#12317: gnutls-3.6.9
-------------------------+-----------------------
Reporter: bdubbs | Owner: bdubbs
Type: enhancement | Status: assigned
Priority: normal | Milestone: 9.0
Component: BOOK | Version: SVN
Severity: normal | Resolution:
Keywords: |
-------------------------+-----------------------
Comment (by bdubbs):
* Version 3.6.9 (released 2019-07-25)
{{{
** libgnutls: add gnutls_hash_copy/gnutls_hmac_copy functions that will
create a copy
of digest or MAC context. Copying contexts for externally-registered
digest and MAC
contexts is unupported (#787).
** Marked the crypto implementation override APIs as deprecated. These
APIs are rarely
used, are for a niche use case, but have significant side effects, such
as preventing
any internal re-organization and extension of the internal cipher API.
The APIs remain
functional though a compiler warning will be issued, and a future minor
version update
may transform them to a no-op while keeping ABI compatibility (#789).
** libgnutls: Added support for AES-GMAC, as a separate to GCM, MAC
algorithm (#781).
** libgnutls: gnutls_privkey_sign_hash2 now accepts the
GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA
flag as documented. This makes it a complete replacement of
gnutls_privkey_sign_hash().
** libgnutls: Added support for Generalname registeredID.
** The priority configuration was enhanced to allow more elaborate
system-wide configuration of the library (#587).
The following changes were included:
- The file is read as an ini file with '#' indicating a comment.
- The section "[priorities]" or global follows the existing semantics
of
the configuration file, and allows to specify system-wide priority
strings
which are accessed with the '@' prefix.
- The section "[overrides]" is added with the parameters "insecure-
hash",
"insecure-sig", "insecure-sig-for-cert", "disabled-curve",
"disabled-version", "min-verification-profile", "tls-disabled-
cipher",
"tls-disabled-mac", "tls-disabled-group", "tls-disabled-kx", which
prohibit
specific algorithms or options globally. Existing algorithms in the
library can be marked as disabled and insecure, but no hard-coded
insecure algorithm can be marked as secure (so that the
configuration
cannot be abused to make the system vulnerable).
- Unknown sections or options are skipped with a debug message, unless
the GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID environment parameter is
set to 1.
** libgnutls: Added new flag for GNUTLS_CPUID_OVERRIDE
- 0x20: Enable SHA_NI instruction set
** API and ABI modifications:
gnutls_crypto_register_cipher: Deprecated
gnutls_crypto_register_aead_cipher: Deprecated
gnutls_crypto_register_digest: Deprecated
gnutls_crypto_register_mac: Deprecated
gnutls_get_system_config_file: Added
gnutls_hash_copy: Added
gnutls_hmac_copy: Added
GNUTLS_MAC_AES_GMAC_128: Added
GNUTLS_MAC_AES_GMAC_192: Added
GNUTLS_MAC_AES_CMAC_256: Added
GNUTLS_SAN_REGISTERED_ID: Added
}}}
--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/12317#comment:2>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
--
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
