[gnutls-help] gnutls 3.8.2

Zoltan Fridrich zfridric at redhat.com
Wed Nov 15 14:05:59 CET 2023


We have just released gnutls-3.8.2. This is a bug fix and enhancement 
release on the 3.8.x branch.

We would like to thank everyone who contributed to this release:
Samuel Thibault, Adrian Bunk, Sam James, Miroslav Lichvar, Dimitri 
Papadopoulos Orfanos, Yongye Zhu, xuraoqing, Clemens Lang, Frediano 
Ziglio, Ajit Singh, Daiki Ueno and Zoltan Fridrich

The detailed list of changes follows:

* Version 3.8.2 (released 2023-11-14)

** libgnutls: Fix timing side-channel inside RSA-PSK key exchange. 
[GNUTLS-SA-2023-10-23, CVSS: medium] [CVE-2023-5981]

** libgnutls: Add API functions to perform ECDH and DH key agreement.
The functionality has been there for a long time, though it was not
available as part of the public API. This enables applications to
implement custom protocols leveraging non-interactive key agreement with
ECDH and DH.

** libgnutls: Added support for AES-GCM-SIV ciphers (RFC 8452). The new 
algorithms GNUTLS_CIPHER_AES_128_SIV_GCM and 
GNUTLS_CIPHER_AES_256_SIV_GCM have been added to be used through the 
AEAD interface. Note that, unlike GNUTLS_CIPHER_AES_{128,256}_SIV_GCM, 
the authentication tag is appended to the ciphertext, not prepended.

** libgnutls: Transparent KTLS support is extended to the FreeBSD kernel.
The kernel TLS feature can now be enabled on FreeBSD as well as Linux 
when compiled with the --enable-ktls configure option.

** gnutls-cli: New option --starttls-name. Depending on deployment,
application protocols such as XMPP may require a different origin 
address than the external address to be presented prior to STARTTLS 
negotiation. The --starttls-name can be used to specify the addresses 

** API and ABI modifications:
gnutls_pubkey_import_dh_raw: New function
gnutls_privkey_import_dh_raw: New function
gnutls_pubkey_export_dh_raw: New function
gnutls_privkey_export_dh_raw: New function
gnutls_x509_privkey_import_dh_raw: New function
gnutls_privkey_derive_secret: New function
GNUTLS_KEYGEN_DH: New enum member of gnutls_keygen_types_t

Getting the Software
GnuTLS may be downloaded directly from
https://www.gnupg.org/ftp/gcrypt/
A list of GnuTLS mirrors can be found at
http://www.gnutls.org/download.html

Here are the XZ compressed sources:

Here are OpenPGP detached signatures signed using keys:

Note that it has been signed with my OpenPGP key:
pub   ed25519 2021-12-23 [SC] [expires: 2023-12-23]
uid           [ultimate] Zoltan Fridrich <zfridric at redhat.com>
sub   cv25519 2021-12-23 [E] [expires: 2023-12-23]

and Daiki Ueno's OpenPGP key:
pub rsa4096 2009-07-23 [SC] [expires: 2023-09-25]
uid           [ultimate] Daiki Ueno <ueno at unixuser.org>
uid           [ultimate] Daiki Ueno <ueno at gnu.org>
sub rsa4096 2010-02-04 [E]

