[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

gsasl-2.1.0 released [beta]

From: Simon Josefsson
Subject: gsasl-2.1.0 released [beta]
Date: Fri, 05 Aug 2022 21:21:03 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

The GNU SASL 2.1.x branch is NOT what you want for your stable system.
It is intended for developers and experienced users.

* Noteworthy changes in release 2.1.0 (2022-08-05) [beta]

** Support new "tls-exporter" channel binding.
The "tls-exporter" channel binding is specified in RFC 9266
<>.  Now we can support
SCRAM-*-PLUS over TLS 1.3 channels, and address some of the security
problems with "tls-unique".

The library add new callback property GSASL_CB_TLS_EXPORTER and error
code GSASL_NO_CB_TLS_EXPORTER.  These are documented in the manual.

The 'gsasl' command-line tool set it if system GnuTLS has
GNUTLS_CB_TLS_EXPORTER, which was introduced with GnuTLS 3.7.2
released on 2021-05-29.

** SCRAM: Support for "tls-exporter".
The SCRAM client will now query the application for
GSASL_CB_TLS_EXPORTER before it query for GSASL_CB_TLS_UNIQUE.  Supply
it to support TLS 1.3.  The SCRAM server will query the application
for the channel binding type requested by the client (tls-unique or
tls-exporter), and it is up to the application to decide what to do.

** SCRAM: Fix memory leaks on incremental application usage.
See tests/scram-incremental.c for application behaviour that trigger
the leaks.  We run valgrind --leak-check=full to catch future

** Tests: New tests/ & tests/
These perform integration checks between GNU SASL and Dovecot
(GSS-API) and GNU MailUtils imapd (CRAM-MD5, DIGEST-MD5, SCRAM-SHA-*).
They can be used externally from the GNU SASL build environment to
perform system integration tests, see .gitlab-ci.yml for inspiration.

** API and ABI modifications.

Here are the compressed sources and a GPG detached signature:

Use a mirror for higher download bandwidth:

Here are the SHA1 and SHA256 checksums:

6f1103adddbec36c9301ce6a5ff497e0898be56a  gsasl-2.1.0.tar.gz
amEKugQb5sXqwbWL6Iee8mtCjzhcpEpw+jui0QuC0zA  gsasl-2.1.0.tar.gz

The SHA256 checksum is base64 encoded, instead of the
hexadecimal encoding that most checksum tools default to.

Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact.  First, be sure to download both the .sig file
and the corresponding tarball.  Then, run a command like this:

  gpg --verify gsasl-2.1.0.tar.gz.sig

The signature should match the fingerprint of the following key:

  pub   ed25519 2019-03-20 [SC]
        B1D2 BD13 75BE CB78 4CF4  F8C4 D73C F638 C53C 06BE
  uid   Simon Josefsson <>

If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to retrieve
or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key

  gpg --recv-keys 51722B08FE4745A2

  wget -q -O- 
'' | 
gpg --import -

As a last resort to find the key, you can try the official GNU

  wget -q
  gpg --keyring gnu-keyring.gpg --verify gsasl-2.1.0.tar.gz.sig

This release was bootstrapped with the following tools:
  Autoconf 2.71
  Automake 1.16.5
  Libtoolize 2.4.6
  Gnulib v0.1-5282-g5d2d12d7b
  Makeinfo 6.7
  Help2man 1.48.1
  Gperf 3.1
  Gengetopt 2.23
  Gtkdocize 1.33.1
  Tar 1.34
  Gzip 1.10

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]