From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] gnutls: Update to version 3.8.2
Date: Sat, 30 Dec 2023 07:38:00 +0000 [thread overview]
Message-ID: <65eba5ef-f2b3-4f71-8884-7584b81480c5@ipfire.org> (raw)
In-Reply-To: <20231218172911.2531726-3-adolf.belka@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 9338 bytes --]
Completely missed this. :-( Thank you as always!
Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
> - Update from version 3.8.0 to 3.8.2
> - Update of rootfile
> - Changelog
> 3.8.2 (released 2023-11-14)
> ** libgnutls: Fix timing side-channel inside RSA-PSK key exchange.
> [GNUTLS-SA-2023-10-23, CVSS: medium] [CVE-2023-5981]
> ** libgnutls: Add API functions to perform ECDH and DH key agreement
> The functionality has been there for a long time though they were
> not available as part of the public API. This enables applications
> to implement custom protocols leveraging non-interactive key
> agreement with ECDH and DH.
> ** libgnutls: Added support for AES-GCM-SIV ciphers (RFC 8452)
> The new algorithms GNUTLS_CIPHER_AES_128_SIV_GCM and
> GNUTLS_CIPHER_AES_256_SIV_GCM have been added to be used through
> the AEAD interface. Note that, unlike
> GNUTLS_CIPHER_AES_{128,256}_SIV_GCM, the authentication tag is
> appended to the ciphertext, not prepended.
> ** libgnutls: transparent KTLS support is extended to FreeBSD kernel
> The kernel TLS feature can now be enabled on FreeBSD as well as
> Linux when compiled with the --enable-ktls configure option.
> ** gnutls-cli: New option --starttls-name
> Depending on deployment, application protocols such as XMPP may
> require a different origin address than the external address to be
> presented prior to STARTTLS negotiation. The --starttls-name can
> be used to specify specify the addresses separately.
> ** API and ABI modifications:
> gnutls_pubkey_import_dh_raw: New function
> gnutls_privkey_import_dh_raw: New function
> gnutls_pubkey_export_dh_raw: New function
> gnutls_privkey_export_dh_raw: New function
> gnutls_x509_privkey_import_dh_raw: New function
> gnutls_privkey_derive_secret: New function
> GNUTLS_KEYGEN_DH: New enum member of gnutls_keygen_types_t
> GNUTLS_CIPHER_AES_128_SIV_GCM: Added
> GNUTLS_CIPHER_AES_256_SIV_GCM: Added
> 3.8.1 (released 2023-08-03)
> ** libgnutls: ClientHello extensions are randomized by default
> To make fingerprinting harder, TLS extensions in ClientHello
> messages are shuffled. As this behavior may cause compatibility
> issue with legacy applications that do not accept the last
> extension without payload, the behavior can be reverted with the
> %NO_SHUFFLE_EXTENSIONS priority keyword.
> ** libgnutls: Add support for RFC 9258 external PSK importer.
> This enables to deploy the same PSK across multiple TLS versions
> (TLS 1.2 and TLS 1.3) in a secure manner. To use, the application
> needs to set up a callback that formats the PSK identity using
> gnutls_psk_format_imported_identity().
> ** libgnutls: %GNUTLS_NO_EXTENSIONS has been renamed to
> %GNUTLS_NO_DEFAULT_EXTENSIONS.
> ** libgnutls: Add additional PBKDF limit checks in FIPS mode as
> defined in SP 800-132. Minimum salt length is 128 bits and
> minimum iterations bound is 1000 for PBKDF in FIPS mode.
> ** libgnutls: Add a mechanism to control whether to enforce extended
> master secret (RFC 7627). FIPS 140-3 mandates the use of TLS
> session hash (extended master secret, EMS) in TLS 1.2. To enforce
> this, a new priority keyword %FORCE_SESSION_HASH is added and if
> it is set and EMS is not set, the peer aborts the connection. This
> behavior is the default in FIPS mode, though it can be overridden
> through the configuration file with the "tls-session-hash" option.
> In either case non-EMS PRF is reported as a non-approved operation
> through the FIPS service indicator.
> ** New option --attime to specify current time.
> To make testing with different timestamp to the system easier, the
> tools doing certificate verification now provide a new option
> --attime, which takes an arbitrary time.
> ** API and ABI modifications:
> gnutls_psk_client_credentials_function3: New typedef
> gnutls_psk_server_credentials_function3: New typedef
> gnutls_psk_set_server_credentials_function3: New function
> gnutls_psk_set_client_credentials_function3: New function
> gnutls_psk_format_imported_identity: New function
> GNUTLS_PSK_KEY_EXT: New enum member of gnutls_psk_key_flags
>
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
> config/rootfiles/common/gnutls | 11 ++++++++++-
> lfs/gnutls | 4 ++--
> 2 files changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/config/rootfiles/common/gnutls b/config/rootfiles/common/gnutls
> index 508596906..cc6c90194 100644
> --- a/config/rootfiles/common/gnutls
> +++ b/config/rootfiles/common/gnutls
> @@ -32,7 +32,7 @@ usr/lib/libgnutls-dane.so.0.4.1
> #usr/lib/libgnutls.la
> #usr/lib/libgnutls.so
> usr/lib/libgnutls.so.30
> -usr/lib/libgnutls.so.30.35.0
> +usr/lib/libgnutls.so.30.37.0
> #usr/lib/libgnutlsxx.la
> #usr/lib/libgnutlsxx.so
> usr/lib/libgnutlsxx.so.30
> @@ -629,6 +629,8 @@ usr/lib/libgnutlsxx.so.30.0.0
> #usr/share/man/man3/gnutls_privkey_decrypt_data.3
> #usr/share/man/man3/gnutls_privkey_decrypt_data2.3
> #usr/share/man/man3/gnutls_privkey_deinit.3
> +#usr/share/man/man3/gnutls_privkey_derive_secret.3
> +#usr/share/man/man3/gnutls_privkey_export_dh_raw.3
> #usr/share/man/man3/gnutls_privkey_export_dsa_raw.3
> #usr/share/man/man3/gnutls_privkey_export_dsa_raw2.3
> #usr/share/man/man3/gnutls_privkey_export_ecc_raw.3
> @@ -645,6 +647,7 @@ usr/lib/libgnutlsxx.so.30.0.0
> #usr/share/man/man3/gnutls_privkey_get_seed.3
> #usr/share/man/man3/gnutls_privkey_get_spki.3
> #usr/share/man/man3/gnutls_privkey_get_type.3
> +#usr/share/man/man3/gnutls_privkey_import_dh_raw.3
> #usr/share/man/man3/gnutls_privkey_import_dsa_raw.3
> #usr/share/man/man3/gnutls_privkey_import_ecc_raw.3
> #usr/share/man/man3/gnutls_privkey_import_ext.3
> @@ -681,6 +684,7 @@ usr/lib/libgnutlsxx.so.30.0.0
> #usr/share/man/man3/gnutls_psk_allocate_client_credentials.3
> #usr/share/man/man3/gnutls_psk_allocate_server_credentials.3
> #usr/share/man/man3/gnutls_psk_client_get_hint.3
> +#usr/share/man/man3/gnutls_psk_format_imported_identity.3
> #usr/share/man/man3/gnutls_psk_free_client_credentials.3
> #usr/share/man/man3/gnutls_psk_free_server_credentials.3
> #usr/share/man/man3/gnutls_psk_server_get_username.3
> @@ -689,10 +693,12 @@ usr/lib/libgnutlsxx.so.30.0.0
> #usr/share/man/man3/gnutls_psk_set_client_credentials2.3
> #usr/share/man/man3/gnutls_psk_set_client_credentials_function.3
> #usr/share/man/man3/gnutls_psk_set_client_credentials_function2.3
> +#usr/share/man/man3/gnutls_psk_set_client_credentials_function3.3
> #usr/share/man/man3/gnutls_psk_set_params_function.3
> #usr/share/man/man3/gnutls_psk_set_server_credentials_file.3
> #usr/share/man/man3/gnutls_psk_set_server_credentials_function.3
> #usr/share/man/man3/gnutls_psk_set_server_credentials_function2.3
> +#usr/share/man/man3/gnutls_psk_set_server_credentials_function3.3
> #usr/share/man/man3/gnutls_psk_set_server_credentials_hint.3
> #usr/share/man/man3/gnutls_psk_set_server_dh_params.3
> #usr/share/man/man3/gnutls_psk_set_server_known_dh_params.3
