From nmav at gnutls.org Thu Jul 25 22:39:37 2019 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 25 Jul 2019 22:39:37 +0200 Subject: [gnutls-help] gnutls 3.6.9 Message-ID: Hello, I've just released gnutls 3.6.9. This is a bug fix release on the stable 3.6.x branch. I'd like to thank everyone who contributed in this release: Andreas Metzler, Daiki Ueno, Dmitry Eremin-Solenikov, Karsten Ohme, Ludovic Court?s and Tim R?hsen. The detailed list of changes follows; they can be seen in more detail in our milestone tracker: https://gitlab.com/gnutls/gnutls/milestones/22 Changes ======= * Version 3.6.9 (released 2019-07-25) ** libgnutls: add gnutls_hash_copy/gnutls_hmac_copy functions that will create a copy of digest or MAC context. Copying contexts for externally-registered digest and MAC contexts is unupported (#787). ** Marked the crypto implementation override APIs as deprecated. These APIs are rarely used, are for a niche use case, but have significant side effects, such as preventing any internal re-organization and extension of the internal cipher API. The APIs remain functional though a compiler warning will be issued, and a future minor version update may transform them to a no-op while keeping ABI compatibility (#789). ** libgnutls: Added support for AES-GMAC, as a separate to GCM, MAC algorithm (#781). ** libgnutls: gnutls_privkey_sign_hash2 now accepts the GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA flag as documented. This makes it a complete replacement of gnutls_privkey_sign_hash(). ** libgnutls: Added support for Generalname registeredID. ** The priority configuration was enhanced to allow more elaborate system-wide configuration of the library (#587). The following changes were included: - The file is read as an ini file with '#' indicating a comment. - The section "[priorities]" or global follows the existing semantics of the configuration file, and allows to specify system-wide priority strings which are accessed with the '@' prefix. - The section "[overrides]" is added with the parameters "insecure-hash", "insecure-sig", "insecure-sig-for-cert", "disabled-curve", "disabled-version", "min-verification-profile", "tls-disabled-cipher", "tls-disabled-mac", "tls-disabled-group", "tls-disabled-kx", which prohibit specific algorithms or options globally. Existing algorithms in the library can be marked as disabled and insecure, but no hard-coded insecure algorithm can be marked as secure (so that the configuration cannot be abused to make the system vulnerable). - Unknown sections or options are skipped with a debug message, unless the GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID environment parameter is set to 1. ** libgnutls: Added new flag for GNUTLS_CPUID_OVERRIDE - 0x20: Enable SHA_NI instruction set ** API and ABI modifications: gnutls_crypto_register_cipher: Deprecated gnutls_crypto_register_aead_cipher: Deprecated gnutls_crypto_register_digest: Deprecated gnutls_crypto_register_mac: Deprecated gnutls_get_system_config_file: Added gnutls_hash_copy: Added gnutls_hmac_copy: Added GNUTLS_MAC_AES_GMAC_128: Added GNUTLS_MAC_AES_GMAC_192: Added GNUTLS_MAC_AES_CMAC_256: Added GNUTLS_SAN_REGISTERED_ID: Added Getting the Software ==================== GnuTLS may be downloaded directly from Here are the XZ compressed sources: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.9.tar.xz Here are OpenPGP detached signatures signed using key 0x96865171: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.9.tar.xz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos