pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/security/gnutls Updated gnutls to 3.5.4.



details:   https://anonhg.NetBSD.org/pkgsrc/rev/f1d7f80a5b00
branches:  trunk
changeset: 352860:f1d7f80a5b00
user:      wiz <wiz%pkgsrc.org@localhost>
date:      Mon Sep 19 12:33:10 2016 +0000

description:
Updated gnutls to 3.5.4.

* Version 3.5.4 (released 2016-09-08)

** libgnutls: Corrected the comparison of the serial size in OCSP response.
   Previously the OCSP certificate check wouldn't verify the serial length
   and could succeed in cases it shouldn't (GNUTLS-SA-2016-3).
   Reported by Stefan Buehler.

** libgnutls: Added support for IP name constraints. Patch by Martin Ukrop.

** libgnutls: Added support of PKCS#8 file decryption using DES-CBC-MD5. This
   is added to allow decryption of PKCS #8 private keys from openssl prior to 1.1.0.

** libgnutls: Added support for decrypting PKCS#8 files which use HMAC-SHA256
   as PRF. This allow decrypting PKCS #8 private keys generated with openssl 1.1.0.

** libgnutls: Added support for internationalized passwords in PKCS#12 files.
   Previous versions would only encrypt or decrypt using passwords from the ASCII
   set.

** libgnutls: Addressed issue with PKCS#11 signature generation on ECDSA
   keys. The signature is now written as unsigned integers into the DSASignatureValue
   structure. Previously signed integers could be written depending on what
   the underlying module would produce. Addresses #122.

** gnutls-cli: Fixed starttls regression from 3.5.3.

** API and ABI modifications:
GNUTLS_E_MALFORMED_CIDR: Added
gnutls_x509_cidr_to_rfc5280: Added
gnutls_oid_to_mac: Added


* Version 3.5.3 (released 2016-08-09)

** libgnutls: Added support for TCP fast open (RFC7413), allowing
   to reduce by one round-trip the handshake process. Based on proposal and
   patch by Tim Ruehsen.

** libgnutls: Adopted a simpler with less memory requirements DTLS sliding
   window implementation. Based on Fridolin Pokorny's implementation for
   AF_KTLS.

** libgnutls: Use getrandom where available via the syscall interface.
   This works around an issue of not-using getrandom even if it exists
   since glibc doesn't declare such function.

** libgnutls: Fixed DNS name constraints checking in the case of empty
   intersection of domain names in the chain. Report and fix by Martin Ukrop.

** libgnutls: Fixed name constraints checking in the case of chains
   where the higher level certificates contained different types of
   constraints than the ones present in the lower intermediate CAs.
   Report and fix by Martin Ukrop.

** libgnutls: Dropped support for the EGD random generator.

** libgnutls: Allow the decoding of raw elements (starting with #)
   in RFC4514 DN string decoding.

** libgnutls: Fixes in gnutls_x509_crt_list_import2, which was
   ignoring flags if all certificates in the list fit within the
   initially allocated memory. Patch by Tim Kosse.

** libgnutls: Corrected issue which made gnutls_certificate_get_x509_crt()
   to return invalid pointers when returned more than a single certificate.
   Report and fix by Stefan S?rensen.

** libgnutls: Fix gnutls_pkcs12_simple_parse to always extract the complete chain,
   even when the extra_certs was non-null. Report and fix by Stefan S?rensen.

** certtool: Added the "add_extension" and "add_critical_extension"
   template options. This allows specifying arbitrary extensions into
   certificates and certificate requests.

** gnutls-cli: Added the --fastopen option.

** API and ABI modifications:
GNUTLS_E_UNAVAILABLE_DURING_HANDSHAKE: Added
gnutls_x509_crq_set_extension_by_oid: Added
gnutls_x509_dn_set_str: Added
gnutls_transport_set_fastopen: Added


* Version 3.5.2 (released 2016-07-06)

** libgnutls: Address issue when utilizing the p11-kit trust store
   for certificate verification (GNUTLS-SA-2016-2).

** libgnutls: Fixed DTLS handshake packet reconstruction. Reported by
   Guillaume Roguez.

** libgnutls: Fixed issues with PKCS#11 reading of sensitive objects
   from SafeNet Network HSM. Reported by Anthony Alba in #108.

** libgnutls: Corrected the writing of PKCS#11 CKA_SERIAL_NUMBER. Report
   and fix by Stanislav ?idek.

** libgnutls: Added AES-GCM optimizations using the AVX and MOVBE
   instructions. Uses Andy Polyakov's assembly code.

** API and ABI modifications:
No changes since last version.


* Version 3.5.1 (released 2016-06-14)

** libgnutls: The SSL 3.0 protocol support can completely be removed
   using a compile time option. The configure option is --disable-ssl3-support.

** libgnutls: The SSL 2.0 client hello support can completely be removed
   using a compile time option. The configure option is --disable-ssl2-support.

** libgnutls: Added support for OCSP Must staple PKIX extension. That is,
   implemented the RFC7633 TLSFeature for OCSP status request extension.
   Feature implemented by Tim Kosse.

** libgnutls: More strict OCSP staple verification. That is, no longer
   ignore invalid or too old OCSP staples. The previous behavior was
   to rely on application use gnutls_ocsp_status_request_is_checked(),
   while the new behavior is to include OCSP verification by default
   and set the GNUTLS_CERT_INVALID_OCSP_STATUS verification flag on error.

** libgnutls: Treat CA certificates with the "Server Gated Cryptography" key
   purpose OIDs equivalent to having the GNUTLS_KP_TLS_WWW_SERVER OID. This
   improves interoperability with several old intermediate CA certificates
   carrying these legacy OIDs.

** libgnutls: Re-read the system wide priority file when needed. Patch by
   Daniel P. Berrange.

** libgnutls: Allow for fallback in system-specific initial keywords
   (prefixed with '@'). That allows to specify a keyword such as
   "@KEYWORD1,KEYWORD2" which will use the first available of these
   two keywords. Patch by Daniel P. Berrange.

** libgnutls: The SSLKEYLOGFILE environment variable can be used to log
   session keys. These session keys are compatible with the NSS Key Log
   Format and can be used to decrypt the session for debugging using
   wireshark.

** API and ABI modifications:
GNUTLS_CERT_INVALID_OCSP_STATUS: Added
gnutls_x509_crt_set_crq_extension_by_oid: Added
gnutls_x509_ext_import_tlsfeatures: Added
gnutls_x509_ext_export_tlsfeatures: Added
gnutls_x509_tlsfeatures_add: Added
gnutls_x509_tlsfeatures_init: Added
gnutls_x509_tlsfeatures_deinit: Added
gnutls_x509_tlsfeatures_get: Added
gnutls_x509_crt_get_tlsfeatures: Added
gnutls_x509_crt_set_tlsfeatures: Added
gnutls_x509_crq_get_tlsfeatures: Added
gnutls_x509_crq_set_tlsfeatures: Added
gnutls_ext_get_name: Added


* Version 3.5.0 (released 2016-05-09)

** libgnutls: Added SHA3 based signing algorithms for DSA, RSA and ECDSA,
   based on http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html

** libgnutls: Added support for curve X25519 (RFC 7748, draft-ietf-tls-rfc4492bis-07).
   This curve is disabled by default as it is still on specification status. It
   can be enabled using the priority string modifier +CURVE-X25519.

** libgnutls: Added support for TLS false start (draft-ietf-tls-falsestart-01)
   by introducing gnutls_init() flag GNUTLS_ENABLE_FALSE_START (#73).

** libgnutls: Added new APIs to access the FIPS186-4 (Shawe-Taylor based) provable
   RSA and DSA parameter generation from a seed.

** libgnutls: The CHACHA20-POLY1305 ciphersuite is enabled by default. This
   cipher is prioritized after AES-GCM.

** libgnutls: On a rehandshake ensure that the certificate of the peer or
   its username remains the same as in previous handshakes. That is to protect
   applications which do not check user credentials on rehandshakes. The
   threat to address depends on the application protocol. Primarily it
   protects against applications which authenticate the peer initially and
   perform accounting using the session's information, from being misled
   by a rehandshake which switches the peer's identity. Applications can
   disable this protection by using the %GNUTLS_ALLOW_ID_CHANGE flag in
   gnutls_init().

** libgnutls: Be strict in TLS extension decoding. That is, do not tolerate
   parsing errors in the extensions field and treat it as a typical Hello
   message structure. Reported by Hubert Kario (#40).

** libgnutls: Old and unsupported version numbers in client hellos are
   rejected with a "protocol_version" alert message. Reported by Hubert
   Kario (#42).

** libgnutls: Lifted the limitation of calling the gnutls_session_get_data*()
   functions, only on non-resumed sessions. This brings the API in par with
   its usage (#79).

** libgnutls: Follow RFC5280 strictly in name constraints computation. The
   permitted subtrees is intersected with any previous values. Report and
   patch by Daiki Ueno.

** libgnutls: Enforce the RFC 7627 (extended master secret) requirements on
   session resumption. Reported by Hubert Kario (#69).

** libgnutls: Consider the max-record TLS extension even when under DTLS.
   Reported by Peter Dettman (#61).

** libgnutls: Replaced writev() system call with sendmsg().

** libgnutls: Replaced select() system call with poll() on POSIX systems.

** libgnutls: Preload the system priority file on library load. This allows
   applications that chroot() to also use the system priorities.

