From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] gnutls: Update to version 3.8.2
Date: Sat, 30 Dec 2023 07:38:00 +0000
Message-ID: <65eba5ef-f2b3-4f71-8884-7584b81480c5@ipfire.org>
In-Reply-To: <20231218172911.2531726-3-adolf.belka@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4637752914606777091=="
List-Id:

--===============4637752914606777091==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Completely missed this. :-(

Thank you as always!

Reviewed-by: Peter Müller

> - Update from version 3.8.0 to 3.8.2
> - Update of rootfile
> - Changelog
> 3.8.2 (released 2023-11-14)
> ** libgnutls: Fix timing side-channel inside RSA-PSK key exchange.
> [GNUTLS-SA-2023-10-23, CVSS: medium] [CVE-2023-5981]
> ** libgnutls: Add API functions to perform ECDH and DH key agreement
> The functionality has been there for a long time though they were
> not available as part of the public API. This enables applications
> to implement custom protocols leveraging non-interactive key
> agreement with ECDH and DH.
> ** libgnutls: Added support for AES-GCM-SIV ciphers (RFC 8452)
> The new algorithms GNUTLS_CIPHER_AES_128_SIV_GCM and
> GNUTLS_CIPHER_AES_256_SIV_GCM have been added to be used through
> the AEAD interface. Note that, unlike
> GNUTLS_CIPHER_AES_{128,256}_SIV_GCM, the authentication tag is
> appended to the ciphertext, not prepended.
> ** libgnutls: transparent KTLS support is extended to FreeBSD kernel
> The kernel TLS feature can now be enabled on FreeBSD as well as
> Linux when compiled with the --enable-ktls configure option.
> ** gnutls-cli: New option --starttls-name
> Depending on deployment, application protocols such as XMPP may
> require a different origin address than the external address to be
> presented prior to STARTTLS negotiation. The --starttls-name can
> be used to specify the addresses separately.
> ** API and ABI modifications:
> gnutls_pubkey_import_dh_raw: New function
> gnutls_privkey_import_dh_raw: New function
> gnutls_pubkey_export_dh_raw: New function
> gnutls_privkey_export_dh_raw: New function
> gnutls_x509_privkey_import_dh_raw: New function
> gnutls_privkey_derive_secret: New function
> GNUTLS_KEYGEN_DH: New enum member of gnutls_keygen_types_t
> GNUTLS_CIPHER_AES_128_SIV_GCM: Added
> GNUTLS_CIPHER_AES_256_SIV_GCM: Added
> 3.8.1 (released 2023-08-03)
> ** libgnutls: ClientHello extensions are randomized by default
> To make fingerprinting harder, TLS extensions in ClientHello
> messages are shuffled. As this behavior may cause compatibility
> issue with legacy applications that do not accept the last
> extension without payload, the behavior can be reverted with the
> %NO_SHUFFLE_EXTENSIONS priority keyword.
> ** libgnutls: Add support for RFC 9258 external PSK importer.
> This enables to deploy the same PSK across multiple TLS versions
> (TLS 1.2 and TLS 1.3) in a secure manner. To use, the application
> needs to set up a callback that formats the PSK identity using
> gnutls_psk_format_imported_identity().
> ** libgnutls: %GNUTLS_NO_EXTENSIONS has been renamed to
> %GNUTLS_NO_DEFAULT_EXTENSIONS.
> ** libgnutls: Add additional PBKDF limit checks in FIPS mode as
> defined in SP 800-132. Minimum salt length is 128 bits and
> minimum iterations bound is 1000 for PBKDF in FIPS mode.
> ** libgnutls: Add a mechanism to control whether to enforce extended
> master secret (RFC 7627). FIPS 140-3 mandates the use of TLS
> session hash (extended master secret, EMS) in TLS 1.2. To enforce
> this, a new priority keyword %FORCE_SESSION_HASH is added and if
> it is set and EMS is not set, the peer aborts the connection. This
> behavior is the default in FIPS mode, though it can be overridden
> through the configuration file with the "tls-session-hash" option.
> In either case non-EMS PRF is reported as a non-approved operation > through the FIPS service indicator. > ** New option --attime to specify current time. > To make testing with different timestamp to the system easier, the > tools doing certificate verification now provide a new option > --attime, which takes an arbitrary time. > ** API and ABI modifications: > gnutls_psk_client_credentials_function3: New typedef > gnutls_psk_server_credentials_function3: New typedef > gnutls_psk_set_server_credentials_function3: New function > gnutls_psk_set_client_credentials_function3: New function > gnutls_psk_format_imported_identity: New function > GNUTLS_PSK_KEY_EXT: New enum member of gnutls_psk_key_flags >=20 > Signed-off-by: Adolf Belka > --- > config/rootfiles/common/gnutls | 11 ++++++++++- > lfs/gnutls | 4 ++-- > 2 files changed, 12 insertions(+), 3 deletions(-) >=20 > diff --git a/config/rootfiles/common/gnutls b/config/rootfiles/common/gnutls > index 508596906..cc6c90194 100644 > --- a/config/rootfiles/common/gnutls > +++ b/config/rootfiles/common/gnutls > @@ -32,7 +32,7 @@ usr/lib/libgnutls-dane.so.0.4.1 > #usr/lib/libgnutls.la > #usr/lib/libgnutls.so > usr/lib/libgnutls.so.30 > -usr/lib/libgnutls.so.30.35.0 > +usr/lib/libgnutls.so.30.37.0 > #usr/lib/libgnutlsxx.la > #usr/lib/libgnutlsxx.so > usr/lib/libgnutlsxx.so.30 > @@ -629,6 +629,8 @@ usr/lib/libgnutlsxx.so.30.0.0 > #usr/share/man/man3/gnutls_privkey_decrypt_data.3 > #usr/share/man/man3/gnutls_privkey_decrypt_data2.3 > #usr/share/man/man3/gnutls_privkey_deinit.3 > +#usr/share/man/man3/gnutls_privkey_derive_secret.3 > +#usr/share/man/man3/gnutls_privkey_export_dh_raw.3 > #usr/share/man/man3/gnutls_privkey_export_dsa_raw.3 > #usr/share/man/man3/gnutls_privkey_export_dsa_raw2.3 > #usr/share/man/man3/gnutls_privkey_export_ecc_raw.3 
> @@ -645,6 +647,7 @@ usr/lib/libgnutlsxx.so.30.0.0 > #usr/share/man/man3/gnutls_privkey_get_seed.3 > #usr/share/man/man3/gnutls_privkey_get_spki.3 > #usr/share/man/man3/gnutls_privkey_get_type.3 > +#usr/share/man/man3/gnutls_privkey_import_dh_raw.3 > #usr/share/man/man3/gnutls_privkey_import_dsa_raw.3 > #usr/share/man/man3/gnutls_privkey_import_ecc_raw.3 > #usr/share/man/man3/gnutls_privkey_import_ext.3 > @@ -681,6 +684,7 @@ usr/lib/libgnutlsxx.so.30.0.0 > #usr/share/man/man3/gnutls_psk_allocate_client_credentials.3 > #usr/share/man/man3/gnutls_psk_allocate_server_credentials.3 > #usr/share/man/man3/gnutls_psk_client_get_hint.3 > +#usr/share/man/man3/gnutls_psk_format_imported_identity.3 > #usr/share/man/man3/gnutls_psk_free_client_credentials.3 > #usr/share/man/man3/gnutls_psk_free_server_credentials.3 > #usr/share/man/man3/gnutls_psk_server_get_username.3 > @@ -689,10 +693,12 @@ usr/lib/libgnutlsxx.so.30.0.0 > #usr/share/man/man3/gnutls_psk_set_client_credentials2.3 > #usr/share/man/man3/gnutls_psk_set_client_credentials_function.3 > #usr/share/man/man3/gnutls_psk_set_client_credentials_function2.3 > +#usr/share/man/man3/gnutls_psk_set_client_credentials_function3.3 > #usr/share/man/man3/gnutls_psk_set_params_function.3 > #usr/share/man/man3/gnutls_psk_set_server_credentials_file.3 > #usr/share/man/man3/gnutls_psk_set_server_credentials_function.3 > #usr/share/man/man3/gnutls_psk_set_server_credentials_function2.3 > +#usr/share/man/man3/gnutls_psk_set_server_credentials_function3.3 > #usr/share/man/man3/gnutls_psk_set_server_credentials_hint.3 > #usr/share/man/man3/gnutls_psk_set_server_dh_params.3 > #usr/share/man/man3/gnutls_psk_set_server_known_dh_params.3 
> @@ -701,6 +707,7 @@ usr/lib/libgnutlsxx.so.30.0.0 > #usr/share/man/man3/gnutls_pubkey_encrypt_data.3 > #usr/share/man/man3/gnutls_pubkey_export.3 > #usr/share/man/man3/gnutls_pubkey_export2.3 > +#usr/share/man/man3/gnutls_pubkey_export_dh_raw.3 > #usr/share/man/man3/gnutls_pubkey_export_dsa_raw.3 > #usr/share/man/man3/gnutls_pubkey_export_dsa_raw2.3 > #usr/share/man/man3/gnutls_pubkey_export_ecc_raw.3 > @@ -716,6 +723,7 @@ usr/lib/libgnutlsxx.so.30.0.0 > #usr/share/man/man3/gnutls_pubkey_get_preferred_hash_algorithm.3 > #usr/share/man/man3/gnutls_pubkey_get_spki.3 > #usr/share/man/man3/gnutls_pubkey_import.3 > +#usr/share/man/man3/gnutls_pubkey_import_dh_raw.3 > #usr/share/man/man3/gnutls_pubkey_import_dsa_raw.3 > #usr/share/man/man3/gnutls_pubkey_import_ecc_raw.3 > #usr/share/man/man3/gnutls_pubkey_import_ecc_x962.3 > @@ -1227,6 +1235,7 @@ usr/lib/libgnutlsxx.so.30.0.0 > #usr/share/man/man3/gnutls_x509_privkey_get_spki.3 > #usr/share/man/man3/gnutls_x509_privkey_import.3 > #usr/share/man/man3/gnutls_x509_privkey_import2.3 > +#usr/share/man/man3/gnutls_x509_privkey_import_dh_raw.3 > #usr/share/man/man3/gnutls_x509_privkey_import_dsa_raw.3 > #usr/share/man/man3/gnutls_x509_privkey_import_ecc_raw.3 > #usr/share/man/man3/gnutls_x509_privkey_import_gost_raw.3 > diff --git a/lfs/gnutls b/lfs/gnutls > index 7336528f6..19f79c6db 100644 > --- a/lfs/gnutls > +++ b/lfs/gnutls > @@ -24,7 +24,7 @@ > =20 > include Config > =20 > -VER =3D 3.8.0 > +VER =3D 3.8.2 > =20 > THISAPP =3D gnutls-$(VER) > DL_FILE =3D $(THISAPP).tar.xz 
> @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) > =20 > $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) > =20 > -$(DL_FILE)_BLAKE2 =3D 64784e9c0ac4dcab2c9e90d7d17d0bd8a0021224be285c12a536= 73f3a52aa3f189152b1b0b4aaae5a8fb41951361af1fd04a5b535774c4a26c26eb895519af40 > +$(DL_FILE)_BLAKE2 =3D d70524f17919bc02fefc610ede948d209e50e3276fc1e2d40aae= d5c208265455da220d948f4a3f21db57f9d253c103f3a1b9a6daa2229d02c7c224448acc2777 > =20 > install : $(TARGET) > =20 --===============4637752914606777091==--
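
Review bot: In the first config/rootfiles/common/gnutls hunk the versioned library moves from usr/lib/libgnutls.so.30.35.0 to usr/lib/libgnutls.so.30.37.0 while the usr/lib/libgnutls.so.30 entry stays, so programs linked against the .30 name keep resolving, but nothing in this patch removes the old 30.35.0 file on a system that is upgraded rather than freshly installed. Please make sure the update that ships this change drops the stale file, so that a copy of the library from before the CVE-2023-5981 fix listed in the changelog is not left on disk.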
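
Review bot: The VER change in the first lfs/gnutls hunk jumps from 3.8.0 straight to 3.8.2 and therefore also pulls in 3.8.1, which per the quoted changelog shuffles ClientHello extensions by default and renames %GNUTLS_NO_EXTENSIONS to %GNUTLS_NO_DEFAULT_EXTENSIONS, yet the patch touches no configuration or dependent package. It would help to say in the commit message that nothing in the tree uses the old name and that clients linked against gnutls were tested against the peers they talk to, since the changelog itself warns that legacy peers may need %NO_SHUFFLE_EXTENSIONS. As 3.8.2 also fixes CVE-2023-5981, naming the CVE in the subject line would make the security relevance visible in the log.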
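
Review bot: The replaced $(DL_FILE)_BLAKE2 value in the second lfs/gnutls hunk is the only integrity check visible for the new tarball, and the commit message does not say how the 3.8.2 archive was authenticated before this sum was computed. Please note in the commit message that the download was checked against the upstream release signature, so that the recorded hash is known to pin the genuine tarball and not simply whatever was fetched.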