From: Neustradamus
Subject: Re: gsasl-2.1.0 released [beta]
Date: Sat, 6 Aug 2022 00:52:55 +0000

Hello Simon,
Thanks a lot for the official support of RFC 9266 a few days after the release in GNU SASL 2.1.0 beta.
Regards,
Neustradamus

From: Help-gsasl on behalf of Simon Josefsson via Discussion list for GNU Simple Authentication and Security Layer (SASL)
Sent: Friday, August 05, 2022 21:21
To: bug-gsasl@gnu.org
Subject: gsasl-2.1.0 released [beta]

The GNU SASL 2.1.x branch is NOT what you want for your stable system.
It is intended for developers and experienced users.

* Noteworthy changes in release 2.1.0 (2022-08-05) [beta]

** Support new "tls-exporter" channel binding.
The "tls-exporter" channel binding is specified in RFC 9266
<https://datatracker.ietf.org/doc/html/rfc9266>. Now we can support
SCRAM-*-PLUS over TLS 1.3 channels, and address some of the security
problems with "tls-unique". The library adds new callback property
GSASL_CB_TLS_EXPORTER and error code GSASL_NO_CB_TLS_EXPORTER. These
are documented in the manual. The 'gsasl' command-line tool sets it if
system GnuTLS has GNUTLS_CB_TLS_EXPORTER, which was introduced with
GnuTLS 3.7.2 released on 2021-05-29.

** SCRAM: Support for "tls-exporter".
The SCRAM client will now query the application for
GSASL_CB_TLS_EXPORTER before it queries for GSASL_CB_TLS_UNIQUE. Supply
it to support TLS 1.3. The SCRAM server will query the application
for the channel binding type requested by the client (tls-unique or
tls-exporter), and it is up to the application to decide what to do.

** SCRAM: Fix memory leaks on incremental application usage.
See tests/scram-incremental.c for application behaviour that triggers
the leaks. We run valgrind --leak-check=full to catch future
regressions.

** Tests: New tests/gsasl-dovecot-gssapi.sh & tests/gsasl-mailutils-cram.sh.
These perform integration checks between GNU SASL and Dovecot
(GSS-API) and GNU MailUtils imapd (CRAM-MD5, DIGEST-MD5, SCRAM-SHA-*).
They can be used externally from the GNU SASL build environment to
perform system integration tests, see .gitlab-ci.yml for inspiration.

** API and ABI modifications.
GSASL_CB_TLS_EXPORTER: Added.
GSASL_NO_CB_TLS_EXPORTER: Added.

Here are the compressed sources and a GPG detached signature:
  https://alpha.gnu.org/gnu/gsasl/gsasl-2.1.0.tar.gz
  https://alpha.gnu.org/gnu/gsasl/gsasl-2.1.0.tar.gz.sig

Use a mirror for higher download bandwidth:
  https://www.gnu.org/order/ftp.html

Here are the SHA1 and SHA256 checksums:

  6f1103adddbec36c9301ce6a5ff497e0898be56a  gsasl-2.1.0.tar.gz
  amEKugQb5sXqwbWL6Iee8mtCjzhcpEpw+jui0QuC0zA  gsasl-2.1.0.tar.gz

The SHA256 checksum is base64 encoded, instead of the hexadecimal
encoding that most checksum tools default to.

Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact. First, be sure to download both the .sig file
and the corresponding tarball. Then, run a command like this:

  gpg --verify gsasl-2.1.0.tar.gz.sig

The signature should match the fingerprint of the following key:

  pub   ed25519 2019-03-20 [SC]
        B1D2 BD13 75BE CB78 4CF4  F8C4 D73C F638 C53C 06BE
  uid   Simon Josefsson <simon@josefsson.org>

If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to retrieve
or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key simon@josefsson.org

  gpg --recv-keys 51722B08FE4745A2

  wget -q -O- 'https://savannah.gnu.org/project/release-gpgkeys.php?group=gsasl&download=1' | gpg --import -

As a last resort to find the key, you can try the official GNU
keyring:

  wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg
  gpg --keyring gnu-keyring.gpg --verify gsasl-2.1.0.tar.gz.sig

This release was bootstrapped with the following tools:
  Autoconf 2.71
  Automake 1.16.5
  Libtoolize 2.4.6
  Gnulib v0.1-5282-g5d2d12d7b
  Makeinfo 6.7
  Help2man 1.48.1
  Gperf 3.1
  Gengetopt 2.23
  Gtkdocize 1.33.1
  Tar 1.34
  Gzip 1.10
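
The announcement publishes its SHA256 value as base64 without "=" padding, which "sha256sum -c" cannot read directly. The following is an added example, not part of the original message or of GNU SASL: a shell helper that converts such a value to hex and compares it with a file's digest. The function names are hypothetical, and it assumes the coreutils tools sha256sum, base64 and od are installed.

```shell
#!/bin/sh
# Added example: check a file against a base64-encoded SHA-256 digest.
# Function names are hypothetical; assumes sha256sum, base64 and od.

# b64_to_hex B64: print the decoded bytes as lowercase hex.
b64_to_hex() {
    b64=$1
    # Restore the '=' padding that the announcement leaves out;
    # base64 -d rejects input whose length is not a multiple of 4.
    case $(( ${#b64} % 4 )) in
        2) b64="${b64}==" ;;
        3) b64="${b64}=" ;;
        1) return 1 ;;          # no valid base64 string has this length
    esac
    printf '%s' "$b64" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# verify_b64_sha256 FILE B64
# Returns 0 on match, 1 on mismatch, 2 if B64 is not a SHA-256 digest
# or FILE cannot be hashed.
verify_b64_sha256() {
    file=$1
    expected_hex=$(b64_to_hex "$2") || return 2
    # A SHA-256 digest is 32 bytes, which is 64 hex characters.
    [ "${#expected_hex}" -eq 64 ] || return 2
    actual_hex=$(sha256sum "$file" | cut -d' ' -f1)
    [ "${#actual_hex}" -eq 64 ] || return 2
    [ "$actual_hex" = "$expected_hex" ]
}

# Usage with the values from the announcement:
#   verify_b64_sha256 gsasl-2.1.0.tar.gz \
#       amEKugQb5sXqwbWL6Iee8mtCjzhcpEpw+jui0QuC0zA && echo OK
```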