From: Zoltan Fridrich Date: Thu, 3 Aug 2023 09:52:04 +0000 (+0200) Subject: Release 3.8.1 X-Git-Tag: 3.8.1^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=824bc6db4ecac5a753dbd2ff1322a199ffdfc755;p=thirdparty%2Fgnutls.git Release 3.8.1 Signed-off-by: Zoltan Fridrich --- diff --git a/NEWS b/NEWS index 77aaf17c06..ecf1ad2c21 100644 --- a/NEWS +++ b/NEWS @@ -5,7 +5,7 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc. Copyright (C) 2013-2019 Nikos Mavrogiannopoulos See the end for copying conditions. -* Version 3.8.1 (unreleased) +* Version 3.8.1 (released 2023-08-03) ** libgnutls: ClientHello extensions are randomized by default To make fingerprinting harder, TLS extensions in ClientHello @@ -20,6 +20,23 @@ See the end for copying conditions. needs to set up a callback that formats the PSK identity using gnutls_psk_format_imported_identity(). +** libgnutls: %GNUTLS_NO_EXTENSIONS has been renamed to + %GNUTLS_NO_DEFAULT_EXTENSIONS. + +** libgnutls: Add additional PBKDF limit checks in FIPS mode as + defined in SP 800-132. Minimum salt length is 128 bits and + minimum iterations bound is 1000 for PBKDF in FIPS mode. + +** libgnutls: Add a mechanism to control whether to enforce extended + master secret (RFC 7627). FIPS 140-3 mandates the use of TLS + session hash (extended master secret, EMS) in TLS 1.2. To enforce + this, a new priority keyword %FORCE_SESSION_HASH is added and if + it is set and EMS is not set, the peer aborts the connection. This + behavior is the default in FIPS mode, though it can be overridden + through the configuration file with the "tls-session-hash" option. + In either case non-EMS PRF is reported as a non-approved operation + through the FIPS service indicator. + ** New option --attime to specify current time. To make testing with different timestamp to the system easier, the tools doing certificate verification now provide a new option 
@@ -3025,7 +3042,7 @@ response corresponds to the given certificate. ** libgnutls: In client side gnutls_init() enables the session ticket and OCSP certificate status request extensions by default. The flag -GNUTLS_NO_DEFAULT_EXTENSIONS can be used to prevent that. +GNUTLS_NO_EXTENSIONS can be used to prevent that. ** libgnutls: Several updates in the OpenPGP code. The generating code is fully RFC6091 compliant and RFC5081 support is only supported in client diff --git a/configure.ac b/configure.ac index 410a36791f..8a841ec06e 100644 --- a/configure.ac +++ b/configure.ac @@ -21,7 +21,7 @@ dnl Process this file with autoconf to produce a configure script. AC_PREREQ(2.64) dnl when updating version also update LT_REVISION in m4/hooks.m4 -AC_INIT([GnuTLS], [3.8.0], [bugs@gnutls.org]) +AC_INIT([GnuTLS], [3.8.1], [bugs@gnutls.org]) AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_MACRO_DIRS([m4 src/gl/m4 lib/unistring/m4]) AC_CANONICAL_HOST diff --git a/devel/abi-dump b/devel/abi-dump index ea6c698821..36a33a5e38 160000 --- a/devel/abi-dump +++ b/devel/abi-dump @@ -1 +1 @@ -Subproject commit ea6c6988216665cf34a440e6a2cf2e88ef789fc4 +Subproject commit 36a33a5e38fbc648718ae999608f5112d72aa1a8 diff --git a/devel/libgnutls.abignore b/devel/libgnutls.abignore index 7ed194a515..c19dce38e1 100644 --- a/devel/libgnutls.abignore +++ b/devel/libgnutls.abignore @@ -70,15 +70,3 @@ name = drbg_aes_reseed # The following should be removed in the new release, after updating the # abi-dump repository: -[suppress_function] -name = gnutls_psk_set_server_credentials_function3 - -[suppress_function] -name = gnutls_psk_set_client_credentials_function3 - -[suppress_function] -name = gnutls_psk_format_imported_identity - -[suppress_type] -name = gnutls_psk_key_flags -changed_enumerators = GNUTLS_PSK_KEY_EXT diff --git a/m4/hooks.m4 b/m4/hooks.m4 index e34baf6b46..be73a5011f 100644 --- a/m4/hooks.m4 +++ b/m4/hooks.m4 
@@ -40,9 +40,9 @@ AC_DEFUN([LIBGNUTLS_HOOKS], # in CONTRIBUTION.md for more info. # # Interfaces removed: AGE=0 (+bump all symbol versions in .map) - AC_SUBST(LT_CURRENT, 65) + AC_SUBST(LT_CURRENT, 66) AC_SUBST(LT_REVISION, 0) - AC_SUBST(LT_AGE, 35) + AC_SUBST(LT_AGE, 36) AC_SUBST(LT_SSL_CURRENT, 27) AC_SUBST(LT_SSL_REVISION, 2)
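Review bot: In the first NEWS hunk, the %FORCE_SESSION_HASH entry is ambiguous where it says "if it is set and EMS is not set, the peer aborts the connection". "EMS is not set" presumably means that extended master secret was not negotiated in the handshake, and "the peer" does not say which endpoint aborts. Suggest something like "if it is set and the extended master secret is not negotiated, the connection is aborted". The entry also names the "tls-session-hash" configuration option without listing its accepted values, which an administrator overriding the FIPS default would need. In the same hunk, the PBKDF entry gives the limits (128-bit salt, 1000 iterations) but not what the caller sees when they are not met; say whether the call fails or is only flagged as non-approved.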
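Review bot: In the second NEWS hunk (the old gnutls_init() entry, @@ -3025,7 +3042,7 @@), the flag name goes back to GNUTLS_NO_EXTENSIONS while the new 3.8.1 entry announces the rename to %GNUTLS_NO_DEFAULT_EXTENSIONS, and neither entry says whether the old name remains usable. Keeping the historical spelling in an old release entry is reasonable, but the 3.8.1 rename entry should state whether GNUTLS_NO_EXTENSIONS is kept as a deprecated alias or removed, so that callers know whether existing code still builds. The commit message only says "Release 3.8.1"; a line noting that a past release's entry was corrected would make this edit easier to find later.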
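Review bot: In the devel/libgnutls.abignore hunk, the comment "# The following should be removed in the new release, after updating the abi-dump repository:" is kept as the tail of the file with nothing left beneath it once the four suppressions are deleted. If it is meant as a placeholder for the next cycle, reword it to say so (for example "Add suppressions for symbols new in the next release below"); otherwise drop it with the entries. The deletion is paired with the devel/abi-dump submodule bump to 36a33a5e38 in the same commit; please confirm that the new dump contains gnutls_psk_set_server_credentials_function3, gnutls_psk_set_client_credentials_function3, gnutls_psk_format_imported_identity and GNUTLS_PSK_KEY_EXT, since without the suppressions the ABI check will flag them if it does not.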
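Review bot: In the m4/hooks.m4 hunk, LT_SSL_CURRENT and LT_SSL_REVISION stay at 27 and 2 in the trailing context while the main library's numbers move; please confirm that the library versioned by LT_SSL_* had no source changes in this cycle, otherwise its revision needs a bump too. For the main library, LT_CURRENT 65 to 66 and LT_AGE 35 to 36 with LT_REVISION left at 0 is the interfaces-added pattern, which matches the new PSK functions whose suppressions are removed in libgnutls.abignore. Note that the configure.ac comment "when updating version also update LT_REVISION in m4/hooks.m4" does not cover this case, where CURRENT and AGE change instead; extending that comment to mention LT_CURRENT and LT_AGE would help the next release.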