** libgnutls: Applications are allowed to override the built-in key and
   certificate URLs.

** libgnutls: The gnutls.h header marks constant and pure functions explictly.

** certtool: Added the ability to sign certificates using SHA3.

** certtool: Added the --provable and --verify-allow-broken options.

** gnutls-cli: The --dane option will cause verification failure if gnutls is not
   compiled with DANE support.

** crywrap: The tool was unbundled from gnutls' distribution. It can be found at
   https://github.com/nmav/crywrap

** guile: .go files are now built and installed

** guile: Fix compatibility issue of the test suite with Guile 2.1

** guile: When --with-guile-site-dir is passed, modules are installed in a
   versioned directory, typically $(datadir)/guile/site/2.0

** guile: Tests no longer leave zombie processes behind

** API and ABI modifications:
GNUTLS_FORCE_CLIENT_CERT: Added
GNUTLS_ENABLE_FALSE_START: Added
GNUTLS_INDEFINITE_TIMEOUT: Added
GNUTLS_ALPN_SERVER_PRECEDENCE: Added
GNUTLS_E_ASN1_EMBEDDED_NULL_IN_STRING: Added
GNUTLS_E_HANDSHAKE_DURING_FALSE_START: Added
gnutls_check_version_numeric: Added
gnutls_x509_crt_equals: Added
gnutls_x509_crt_equals2: Added
gnutls_x509_crt_set_subject_alt_othername: Added
gnutls_x509_crt_set_issuer_alt_othername: Added
gnutls_x509_crt_get_signature_oid: Added
gnutls_x509_crt_get_pk_oid: Added
gnutls_x509_crq_set_subject_alt_othername: Added
gnutls_x509_crq_get_pk_oid: Added
gnutls_x509_crq_get_signature_oid: Added
gnutls_x509_crl_get_signature_oid: Added
gnutls_x509_privkey_generate2: Added
gnutls_x509_privkey_get_seed: Added
gnutls_x509_privkey_verify_seed: Added
gnutls_privkey_generate2: Added
gnutls_privkey_get_seed: Added
gnutls_privkey_verify_seed: Added
gnutls_decode_ber_digest_info: Added
gnutls_encode_ber_digest_info: Added
gnutls_dh_params_import_dsa: Added
gnutls_session_get_master_secret: Added


* Version 3.4.3 (released 2015-07-12)

** libgnutls: Follow closely RFC5280 recommendations and use UTCTime for
   dates prior to 2050.

** libgnutls: Force 16-byte alignment to all input to ciphers (previously it
   was done only when cryptodev was enabled).

** libgnutls: Removed support for pthread_atfork() as it has undefined
   semantics when used with dlopen(), and may lead to a crash.

** libgnutls: corrected failure when importing plain files
   with gnutls_x509_privkey_import2(), and a password was provided.

** libgnutls: Don't reject certificates if a CA has the URI or IP address
   name constraints, and the end certificate doesn't have an IP address
   name or a URI set.

** libgnutls: set and read the hint in DHE-PSK and ECDHE-PSK ciphersuites.

** p11tool: Added --list-token-urls option, and print the token module name
   in list-tokens.

** API and ABI modifications:
gnutls_ecc_curve_get_oid: Added
gnutls_digest_get_oid: Added
gnutls_pk_get_oid: Added
gnutls_sign_get_oid: Added
gnutls_ecc_curve_get_id: Added
gnutls_oid_to_digest: Added
gnutls_oid_to_pk: Added
gnutls_oid_to_sign: Added
gnutls_oid_to_ecc_curve: Added
gnutls_pkcs7_get_signature_count: Added


* Version 3.4.2 (released 2015-06-16)

** libgnutls: DTLS blocking API is more robust against infinite blocking,
and will notify of more possible timeouts.

** libgnutls: corrected regression with Camellia-256-GCM cipher. Reported
by Manuel Pegourie-Gonnard.

** libgnutls: Introduced the GNUTLS_NO_SIGNAL flag to gnutls_init(). That
allows to disable SIGPIPE for writes done within gnutls.

** libgnutls: Enhanced the PKCS #7 API to allow signing and verification
of structures. API moved to gnutls/pkcs7.h header.

** certtool: Added options to generate PKCS #7 bundles and signed
structures.

** API and ABI modifications:
gnutls_x509_dn_get_str: Added
gnutls_pkcs11_get_raw_issuer_by_subject_key_id: Added
gnutls_x509_trust_list_get_issuer_by_subject_key_id: Added
gnutls_x509_crt_verify_data2: Added
gnutls_pkcs7_get_crt_raw2: Added
gnutls_pkcs7_signature_info_deinit: Added
gnutls_pkcs7_get_signature_info: Added
gnutls_pkcs7_verify_direct: Added
gnutls_pkcs7_verify: Added
gnutls_pkcs7_get_crl_raw2: Added
gnutls_pkcs7_sign: Added
gnutls_pkcs7_attrs_deinit: Added
gnutls_pkcs7_add_attr: Added
gnutls_pkcs7_get_attr: Added
gnutls_pkcs7_print: Added


* Version 3.4.1 (released 2015-05-03)

** libgnutls: gnutls_certificate_get_ours: will return the certificate even
if a callback was used to send it.

** libgnutls: Check for invalid length in the X.509 version field. Without
the check certificates with invalid length would be detected as having an
arbitrary version. Reported by Hanno B?ck.

** libgnutls: Handle DNS name constraints with a leading dot. Patch by
Fotis Loukos.

** libgnutls: Updated system-keys support for windows to compile in more
versions of mingw. Patch by Tim Kosse.

** libgnutls: Fix for MD5 downgrade in TLS 1.2 signatures. Reported by
Karthikeyan Bhargavan [GNUTLS-SA-2015-2].

** libgnutls: Reverted: The gnutls_handshake() process will enforce a timeout
by default. That caused issues with non-blocking programs.

