pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/security/gnutls Update gnutls to 3.6.2



details:   https://anonhg.NetBSD.org/pkgsrc/rev/67470a62e78a
branches:  trunk
changeset: 310149:67470a62e78a
user:      prlw1 <prlw1%pkgsrc.org@localhost>
date:      Fri Jul 06 16:15:28 2018 +0000

description:
Update gnutls to 3.6.2

* Version 3.6.2 (released 2018-02-16)

** libgnutls: When verifying against a self signed certificate ignore issuer.
   That is, ignore issuer when checking the issuer's parameters strength, resolving
   issue #347 which caused self signed certificates to be additionally marked as of
   insufficient security level.

** libgnutls: Corrected MTU calculation for the CBC ciphersuites. The data
   MTU calculation now correctly accounts for the fixed overhead due to
   padding (as 1 byte), while at the same time considering the rest of the
   padding as part of data MTU.

** libgnutls: Address issue of loading of all PKCS#11 modules on startup
   on systems with a PKCS#11 trust store (as opposed to a file trust store).
   Introduced a multi-stage initialization which loads the trust modules, and
   other modules are deferred for the first pure PKCS#11 request.

** libgnutls: The SRP authentication will reject any parameters outside
   RFC5054. This protects any client from potential MitM due to insecure
   parameters. That also brings SRP on par with the RFC7919 changes to
   Diffie-Hellman.

** libgnutls: Added the 8192-bit parameters of SRP to the accepted parameters
   for SRP authentication.

** libgnutls: Addressed issue in the accelerated code affecting interoperability
   with versions of nettle >= 3.4.

** libgnutls: Addressed issue in the AES-GCM acceleration under aarch64.

** libgnutls: Addressed issue in the AES-CBC acceleration under ssse3 (patch by
   Vitezslav Cizek).

** srptool: the --create-conf option no longer includes 1024-bit parameters.

** p11tool: Fixed the deletion of objects in batch mode.

** API and ABI modifications:
gnutls_srp_8192_group_generator: Added
gnutls_srp_8192_group_prime: Added


* Version 3.6.1 (released 2017-10-21)

** libgnutls: Fixed interoperability issue with openssl when safe renegotiation was
   used. Resolves gitlab issue #259.

** libgnutls: gnutls_x509_crl_sign, gnutls_x509_crt_sign,
   gnutls_x509_crq_sign, were modified to sign with a better algorithm than
   SHA1. They will now sign with an algorithm that corresponds to the security
   level of the signer's key.

** libgnutls: gnutls_x509_*_sign2() functions and gnutls_x509_*_privkey_sign()
   accept GNUTLS_DIG_UNKNOWN (0) as a hash function option. That will signal
   the function to auto-detect an appropriate hash algorithm to use.

** libgnutls: Removed support for signature algorithms using SHA2-224 in TLS.
   TLS 1.3 no longer uses SHA2-224 and it was never a widespread algorithm
   in TLS 1.2. As such, no reason to keep supporting it.

** libgnutls: Refuse to use client certificates containing disallowed
   algorithms for a session. That reverts a change on 3.5.5, which allowed
   a client to use DSA-SHA1 due to his old DSA certificate, without requiring him
   to enable DSA-SHA1 (and thus make it acceptable for the server's certificate).
   The previous approach was to allow a smooth move for client infrastructure
   after the DSA algorithm became disabled by default, and is no longer necessary
   as DSA is now being universally deprecated.

** libgnutls: Refuse to resume a session which had a different SNI advertised. That
   improves RFC6066 support in server side. Reported by Thomas Klute.

** p11tool: Mark all generated objects as sensitive by default.

** p11tool: added options --sign-params and --hash. This allows testing
   signature with multiple algorithms, including RSA-PSS.

** API and ABI modifications:
No changes since last version.

diffstat:

 security/gnutls/Makefile                                       |   6 +-
 security/gnutls/distinfo                                       |  17 +--
 security/gnutls/patches/patch-fuzz_Makefile.in                 |  16 ----
 security/gnutls/patches/patch-lib_Makefile.in                  |  11 +--
 security/gnutls/patches/patch-lib_accelerated_x86_x86-common.c |   6 +-
 security/gnutls/patches/patch-lib_atomic.h                     |  38 ----------
 security/gnutls/patches/patch-tests_suite_Makefile.in          |  16 ----
 7 files changed, 14 insertions(+), 96 deletions(-)

diffs (172 lines):

diff -r 7503ade95b3d -r 67470a62e78a security/gnutls/Makefile
--- a/security/gnutls/Makefile  Fri Jul 06 15:39:24 2018 +0000
+++ b/security/gnutls/Makefile  Fri Jul 06 16:15:28 2018 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.182 2018/06/04 16:12:52 wiz Exp $
+# $NetBSD: Makefile,v 1.183 2018/07/06 16:15:28 prlw1 Exp $
 
-DISTNAME=      gnutls-3.6.0
-PKGREVISION=   3
+DISTNAME=      gnutls-3.6.2
 CATEGORIES=    security devel
 MASTER_SITES=  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/
 EXTRACT_SUFX=  .tar.xz
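
Review bot: MASTER_SITES in the unchanged context of this hunk still fetches the distfile over plain ftp://, so the only integrity control on gnutls-3.6.2.tar.xz is the checksum set recorded in distinfo. Consider listing an HTTPS location first if upstream provides one. Dropping PKGREVISION together with the DISTNAME bump is correct.
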
@@ -21,6 +20,7 @@
 CONFIGURE_ARGS+=               --disable-guile
 CONFIGURE_ARGS+=               --disable-libdane
 CONFIGURE_ARGS+=               --without-tpm
+CONFIGURE_ARGS+=               --disable-destructive-tests
 CONFIGURE_ARGS+=               --disable-valgrind-tests
 CONFIGURE_ARGS+=               --with-libintl-prefix=${BUILDLINK_PREFIX.gettext}
 CONFIGURE_ARGS+=               --enable-local-libopts
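
Review bot: the added `CONFIGURE_ARGS+= --disable-destructive-tests` line carries no comment, and the commit message does not mention it. Add a one-line comment above it saying why the package turns these tests off, because a reader cannot tell from the Makefile whether this protects the build host or works around a failing test.
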
diff -r 7503ade95b3d -r 67470a62e78a security/gnutls/distinfo
--- a/security/gnutls/distinfo  Fri Jul 06 15:39:24 2018 +0000
+++ b/security/gnutls/distinfo  Fri Jul 06 16:15:28 2018 +0000
@@ -1,16 +1,13 @@
-$NetBSD: distinfo,v 1.128 2017/09/06 13:41:26 wiz Exp $
+$NetBSD: distinfo,v 1.129 2018/07/06 16:15:28 prlw1 Exp $
 
-SHA1 (gnutls-3.6.0.tar.xz) = 7526804877a555b0bd136dfaa8a2ade738018301
-RMD160 (gnutls-3.6.0.tar.xz) = e2346506096e63a5a622a18c72c4269302ec4003
-SHA512 (gnutls-3.6.0.tar.xz) = e5f36d7e8d64e8432098e30549c321745d3605eeb85aba2a04bfa92146ca771961f0e2f3682bcae36be5b6095acd25996104a4213ce7b3466d61332a5188dc03
-Size (gnutls-3.6.0.tar.xz) = 8024972 bytes
-SHA1 (patch-fuzz_Makefile.in) = 8123ed5ac06c338a7ce0fb6da9533defaf93169f
-SHA1 (patch-lib_Makefile.in) = 3320a7ffa6252d116037974b6de8f5d9cd3bc610
-SHA1 (patch-lib_accelerated_x86_x86-common.c) = 7a46ef6892b3a06ff4c949a965073c720a2491a4
-SHA1 (patch-lib_atomic.h) = c59748108d6379fe09d2b5f7c2e31b2616ff40cb
+SHA1 (gnutls-3.6.2.tar.xz) = 24e5a416ce320945a2515619f3c2f0f6f2290ddc
+RMD160 (gnutls-3.6.2.tar.xz) = 8f08c2f8e4957338b5efcb40d3584870a53741e1
+SHA512 (gnutls-3.6.2.tar.xz) = 6a574d355226bdff6198ab3f70633ff2a3cff4b5d06793bdaf19d007063bd4dd515d1bd3f331a9eb1a9ad01f83007801cfa55e5fd16c1cd3461ac33d1813fb06
+Size (gnutls-3.6.2.tar.xz) = 8093304 bytes
+SHA1 (patch-lib_Makefile.in) = c9a6bbe6238ccd9de41c708012e36b202d2a86e7
+SHA1 (patch-lib_accelerated_x86_x86-common.c) = eaf3c473b1ca83c5b15be26f8c06a82d7961420c
 SHA1 (patch-src_libopts_autoopts_options.h) = 9202c55314fe8764ac82c95bbfabfa1b031e9ba4
 SHA1 (patch-src_libopts_compat_compat.h) = 240fbfc0ba20af35e0634ba873fe9e34bfbcc921
 SHA1 (patch-src_libopts_libopts.c) = ce5e7681def882e95ed5ab770564d1f999b97039
 SHA1 (patch-src_libopts_makeshell.c) = e5b7d66caaec45e12ae5490d515fc9fc75de3d92
 SHA1 (patch-src_libopts_proto.h) = 78f845bdcbac8de74953a3cee0b77fa9c5b05386
-SHA1 (patch-tests_suite_Makefile.in) = 69aac0ebae7fa8b755497d3ebe6145be118c6a52
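
Review bot: the new SHA1, RMD160 and SHA512 values at the top of this hunk are the only statement of what gnutls-3.6.2.tar.xz should contain, and the commit message does not say whether the download was checked against any upstream release signature before they were recorded. State that in the log. The bookkeeping itself is consistent: the three removed patch entries match the three deleted files in the diffstat, and the two changed patch hashes belong to the two modified patches.
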
diff -r 7503ade95b3d -r 67470a62e78a security/gnutls/patches/patch-fuzz_Makefile.in
--- a/security/gnutls/patches/patch-fuzz_Makefile.in    Fri Jul 06 15:39:24 2018 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,16 +0,0 @@
-$NetBSD: patch-fuzz_Makefile.in,v 1.1 2017/09/06 13:41:26 wiz Exp $
-
-Use autoconf variable for libdl.
-https://gitlab.com/gnutls/gnutls/issues/270
-
---- fuzz/Makefile.in.orig      2017-09-06 12:15:06.271496815 +0000
-+++ fuzz/Makefile.in
-@@ -1797,7 +1797,7 @@ gnutls_srp_client_fuzzer_SOURCES = gnutl
- gnutls_srp_server_fuzzer_SOURCES = gnutls_srp_server_fuzzer.c main.c fuzzer.h mem.h srp.h
- gnutls_set_trust_file_fuzzer_SOURCES = gnutls_set_trust_file_fuzzer.c main.c fuzzer.h
- gnutls_x509_parser_fuzzer_SOURCES = gnutls_x509_parser_fuzzer.c main.c fuzzer.h
--gnutls_set_trust_file_fuzzer_LDADD = $(LDADD) -ldl
-+gnutls_set_trust_file_fuzzer_LDADD = $(LDADD) $(LIBDL)
- TESTS = $(FUZZERS)
- LCOV_INFO = coverage.info
- all: all-am
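
Review bot: this patch is deleted without the commit message saying that the `$(LIBDL)` change tracked in https://gitlab.com/gnutls/gnutls/issues/270 is present in the 3.6.2 tarball. Say so in the log (the same applies to patch-tests_suite_Makefile.in, which cites the same issue); if upstream did not take it, the hard-coded `-ldl` returns in the gnutls_set_trust_file_fuzzer_LDADD line.
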
diff -r 7503ade95b3d -r 67470a62e78a security/gnutls/patches/patch-lib_Makefile.in
--- a/security/gnutls/patches/patch-lib_Makefile.in     Fri Jul 06 15:39:24 2018 +0000
+++ b/security/gnutls/patches/patch-lib_Makefile.in     Fri Jul 06 16:15:28 2018 +0000
@@ -1,18 +1,9 @@
-$NetBSD: patch-lib_Makefile.in,v 1.8 2017/09/06 13:41:26 wiz Exp $
+$NetBSD: patch-lib_Makefile.in,v 1.9 2018/07/06 16:15:28 prlw1 Exp $
 
 Correct path to locale files.
 
 --- lib/Makefile.in.orig       2015-05-03 17:30:56.000000000 +0000
 +++ lib/Makefile.in
-@@ -386,7 +386,7 @@ am__v_lt_0 = --silent
- am__v_lt_1 = 
- libgnutls_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
-       $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
--      $(libgnutls_la_LDFLAGS) $(LDFLAGS) -o $@
-+      $(libgnutls_la_LDFLAGS) $(LDFLAGS) -lgmp -o $@
- @ENABLE_CXX_TRUE@libgnutlsxx_la_DEPENDENCIES = libgnutls.la
- am__libgnutlsxx_la_SOURCES_DIST = gnutlsxx.cpp
- @ENABLE_CXX_TRUE@am_libgnutlsxx_la_OBJECTS =  \
 @@ -1443,7 +1443,7 @@ infodir = @infodir@
  install_sh = @install_sh@
  libdir = @libdir@
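
Review bot: the hunk at old line 386 that appended `-lgmp` to the libgnutls_la_LINK command is dropped with no reason given in the commit message. Record why the explicit gmp link is no longer needed. The `.orig` timestamp in the patch header is also still 2015-05-03, unlike the x86-common.c patch where it was refreshed, so it is worth regenerating this patch against the 3.6.2 sources.
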
diff -r 7503ade95b3d -r 67470a62e78a security/gnutls/patches/patch-lib_accelerated_x86_x86-common.c
--- a/security/gnutls/patches/patch-lib_accelerated_x86_x86-common.c    Fri Jul 06 15:39:24 2018 +0000
+++ b/security/gnutls/patches/patch-lib_accelerated_x86_x86-common.c    Fri Jul 06 16:15:28 2018 +0000
@@ -1,12 +1,12 @@
-$NetBSD: patch-lib_accelerated_x86_x86-common.c,v 1.1 2017/04/10 10:43:49 jperkin Exp $
+$NetBSD: patch-lib_accelerated_x86_x86-common.c,v 1.2 2018/07/06 16:15:28 prlw1 Exp $
 
 Avoid unsupported xgetbv instruction on older Darwin assemblers.
 
---- lib/accelerated/x86/x86-common.c.orig      2017-01-22 00:00:30.000000000 +0000
+--- lib/accelerated/x86/x86-common.c.orig      2018-02-12 07:06:04.000000000 +0000
 +++ lib/accelerated/x86/x86-common.c
 @@ -101,6 +101,8 @@ static unsigned check_4th_gen_intel_feat
  
- #if defined(_MSC_VER)
+ #if defined(_MSC_VER) && !defined(__clang__)
        xcr0 = _xgetbv(0);
 +#elif defined(__ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__) && __ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__ < 1070
 +      return 0;
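
Review bot: the `#elif` guard tests the deployment target (`__ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__ < 1070`), while the patch description talks about older Darwin assemblers, so a current toolchain building for an old target also takes the `return 0` path and reports the feature as absent. If the assembler is the real constraint, say in the description that the deployment target is used as a proxy for it. The refreshed context line `#if defined(_MSC_VER) && !defined(__clang__)` is consistent with the updated `.orig` timestamp.
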
diff -r 7503ade95b3d -r 67470a62e78a security/gnutls/patches/patch-lib_atomic.h
--- a/security/gnutls/patches/patch-lib_atomic.h        Fri Jul 06 15:39:24 2018 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,38 +0,0 @@
-$NetBSD: patch-lib_atomic.h,v 1.1 2017/09/06 13:41:26 wiz Exp $
-
-Fix lock arguments.
-https://gitlab.com/gnutls/gnutls/commit/72d25d427078d3de5c25c3b5406b0313ffd813ab
-
---- lib/atomic.h.orig  2017-07-31 06:22:37.000000000 +0000
-+++ lib/atomic.h
-@@ -47,24 +47,24 @@ typedef struct gnutls_atomic_uint_st *gn
- inline static unsigned gnutls_atomic_val(gnutls_atomic_uint_t x)
- {
-       unsigned int t;
--      gnutls_mutex_lock(x->lock);
-+      gnutls_mutex_lock(&x->lock);
-       t = x->value;
--      gnutls_mutex_unlock(x->lock);
-+      gnutls_mutex_unlock(&x->lock);
-       return t;
- }
- 
- inline static void gnutls_atomic_increment(gnutls_atomic_uint_t x)
- {
--      gnutls_mutex_lock(x->lock);
-+      gnutls_mutex_lock(&x->lock);
-       x->value++;
--      gnutls_mutex_unlock(x->lock);
-+      gnutls_mutex_unlock(&x->lock);
- }
- 
- inline static void gnutls_atomic_decrement(gnutls_atomic_uint_t x)
- {
--      gnutls_mutex_lock(x->lock);
-+      gnutls_mutex_lock(&x->lock);
-       x->value--;
--      gnutls_mutex_unlock(x->lock);
-+      gnutls_mutex_unlock(&x->lock);
- }
- 
- inline static void gnutls_atomic_init(gnutls_atomic_uint_t x)
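
Review bot: deleting this patch is only safe if lib/atomic.h in 3.6.2 already passes `&x->lock` to gnutls_mutex_lock() and gnutls_mutex_unlock(), as in the upstream commit cited in the patch header; the commit message does not confirm that. Add a line to the log, since these calls are the locking around every read, increment and decrement of the counter.
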
diff -r 7503ade95b3d -r 67470a62e78a security/gnutls/patches/patch-tests_suite_Makefile.in
--- a/security/gnutls/patches/patch-tests_suite_Makefile.in     Fri Jul 06 15:39:24 2018 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,16 +0,0 @@
-$NetBSD: patch-tests_suite_Makefile.in,v 1.1 2017/09/06 13:41:26 wiz Exp $
-
-Use autoconf variable for libdl.
-https://gitlab.com/gnutls/gnutls/issues/270
-
---- tests/suite/Makefile.in.orig       2017-09-06 12:15:07.888159011 +0000
-+++ tests/suite/Makefile.in
-@@ -1710,7 +1710,7 @@ TESTS_ENVIRONMENT = EXEEXT=$(EXEEXT) LC_
-       $(am__append_2) $(am__append_3)
- @MACOSX_FALSE@@WINDOWS_FALSE@noinst_LTLIBRARIES = libecore.la
- @MACOSX_FALSE@@WINDOWS_FALSE@mini_record_timing_LDADD = -lrt $(LDADD)
--@MACOSX_FALSE@@WINDOWS_FALSE@eagain_cli_LDADD = libecore.la -lrt -lm -ldl -lpthread $(LDADD)
-+@MACOSX_FALSE@@WINDOWS_FALSE@eagain_cli_LDADD = libecore.la -lrt -lm $(LIBDL) -lpthread $(LDADD)
- @MACOSX_FALSE@@WINDOWS_FALSE@nodist_eagain_cli_SOURCES = mini-eagain2.c
- prime_check_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS)
- TEST_EXTENSIONS = .sh


