - -[suppress_function] -name = gnutls_ecc_curve_set_enabled - -[suppress_function] -name = gnutls_protocol_set_enabled - -[suppress_function] -name = gnutls_sign_set_secure - -[suppress_function] -name = gnutls_sign_set_secure_for_certs - -[suppress_function] -name = gnutls_x509_ext_ct_scts_init - -[suppress_function] -name = gnutls_x509_ext_ct_scts_deinit - -[suppress_function] -name = gnutls_x509_ext_ct_import_scts - -[suppress_function] -name = gnutls_x509_ext_ct_export_scts - -[suppress_function] -name = gnutls_x509_ct_sct_get_version - -[suppress_function] -name = gnutls_x509_ct_sct_get - -[suppress_function] -name = gnutls_transport_is_ktls_enabled - -[suppress_function] -name = gnutls_fips140_context_init - -[suppress_function] -name = gnutls_fips140_context_deinit - -[suppress_function] -name = gnutls_fips140_push_context - -[suppress_function] -name = gnutls_fips140_pop_context - -[suppress_function] -name = gnutls_fips140_get_operation_state - -[suppress_type] -name = gnutls_fips140_operation_state_t - -[suppress_function] -name = gnutls_get_library_config diff --git a/m4/hooks.m4 b/m4/hooks.m4 index f0efe52cf6..d2e9a653de 100644 --- a/m4/hooks.m4 +++ b/m4/hooks.m4 @@ -40,9 +40,9 @@ AC_DEFUN([LIBGNUTLS_HOOKS], # in CONTRIBUTION.md for more info. # # Interfaces removed: AGE=0 (+bump all symbol versions in .map) - AC_SUBST(LT_CURRENT, 60) + AC_SUBST(LT_CURRENT, 61) AC_SUBST(LT_REVISION, 0) - AC_SUBST(LT_AGE, 30) + AC_SUBST(LT_AGE, 31) AC_SUBST(LT_SSL_CURRENT, 27) AC_SUBST(LT_SSL_REVISION, 2) -- cgit v1.2.1