** certtool: It can generate SHA256 key IDs.

** gnutls-cli: fixed crash in --benchmark-ciphers. Reported by James Cloos.

** configure: re-enabled the --enable-local-libopts flag

** API and ABI modifications:
gnutls_x509_crt_get_pk_ecc_raw: Added


* Version 3.4.0 (released 2015-04-08)

** libgnutls: Added support for AES-CCM and AES-CCM-8 (RFC6655 and RFC7251)
ciphersuites. The former are enabled by default, the latter need to be
explicitly enabled, since they reduce the overall security level.

** libgnutls: Added support for Chacha20-Poly1305 ciphersuites following
draft-mavrogiannopoulos-chacha-tls-05 and draft-irtf-cfrg-chacha20-poly1305-10.
That is currently provided as technology preview and is not enabled by
default, since there are no assigned ciphersuite points by IETF and there
is no guarrantee of compatibility between draft versions. The ciphersuite
priority string to enable it is "+CHACHA20-POLY1305".

** libgnutls: Added support for encrypt-then-authenticate in CBC
ciphersuites (RFC7366 -taking into account its errata text). This is
enabled by default and can be disabled using the %NO_ETM priority
string.

** libgnutls: Added support for the extended master secret
(triple-handshake fix) following draft-ietf-tls-session-hash-02.

** libgnutls: Added a new simple and hard to misuse AEAD API (crypto.h).

** libgnutls: SSL 3.0 is no longer included in the default priorities
list. It has to be explicitly enabled, e.g., with a string like
"NORMAL:+VERS-SSL3.0".

** libgnutls: ARCFOUR (RC4) is no longer included in the default priorities
list. It has to be explicitly enabled, e.g., with a string like
"NORMAL:+ARCFOUR-128".

** libgnutls: DSA signatures and DHE-DSS are no longer included in the
default priorities list. They have to be explicitly enabled, e.g., with
a string like "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1". The
DSA ciphersuites were dropped because they had no deployment at all
on the internet, to justify their inclusion.

** libgnutls: The priority string EXPORT was completely removed. The string
was already defunc as support for the EXPORT ciphersuites was removed in
GnuTLS 3.2.0.

** libgnutls: Added API to utilize system specific private keys in
"gnutls/system-keys.h". It is currently provided as technology preview
and is restricted to windows CNG keys.

** libgnutls: gnutls_x509_crt_check_hostname() and friends will use
RFC6125 comparison of hostnames. That introduces a dependency on libidn.

** libgnutls: Depend on p11-kit 0.23.1 to comply with the final
PKCS #11 URLs draft (draft-pechanec-pkcs11uri-21).

** libgnutls: Depend on nettle 3.1.

** libgnutls: Use getrandom() or getentropy() when available. That
avoids the complexity of file descriptor handling and issues with
applications closing all open file descriptors on startup.

** libgnutls: Use pthread_atfork() to detect fork when available.

** libgnutls: If a key purpose (extended key usage) is specified for verification,
it is applied into intermediate certificates. The verification result
GNUTLS_CERT_PURPOSE_MISMATCH is also introduced.

** libgnutls: When gnutls_certificate_set_x509_key_file2() is used in
combination with PKCS #11, or TPM URLs, it will utilize the provided
password as PIN if required. That removes the requirement for the
application to set a callback for PINs in that case.

** libgnutls: priority strings VERS-TLS-ALL and VERS-DTLS-ALL are
restricted to the corresponding protocols only, and the VERS-ALL
string is introduced to catch all possible protocols.

** libgnutls: Added helper functions to obtain information on PKCS #8
structures.

** libgnutls: Certificate chains which are provided to gnutls_certificate_credentials_t
will automatically be sorted instead of failing with GNUTLS_E_CERTIFICATE_LIST_UNSORTED.

** libgnutls: Added functions to export and set the record state. That
allows for gnutls_record_send() and recv() to be offloaded (to kernel,
hardware or any other subsystem).

** libgnutls: Added the ability to register application specific URL
types, which express certificates and keys using gnutls_register_custom_url().

** libgnutls: Added API to override existing ciphers, digests and MACs, e.g.,
to override AES-GCM using a system-specific accelerator. That is, (crypto.h)
gnutls_crypto_register_cipher(), gnutls_crypto_register_aead_cipher(),
gnutls_crypto_register_mac(), and gnutls_crypto_register_digest().

** libgnutls: Added gnutls_ext_register() to register custom extensions.
Contributed by Thierry Quemerais.

** libgnutls: Added gnutls_supplemental_register() to register custom
supplemental data handshake messages. Contributed by Thierry Quemerais.

** libgnutls-openssl: it is no longer built by default.


** certtool: Added --p8-info option, which will print PKCS #8 information
even if the password is not available.

** certtool: --key-info option will print PKCS #8 encryption information
when available.

** certtool: Added the --key-id and --fingerprint options.

** certtool: Added the --verify-hostname, --verify-email and --verify-purpose
options to be used in certificate chain verification, to simulate verification
for specific hostname and key purpose (extended key usage).

** certtool: --p12-info option will print PKCS #12 MAC and cipher information
when available.

** certtool: it will print the A-label (ACE) names in addition to UTF-8.

** p11tool: added options --set-id and --set-label.

** gnutls-cli: added options --priority-list and --save-cert.

** guile: Deprecated priority API has been removed. The old priority API,
which had been deprecated for some time, is now gone; use 'set-session-priorities!'
instead.

** guile: Remove RSA parameters and related procedures. This API had been
deprecated.

** guile: Fix compilation on MinGW. Previously only the static version of the
'guile-gnutls-v-2' library would be built, preventing dynamic loading from Guile.

** API and ABI modifications:
gnutls_record_get_state: Added
gnutls_record_set_state: Added
gnutls_aead_cipher_init: Added
gnutls_aead_cipher_decrypt: Added
gnutls_aead_cipher_encrypt: Added
gnutls_aead_cipher_deinit: Added
gnutls_pkcs12_generate_mac2: Added
gnutls_pkcs12_mac_info: Added
gnutls_pkcs12_bag_enc_info: Added
gnutls_pkcs8_info: Added
gnutls_pkcs_schema_get_name: Added
gnutls_pkcs_schema_get_oid: Added
gnutls_pcert_export_x509: Added
gnutls_pcert_export_openpgp: Added
gnutls_pcert_import_x509_list: Added
gnutls_pkcs11_privkey_cpy: Added
gnutls_x509_crq_get_signature_algorithm: Added
gnutls_x509_trust_list_iter_get_ca: Added
gnutls_x509_trust_list_iter_deinit: Added
gnutls_x509_trust_list_get_issuer_by_dn: Added
gnutls_pkcs11_get_raw_issuer_by_dn: Added
gnutls_certificate_get_trust_list: Added
gnutls_privkey_export_x509: Added
gnutls_privkey_export_pkcs11: Added
gnutls_privkey_export_openpgp: Added
gnutls_privkey_import_ext3: Added
gnutls_certificate_get_x509_key: Added
gnutls_certificate_get_x509_crt: Added
gnutls_certificate_get_openpgp_key: Added
gnutls_certificate_get_openpgp_crt: Added
gnutls_record_discard_queued: Added
gnutls_session_ext_master_secret_status: Added
gnutls_priority_string_list: Added
gnutls_dh_params_import_raw2: Added
gnutls_memset: Added
gnutls_memcmp: Added
gnutls_pkcs12_bag_set_privkey: Added
gnutls_ocsp_resp_get_responder_raw_id: Added
gnutls_system_key_iter_deinit: Added
gnutls_system_key_iter_get_info: Added
gnutls_system_key_delete: Added
gnutls_system_key_add_x509: Added
gnutls_system_recv_timeout: Added
gnutls_register_custom_url: Added
gnutls_pkcs11_obj_list_import_url3: Added
gnutls_pkcs11_obj_list_import_url4: Added
gnutls_pkcs11_obj_set_info: Added
gnutls_crypto_register_cipher: Added
gnutls_crypto_register_aead_cipher: Added
gnutls_crypto_register_mac: Added
gnutls_crypto_register_digest: Added
gnutls_ext_register: Added
gnutls_supplemental_register: Added
gnutls_supplemental_recv: Added
gnutls_supplemental_send: Added
gnutls_openpgp_crt_check_email: Added
gnutls_x509_crt_check_email: Added
gnutls_handshake_set_hook_function: Modified
gnutls_pkcs11_privkey_generate3: Added
gnutls_pkcs11_copy_x509_crt2: Added
gnutls_pkcs11_copy_x509_privkey2: Added
gnutls_pkcs11_obj_list_import_url: Removed
gnutls_pkcs11_obj_list_import_url2: Removed
gnutls_certificate_client_set_retrieve_function: Removed
gnutls_certificate_server_set_retrieve_function: Removed
gnutls_certificate_set_rsa_export_params: Removed
gnutls_certificate_type_set_priority: Removed
gnutls_cipher_set_priority: Removed
gnutls_compression_set_priority: Removed
gnutls_kx_set_priority: Removed
gnutls_mac_set_priority: Removed
gnutls_protocol_set_priority: Removed
gnutls_rsa_export_get_modulus_bits: Removed
gnutls_rsa_export_get_pubkey: Removed
gnutls_rsa_params_cpy: Removed
gnutls_rsa_params_deinit: Removed
gnutls_rsa_params_export_pkcs1: Removed
gnutls_rsa_params_export_raw: Removed
gnutls_rsa_params_generate2: Removed
gnutls_rsa_params_import_pkcs1: Removed
gnutls_rsa_params_import_raw: Removed
gnutls_rsa_params_init: Removed
gnutls_sign_callback_get: Removed
gnutls_sign_callback_set: Removed
gnutls_x509_crt_verify_data: Removed
gnutls_x509_crt_verify_hash: Removed
gnutls_pubkey_get_verify_algorithm: Removed
gnutls_x509_crt_get_verify_algorithm: Removed
gnutls_pubkey_verify_hash: Removed
gnutls_pubkey_verify_data: Removed
gnutls_record_set_max_empty_records: Removed

guile:
set-session-cipher-priority!: Removed
set-session-mac-priority!: Removed
set-session-compression-method-priority!: Removed
set-session-kx-priority!: Removed
set-session-protocol-priority!: Removed
set-session-certificate-type-priority!: Removed
set-session-default-priority!: Removed
set-session-default-export-priority!: Removed
make-rsa-parameters: Removed
rsa-parameters?: Removed
set-certificate-credentials-rsa-export-parameters!: Removed
pkcs1-import-rsa-parameters: Removed
pkcs1-export-rsa-parameters: Removed

diffstat:

 security/gnutls/Makefile                                      |   19 +-
 security/gnutls/PLIST                                         |  216 ++++++++-
 security/gnutls/distinfo                                      |   17 +-
 security/gnutls/patches/patch-gl_stdio.in.h                   |   12 +-
 security/gnutls/patches/patch-src_gl_stdio.in.h               |   12 +-
 security/gnutls/patches/patch-tests_Makefile.in               |   16 -
 security/gnutls/patches/patch-tests_openpgp-certs_Makefile.in |   16 -
 7 files changed, 210 insertions(+), 98 deletions(-)

diffs (truncated from 923 to 300 lines):

diff -r 3312d9a1129c -r f1d7f80a5b00 security/gnutls/Makefile
--- a/security/gnutls/Makefile  Mon Sep 19 12:29:05 2016 +0000
+++ b/security/gnutls/Makefile  Mon Sep 19 12:33:10 2016 +0000
@@ -1,9 +1,8 @@
-# $NetBSD: Makefile,v 1.162 2016/09/15 15:44:27 gdt Exp $
+# $NetBSD: Makefile,v 1.163 2016/09/19 12:33:10 wiz Exp $
 
-DISTNAME=      gnutls-3.3.18
-PKGREVISION=   2
+DISTNAME=      gnutls-3.5.4
 CATEGORIES=    security devel
-MASTER_SITES=  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/
+MASTER_SITES=  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/
 EXTRACT_SUFX=  .tar.xz
 
 MAINTAINER=    pkgsrc-users%NetBSD.org@localhost
@@ -24,9 +23,20 @@
 CONFIGURE_ARGS+=       --without-tpm
 CONFIGURE_ARGS+=       AUTOGEN=/bin/true
 
+# as of 3.5.4, 1 test failure
+# FAIL: mini-server-name
+# server:262: server: did not received expected name
 TEST_TARGET=           check
+# without the USE_TOOLS line below, two more shell script based tests fail
+# but when this line is added, the tool path for bash is embedded
+# in to the binaries, so only enable this for testing and
+# disable before commit
+#USE_TOOLS+=           bash
 INFO_FILES=            yes
 
+REPLACE_BASH+= tests/fastopen.sh
+REPLACE_BASH+= tests/starttls.sh
+
 REPLACE_PERL+= doc/scripts/gdoc doc/scripts/sort2.pl
 
 PKGCONFIG_OVERRIDE=    lib/gnutls.pc.in
@@ -57,6 +67,7 @@
 .include "../../devel/gmp/buildlink3.mk"
 BUILDLINK_API_DEPENDS.libtasn1+=       libtasn1>=0.3.4
 .include "../../security/libtasn1/buildlink3.mk"
+BUILDLINK_API_DEPENDS.nettle+=         nettle>=3.1
 .include "../../security/nettle/buildlink3.mk"
 # guile is useful for selftests, but bindings should be separate pkgs
 #.include "../../lang/guile20/buildlink3.mk"
diff -r 3312d9a1129c -r f1d7f80a5b00 security/gnutls/PLIST
--- a/security/gnutls/PLIST     Mon Sep 19 12:29:05 2016 +0000
+++ b/security/gnutls/PLIST     Mon Sep 19 12:33:10 2016 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.52 2015/06/01 21:50:22 spz Exp $
+@comment $NetBSD: PLIST,v 1.53 2016/09/19 12:33:10 wiz Exp $
 bin/certtool
 bin/gnutls-cli
 bin/gnutls-cli-debug
@@ -16,8 +16,12 @@
 include/gnutls/openpgp.h
 include/gnutls/pkcs11.h
 include/gnutls/pkcs12.h
+include/gnutls/pkcs7.h
 include/gnutls/self-test.h
+include/gnutls/socket.h
+include/gnutls/system-keys.h
 include/gnutls/tpm.h
+include/gnutls/urls.h
 include/gnutls/x509-ext.h
 include/gnutls/x509.h
 info/gnutls-client-server-use-case.png
@@ -44,6 +48,28 @@
 man/man1/psktool.1
 man/man1/srptool.1
 man/man1/tpmtool.1
+man/man3/dane_cert_type_name.3
+man/man3/dane_cert_usage_name.3
+man/man3/dane_match_type_name.3
+man/man3/dane_query_data.3
+man/man3/dane_query_deinit.3
+man/man3/dane_query_entries.3
+man/man3/dane_query_status.3
+man/man3/dane_query_tlsa.3
+man/man3/dane_query_to_raw_tlsa.3
+man/man3/dane_raw_tlsa.3
+man/man3/dane_state_deinit.3
+man/man3/dane_state_init.3
+man/man3/dane_state_set_dlv_file.3
+man/man3/dane_strerror.3
+man/man3/dane_verification_status_print.3
+man/man3/dane_verify_crt.3
+man/man3/dane_verify_crt_raw.3
+man/man3/dane_verify_session_crt.3
+man/man3/gnutls_aead_cipher_decrypt.3
+man/man3/gnutls_aead_cipher_deinit.3
+man/man3/gnutls_aead_cipher_encrypt.3
+man/man3/gnutls_aead_cipher_init.3
 man/man3/gnutls_alert_get.3
 man/man3/gnutls_alert_get_name.3
 man/man3/gnutls_alert_get_strname.3
@@ -61,11 +87,11 @@
 man/man3/gnutls_auth_client_get_type.3
 man/man3/gnutls_auth_get_type.3
 man/man3/gnutls_auth_server_get_type.3
+man/man3/gnutls_buffer_append_data.3
 man/man3/gnutls_bye.3
 man/man3/gnutls_certificate_activation_time_peers.3
 man/man3/gnutls_certificate_allocate_credentials.3
 man/man3/gnutls_certificate_client_get_request_status.3
-man/man3/gnutls_certificate_client_set_retrieve_function.3
 man/man3/gnutls_certificate_expiration_time_peers.3
 man/man3/gnutls_certificate_free_ca_names.3
 man/man3/gnutls_certificate_free_cas.3
@@ -74,13 +100,19 @@
 man/man3/gnutls_certificate_free_keys.3
 man/man3/gnutls_certificate_get_crt_raw.3
 man/man3/gnutls_certificate_get_issuer.3
+man/man3/gnutls_certificate_get_openpgp_crt.3
+man/man3/gnutls_certificate_get_openpgp_key.3
 man/man3/gnutls_certificate_get_ours.3
 man/man3/gnutls_certificate_get_peers.3
 man/man3/gnutls_certificate_get_peers_subkey_id.3
+man/man3/gnutls_certificate_get_trust_list.3
+man/man3/gnutls_certificate_get_verify_flags.3
+man/man3/gnutls_certificate_get_x509_crt.3
+man/man3/gnutls_certificate_get_x509_key.3
 man/man3/gnutls_certificate_send_x509_rdn_sequence.3
 man/man3/gnutls_certificate_server_set_request.3
-man/man3/gnutls_certificate_server_set_retrieve_function.3
 man/man3/gnutls_certificate_set_dh_params.3
+man/man3/gnutls_certificate_set_flags.3
 man/man3/gnutls_certificate_set_key.3
 man/man3/gnutls_certificate_set_ocsp_status_request_file.3
 man/man3/gnutls_certificate_set_ocsp_status_request_function.3
@@ -95,7 +127,6 @@
 man/man3/gnutls_certificate_set_pin_function.3
 man/man3/gnutls_certificate_set_retrieve_function.3
 man/man3/gnutls_certificate_set_retrieve_function2.3
-man/man3/gnutls_certificate_set_rsa_export_params.3
 man/man3/gnutls_certificate_set_trust_list.3
 man/man3/gnutls_certificate_set_verify_flags.3
 man/man3/gnutls_certificate_set_verify_function.3
@@ -119,7 +150,6 @@
 man/man3/gnutls_certificate_type_get_id.3
 man/man3/gnutls_certificate_type_get_name.3
 man/man3/gnutls_certificate_type_list.3
-man/man3/gnutls_certificate_type_set_priority.3
 man/man3/gnutls_certificate_verification_status_print.3
 man/man3/gnutls_certificate_verify_peers.3
