gsasl-2.2.1 released [stable]

[Simon Josefsson]

This is to announce gsasl-2.2.1, a stable release.

GNU SASL is a modern C library that implement the network security
protocol Simple Authentication and Security Layer (SASL).  The framework
itself and a couple of common SASL mechanisms are implemented.  GNU SASL
can be used by network applications for IMAP, SMTP, XMPP and other
protocols to provide authentication services.  Supported mechanisms
include CRAM-MD5, EXTERNAL, GSSAPI, ANONYMOUS, PLAIN, SECURID,
DIGEST-MD5, SCRAM-SHA-1(-PLUS), SCRAM-SHA-256(-PLUS), GS2-KRB5, SAML20,
OPENID20, LOGIN, and NTLM.

The project's web page is available at:
  https://www.gnu.org/software/gsasl/

All manuals are available from:
  https://www.gnu.org/software/gsasl/manual/
  https://www.gnu.org/software/gsasl/manual/gsasl.html - HTML format
  https://www.gnu.org/software/gsasl/manual/gsasl.pdf - PDF format

API Reference manual:
  https://www.gnu.org/software/gsasl/reference/ - GTK-DOC HTML

Doxygen documentation:
  https://www.gnu.org/software/gsasl/doxygen/ - HTML format
  https://www.gnu.org/software/gsasl/doxygen/gsasl.pdf - PDF format

For development snapshot artifacts see:
  https://gsasl.gitlab.io/gsasl/reference/
  https://gsasl.gitlab.io/gsasl/coverage/
  https://gsasl.gitlab.io/gsasl/cyclo/
  https://gsasl.gitlab.io/gsasl/clang-analyzer/

If you need help to use GNU SASL, or want to help others, you are
invited to join our help-gsasl mailing list, see:
  https://lists.gnu.org/mailman/listinfo/help-gsasl

See the NEWS below for a brief summary.

For a summary of changes and contributors, see:
  https://git.sv.gnu.org/gitweb/?p=gsasl.git;a=shortlog;h=v2.2.1
or run this command from a git-cloned gsasl directory:
  git shortlog v2.2.0..v2.2.1

Here are the compressed sources and a GPG detached signature:
  https://ftpmirror.gnu.org/gsasl/gsasl-2.2.1.tar.gz
  https://ftpmirror.gnu.org/gsasl/gsasl-2.2.1.tar.gz.sig

Use a mirror for higher download bandwidth:
  https://www.gnu.org/order/ftp.html

Here are the SHA1 and SHA256 checksums:

  c238b3af05af3804808cbf734f049a06840d787c  gsasl-2.2.1.tar.gz
  1FtWLhO9E7n8ILNy9LUyaXQM9iefg28JzhG50yvO4HU=  gsasl-2.2.1.tar.gz

Verify the base64 SHA256 checksum with cksum -a sha256 --check
from coreutils-9.2 or OpenBSD's cksum since 2007.

Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact.  First, be sure to download both the .sig file
and the corresponding tarball.  Then, run a command like this:

  gpg --verify gsasl-2.2.1.tar.gz.sig

The signature should match the fingerprint of the following key:

  pub   ed25519 2019-03-20 [SC]
        B1D2 BD13 75BE CB78 4CF4  F8C4 D73C F638 C53C 06BE
  uid   Simon Josefsson <simon@josefsson.org>

If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to retrieve
or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key simon@josefsson.org

  gpg --recv-keys 51722B08FE4745A2

  wget -q -O- 
'https://savannah.gnu.org/project/release-gpgkeys.php?group=gsasl&download=1' | 
gpg --import -

As a last resort to find the key, you can try the official GNU
keyring:

  wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg
  gpg --keyring gnu-keyring.gpg --verify gsasl-2.2.1.tar.gz.sig

This release was bootstrapped with the following tools:
  Autoconf 2.72
  Automake 1.16.5
  Libtoolize 2.4.7
  Gnulib 1cec7095fa
  Makeinfo 6.8
  Help2man 1.49.1
  Gperf 3.1
  Gengetopt 2.23
  Gtkdocize 1.33.1
  Tar 1.34
  Gzip 1.10

NEWS

* Noteworthy changes in release 2.2.1 (2024-01-02) [stable]

** Base64 encoding/decoding now rejects non-conforming data.

** SCRAM server: Add support for GSASL_SCRAM_SALTED_PASSWORD.
If the server knows GSASL_SCRAM_SALTED_PASSWORD with matching
GSASL_SCRAM_ITER and GSASL_SCRAM_SALT values, it can avoid having to
compute the expensive PBKDF2 operation.  The SCRAM client already
supports this mode.  It is recommended for servers to store
GSASL_SCRAM_SERVERKEY and GSASL_SCRAM_STOREDKEY values in a database,
but sometimes storing GSASL_SCRAM_SALTED_PASSWORD, GSASL_SCRAM_ITER
and GSASL_SCRAM_SALT has other advantages.

** gsasl: Added --scram-salted-password=STRING for test purposes.
Based on idea from Manvendra Bhangui <mbhangui@gmail.com> in
<https://lists.gnu.org/archive/html/help-gsasl/2022-11/msg00000.html>.

** tests: Resolve spurious 'Improper format of Kerberos configuration'.
The gsasl-dovecot-gssapi.sh and gsasl-mailutils-gs2krb5-gssapi.sh
self-tests configures a local Kerberos KDC running as non-root with
configuration and database in local temporary directories.  The
kadmin.local tool will read and parse all files under the directory
pointed to by KRB5_KDC_PROFILE assuming it contain configuration
files.  We accidentally put the KDC internal database in that
directory.  Normally reading these binary files (databases with
encryption keys) is harmless, the garbage content is just ignored.
However once in a while the encryption key or database will contain a
line feed followed by the [ character, causing the configuration file
parser to look for a balancing ] character, and if this cannot be
found the tool fails.  Since this only happened once in a while it was
challenging to debug.  Thanks to Andreas Metzler for report, for more
background see
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057285> and
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017638>.

** Reasonable compiler warnings are now enabled by default.
You may disable this using --disable-gcc-warnings (old behaviour) or
turn them into fatal build errors using --enable-gcc-warnings=error to
enable -Werror.  Based on gnulib's manywarnings module, see
<https://www.gnu.org/software/gnulib//manual/html_node/manywarnings.html>.

** Various minor bug fixes and improvements.

Happy hacking,
Simon

signature.asc
Description: PGP signature