gsasl-2.2.0 released [stable]

[Simon Josefsson]

GNU SASL is a modern C library that implement the network security
protocol Simple Authentication and Security Layer (SASL).  The framework
itself and a couple of common SASL mechanisms are implemented.  GNU SASL
can be used by network applications for IMAP, SMTP, XMPP and other
protocols to provide authentication services.  Supported mechanisms
include CRAM-MD5, EXTERNAL, GSSAPI, ANONYMOUS, PLAIN, SECURID,
DIGEST-MD5, SCRAM-SHA-1(-PLUS), SCRAM-SHA-256(-PLUS), GS2-KRB5, SAML20,
OPENID20, LOGIN, and NTLM.

The project's web page is available at:
  https://www.gnu.org/software/gsasl/

All manuals are available from:
  https://www.gnu.org/software/gsasl/manual/

The main manual:
  https://www.gnu.org/software/gsasl/manual/gsasl.html - HTML format
  https://www.gnu.org/software/gsasl/manual/gsasl.pdf - PDF format

API Reference manual:
  https://www.gnu.org/software/gsasl/reference/ - GTK-DOC HTML

Doxygen documentation:
  https://www.gnu.org/software/gsasl/doxygen/ - HTML format
  https://www.gnu.org/software/gsasl/doxygen/gsasl.pdf - PDF format

For development snapshot artifacts see:
  https://gsasl.gitlab.io/gsasl/reference/
  https://gsasl.gitlab.io/gsasl/coverage/
  https://gsasl.gitlab.io/gsasl/cyclo/
  https://gsasl.gitlab.io/gsasl/clang-analyzer/

If you need help to use GNU SASL, or want to help others, you are
invited to join our help-gsasl mailing list, see:
  https://lists.gnu.org/mailman/listinfo/help-gsasl

Here are the compressed sources and a GPG detached signature:
  https://ftpmirror.gnu.org/gsasl/gsasl-2.2.0.tar.gz
  https://ftpmirror.gnu.org/gsasl/gsasl-2.2.0.tar.gz.sig

Use a mirror for higher download bandwidth:
  https://www.gnu.org/order/ftp.html

Here are the SHA1 and SHA256 checksums:

903b70ecb4eef304521add85310c2df0a7675bd1  gsasl-2.2.0.tar.gz
ebho47mXbcSE1ZspygroiXvpbOTTbTKu1dk1p6Mwd1k  gsasl-2.2.0.tar.gz

The SHA256 checksum is base64 encoded, instead of the
hexadecimal encoding that most checksum tools default to.

Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact.  First, be sure to download both the .sig file
and the corresponding tarball.  Then, run a command like this:

  gpg --verify gsasl-2.2.0.tar.gz.sig

The signature should match the fingerprint of the following key:

  pub   ed25519 2019-03-20 [SC]
        B1D2 BD13 75BE CB78 4CF4  F8C4 D73C F638 C53C 06BE
  uid   Simon Josefsson <simon@josefsson.org>

If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to retrieve
or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key simon@josefsson.org

  gpg --recv-keys 51722B08FE4745A2

  wget -q -O- 
'https://savannah.gnu.org/project/release-gpgkeys.php?group=gsasl&download=1' | 
gpg --import -

As a last resort to find the key, you can try the official GNU
keyring:

  wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg
  gpg --keyring gnu-keyring.gpg --verify gsasl-2.2.0.tar.gz.sig


This release was bootstrapped with the following tools:
  Autoconf 2.71
  Automake 1.16.5
  Libtoolize 2.4.6
  Gnulib v0.1-5400-g416872ced
  Makeinfo 6.7
  Help2man 1.48.1
  Gperf 3.1
  Gengetopt 2.23
  Gtkdocize 1.33.1
  Tar 1.34
  Gzip 1.10

NEWS

* Noteworthy changes in release 2.2.0 (2022-09-03) [stable]

** Fix build error with too old GnuTLS.

** Tests: New tests/gsasl-mailutils-tls.sh.
It performs integration checks between GNU SASL and GNU MailUtils
imapd with TLS enabled, thereby testing TLS support in the 'gsasl'
command line tool.

** Various minor bug fixes and improvements.
Mainly to pacify improved CI/CD checking.

* Noteworthy changes in release 2.1.1 (2022-08-16) [beta]

** Tests: New tests/gsasl-mailutils-gs2krb5-gssapi.sh.
It perform integration checks between GNU SASL and GNU MailUtils imapd
(GSSAPI and GS2-KRB5).  They can be used externally from the GNU SASL
build environment to perform system integration tests, see
.gitlab-ci.yml for inspiration.

** Various minor bug fixes and improvements.
Fix two crashes in 'gsasl' introduced in 2.1.0.

* Noteworthy changes in release 2.1.0 (2022-08-05) [beta]

** Support new "tls-exporter" channel binding.
The "tls-exporter" channel binding is specified in RFC 9266
<https://datatracker.ietf.org/doc/html/rfc9266>.  Now we can support
SCRAM-*-PLUS over TLS 1.3 channels, and address some of the security
problems with "tls-unique".

The library add new callback property GSASL_CB_TLS_EXPORTER and error
code GSASL_NO_CB_TLS_EXPORTER.  These are documented in the manual.

The 'gsasl' command-line tool set it if system GnuTLS has
GNUTLS_CB_TLS_EXPORTER, which was introduced with GnuTLS 3.7.2
released on 2021-05-29.

** SCRAM: Support for "tls-exporter".
The SCRAM client will now query the application for
GSASL_CB_TLS_EXPORTER before it query for GSASL_CB_TLS_UNIQUE.  Supply
it to support TLS 1.3.  The SCRAM server will query the application
for the channel binding type requested by the client (tls-unique or
tls-exporter), and it is up to the application to decide what to do.

** SCRAM: Fix memory leaks on incremental application usage.
See tests/scram-incremental.c for application behaviour that trigger
the leaks.  We run valgrind --leak-check=full to catch future
regressions.

** Tests: New tests/gsasl-dovecot-gssapi.sh & tests/gsasl-mailutils-cram.sh.
These perform integration checks between GNU SASL and Dovecot
(GSS-API) and GNU MailUtils imapd (CRAM-MD5, DIGEST-MD5, SCRAM-SHA-*).
They can be used externally from the GNU SASL build environment to
perform system integration tests, see .gitlab-ci.yml for inspiration.

** API and ABI modifications.
GSASL_CB_TLS_EXPORTER: Added.
GSASL_NO_CB_TLS_EXPORTER: Added.

signature.asc
Description: PGP signature