> @@ -701,6 +707,7 @@ usr/lib/libgnutlsxx.so.30.0.0
> #usr/share/man/man3/gnutls_pubkey_encrypt_data.3
> #usr/share/man/man3/gnutls_pubkey_export.3
> #usr/share/man/man3/gnutls_pubkey_export2.3
> +#usr/share/man/man3/gnutls_pubkey_export_dh_raw.3
> #usr/share/man/man3/gnutls_pubkey_export_dsa_raw.3
> #usr/share/man/man3/gnutls_pubkey_export_dsa_raw2.3
> #usr/share/man/man3/gnutls_pubkey_export_ecc_raw.3
> @@ -716,6 +723,7 @@ usr/lib/libgnutlsxx.so.30.0.0
> #usr/share/man/man3/gnutls_pubkey_get_preferred_hash_algorithm.3
> #usr/share/man/man3/gnutls_pubkey_get_spki.3
> #usr/share/man/man3/gnutls_pubkey_import.3
> +#usr/share/man/man3/gnutls_pubkey_import_dh_raw.3
> #usr/share/man/man3/gnutls_pubkey_import_dsa_raw.3
> #usr/share/man/man3/gnutls_pubkey_import_ecc_raw.3
> #usr/share/man/man3/gnutls_pubkey_import_ecc_x962.3
> @@ -1227,6 +1235,7 @@ usr/lib/libgnutlsxx.so.30.0.0
> #usr/share/man/man3/gnutls_x509_privkey_get_spki.3
> #usr/share/man/man3/gnutls_x509_privkey_import.3
> #usr/share/man/man3/gnutls_x509_privkey_import2.3
> +#usr/share/man/man3/gnutls_x509_privkey_import_dh_raw.3
> #usr/share/man/man3/gnutls_x509_privkey_import_dsa_raw.3
> #usr/share/man/man3/gnutls_x509_privkey_import_ecc_raw.3
> #usr/share/man/man3/gnutls_x509_privkey_import_gost_raw.3
> diff --git a/lfs/gnutls b/lfs/gnutls
> index 7336528f6..19f79c6db 100644
> --- a/lfs/gnutls
> +++ b/lfs/gnutls
> @@ -24,7 +24,7 @@
>
> include Config
>
> -VER = 3.8.0
> +VER = 3.8.2
>
> THISAPP = gnutls-$(VER)
> DL_FILE = $(THISAPP).tar.xz
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>
> -$(DL_FILE)_BLAKE2 = 64784e9c0ac4dcab2c9e90d7d17d0bd8a0021224be285c12a53673f3a52aa3f189152b1b0b4aaae5a8fb41951361af1fd04a5b535774c4a26c26eb895519af40
> +$(DL_FILE)_BLAKE2 = d70524f17919bc02fefc610ede948d209e50e3276fc1e2d40aaed5c208265455da220d948f4a3f21db57f9d253c103f3a1b9a6daa2229d02c7c224448acc2777
>
> install : $(TARGET)
>
next prev parent reply other threads:[~2023-12-30 7:38 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-18 17:28 [PATCH] bash: Update the patches applied to bash Adolf Belka
2023-12-18 17:28 ` [PATCH] git: Update to version 2.43.0 Adolf Belka
2023-12-18 17:28 ` [PATCH] gnutls: Update to version 3.8.2 Adolf Belka
2023-12-30 7:38 ` Peter Müller [this message]
2023-12-18 17:28 ` [PATCH] iptables: Update to version 1.8.10 Adolf Belka
2023-12-30 7:36 ` Peter Müller
2023-12-18 17:28 ` [PATCH] lcms2: Update to version 2.16 Adolf Belka
2023-12-18 17:28 ` [PATCH] libnl-3: Update to version 3.9.0 Adolf Belka
2023-12-18 17:28 ` [PATCH] lmdb: Update to version 0.9.31 Adolf Belka
2023-12-18 17:28 ` [PATCH] lsof: Update to version 4.99.3 Adolf Belka
2023-12-18 17:29 ` [PATCH] nfs: Update to version 2.6.4 Adolf Belka
2023-12-18 17:29 ` [PATCH] p11-kit: Update to version 0.25.3 Adolf Belka
2023-12-18 17:29 ` [PATCH] samba: Update to version 4.19.3 Adolf Belka
2023-12-18 17:29 ` [PATCH] sudo: Update to version 1.9.15p4 Adolf Belka
2023-12-30 7:23 ` Peter Müller
2024-01-07 13:47 ` [PATCH] bash: Update the patches applied to bash Peter Müller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=65eba5ef-f2b3-4f71-8884-7584b81480c5@ipfire.org \
--to=peter.mueller@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox