Hello, I've just released gnutls 3.5.6. This is an enhancements and bugfix release for the 3.5.x branch.
* Version 3.5.6 (released 2016-11-04) ** libgnutls: Enhanced the PKCS#7 parser to allow decoding old (pre-rfc5652) structures with arbitrary encapsulated content. ** libgnutls: Introduced a function group to set known DH parameters using groups from RFC7919. ** libgnutls: Added more strict RFC4514 textual DN encoding and decoding. Now the generated textual DN is in reverse order according to RFC4514, and functions which generate a DN from strings such gnutls_x509_crt_set_*dn() set the expected DN (reverse of the provided string). ** libgnutls: Introduced time and constraints checks in the end certificate in the gnutls_x509_crt_verify_data2() and gnutls_pkcs7_verify_direct() functions. ** libgnutls: Set limits on the maximum number of alerts handled. That is, applications using gnutls could be tricked into an busy loop if the peer sends continuously alert messages. Applications which set a maximum handshake time (via gnutls_handshake_set_timeout) will eventually recover but others may remain in a busy loops indefinitely. This is related but not identical to CVE-2016-8610, due to the difference in alert handling of the libraries (gnutls delegates that handling to applications). ** libgnutls: Reverted the change which made the gnutls_certificate_set_*key* functions return an index (introduced in 3.5.5), to avoid affecting programs which explicitly check success of the function as equality to zero. In order for these functions to return an index an explicit call to gnutls_certificate_set_flags with the GNUTLS_CERTIFICATE_API_V2 flag is now required. ** libgnutls: Reverted the behavior of sending a status request extension even without a response (introduced in 3.5.5). That is, we no longer reply to a client's hello with a status request, with a status request extension. Although that behavior is legal, it creates incompatibility issues with releases in the gnutls 3.3.x branch. ** libgnutls: Delayed the initialization of the random generator at the first call of gnutls_rnd(). This allows applications to load on systems which getrandom() would block, without blocking until real random data are needed. ** certtool: --get-dh-params will output parameters from the RFC7919 groups. ** p11tool: improvements in --initialize option. ** API and ABI modifications: GNUTLS_CERTIFICATE_API_V2: Added GNUTLS_NO_TICKETS: Added gnutls_pkcs7_get_embedded_data_oid: Added gnutls_anon_set_server_known_dh_params: Added gnutls_certificate_set_known_dh_params: Added gnutls_psk_set_server_known_dh_params: Added gnutls_x509_crt_check_key_purpose: Added Getting the Software ==================== GnuTLS may be downloaded directly from <ftp://ftp.gnutls.org/gcrypt/gnutls/>. A list of GnuTLS mirrors can be found at <http://www.gnutls.org/download.html>. Here are the XZ compressed sources: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.6.tar.xz Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.6.tar.xz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos <nmav <at> gnutls.org> uid Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at> gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos _______________________________________________ Gnutls-help mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnutls-help