 man/man3/gnutls_certificate_verify_peers2.3
@@ -142,7 +172,6 @@
 man/man3/gnutls_cipher_list.3
 man/man3/gnutls_cipher_self_test.3
 man/man3/gnutls_cipher_set_iv.3
-man/man3/gnutls_cipher_set_priority.3
 man/man3/gnutls_cipher_suite_get_name.3
 man/man3/gnutls_cipher_suite_info.3
 man/man3/gnutls_cipher_tag.3
@@ -150,10 +179,13 @@
 man/man3/gnutls_compression_get_id.3
 man/man3/gnutls_compression_get_name.3
 man/man3/gnutls_compression_list.3
-man/man3/gnutls_compression_set_priority.3
 man/man3/gnutls_credentials_clear.3
 man/man3/gnutls_credentials_get.3
 man/man3/gnutls_credentials_set.3
+man/man3/gnutls_crypto_register_aead_cipher.3
+man/man3/gnutls_crypto_register_cipher.3
+man/man3/gnutls_crypto_register_digest.3
+man/man3/gnutls_crypto_register_mac.3
 man/man3/gnutls_db_check_entry.3
 man/man3/gnutls_db_check_entry_time.3
 man/man3/gnutls_db_get_default_cache_expiration.3
@@ -164,6 +196,7 @@
 man/man3/gnutls_db_set_remove_function.3
 man/man3/gnutls_db_set_retrieve_function.3
 man/man3/gnutls_db_set_store_function.3
+man/man3/gnutls_decode_ber_digest_info.3
 man/man3/gnutls_deinit.3
 man/man3/gnutls_dh_get_group.3
 man/man3/gnutls_dh_get_peers_public_bits.3
@@ -176,12 +209,15 @@
 man/man3/gnutls_dh_params_export_pkcs3.3
 man/man3/gnutls_dh_params_export_raw.3
 man/man3/gnutls_dh_params_generate2.3
+man/man3/gnutls_dh_params_import_dsa.3
 man/man3/gnutls_dh_params_import_pkcs3.3
 man/man3/gnutls_dh_params_import_raw.3
+man/man3/gnutls_dh_params_import_raw2.3
 man/man3/gnutls_dh_params_init.3
 man/man3/gnutls_dh_set_prime_bits.3
 man/man3/gnutls_digest_get_id.3
 man/man3/gnutls_digest_get_name.3
+man/man3/gnutls_digest_get_oid.3
 man/man3/gnutls_digest_list.3
 man/man3/gnutls_digest_self_test.3
 man/man3/gnutls_dtls_cookie_send.3
@@ -194,12 +230,20 @@
 man/man3/gnutls_dtls_set_mtu.3
 man/man3/gnutls_dtls_set_timeouts.3
 man/man3/gnutls_ecc_curve_get.3
+man/man3/gnutls_ecc_curve_get_id.3
 man/man3/gnutls_ecc_curve_get_name.3
+man/man3/gnutls_ecc_curve_get_oid.3
+man/man3/gnutls_ecc_curve_get_pk.3
 man/man3/gnutls_ecc_curve_get_size.3
 man/man3/gnutls_ecc_curve_list.3
+man/man3/gnutls_encode_ber_digest_info.3
 man/man3/gnutls_error_is_fatal.3
 man/man3/gnutls_error_to_alert.3
 man/man3/gnutls_est_record_overhead_size.3
+man/man3/gnutls_ext_get_data.3
+man/man3/gnutls_ext_get_name.3
+man/man3/gnutls_ext_register.3
+man/man3/gnutls_ext_set_data.3
 man/man3/gnutls_fingerprint.3
 man/man3/gnutls_fips140_mode_enabled.3
 man/man3/gnutls_global_deinit.3
@@ -234,7 +278,9 @@
 man/man3/gnutls_heartbeat_set_timeouts.3
 man/man3/gnutls_hex2bin.3
 man/man3/gnutls_hex_decode.3
+man/man3/gnutls_hex_decode2.3
 man/man3/gnutls_hex_encode.3
+man/man3/gnutls_hex_encode2.3
 man/man3/gnutls_hmac.3
 man/man3/gnutls_hmac_deinit.3
 man/man3/gnutls_hmac_fast.3
@@ -248,7 +294,6 @@
 man/man3/gnutls_kx_get_id.3
 man/man3/gnutls_kx_get_name.3
 man/man3/gnutls_kx_list.3
-man/man3/gnutls_kx_set_priority.3
 man/man3/gnutls_load_file.3
 man/man3/gnutls_mac_get.3
 man/man3/gnutls_mac_get_id.3
@@ -257,7 +302,8 @@
 man/man3/gnutls_mac_get_nonce_size.3
 man/man3/gnutls_mac_list.3
 man/man3/gnutls_mac_self_test.3
-man/man3/gnutls_mac_set_priority.3
+man/man3/gnutls_memcmp.3
+man/man3/gnutls_memset.3
 man/man3/gnutls_ocsp_req_add_cert.3
 man/man3/gnutls_ocsp_req_add_cert_id.3
 man/man3/gnutls_ocsp_req_deinit.3
@@ -280,6 +326,7 @@
 man/man3/gnutls_ocsp_resp_get_nonce.3
 man/man3/gnutls_ocsp_resp_get_produced.3
 man/man3/gnutls_ocsp_resp_get_responder.3
+man/man3/gnutls_ocsp_resp_get_responder_raw_id.3
 man/man3/gnutls_ocsp_resp_get_response.3
 man/man3/gnutls_ocsp_resp_get_signature.3
 man/man3/gnutls_ocsp_resp_get_signature_algorithm.3
@@ -294,6 +341,12 @@
 man/man3/gnutls_ocsp_status_request_enable_client.3
 man/man3/gnutls_ocsp_status_request_get.3
 man/man3/gnutls_ocsp_status_request_is_checked.3
+man/man3/gnutls_oid_to_digest.3
+man/man3/gnutls_oid_to_ecc_curve.3
+man/man3/gnutls_oid_to_mac.3
+man/man3/gnutls_oid_to_pk.3
+man/man3/gnutls_oid_to_sign.3
+man/man3/gnutls_openpgp_crt_check_email.3
 man/man3/gnutls_openpgp_crt_check_hostname.3
 man/man3/gnutls_openpgp_crt_check_hostname2.3
 man/man3/gnutls_openpgp_crt_deinit.3
@@ -365,32 +418,42 @@
 man/man3/gnutls_packet_deinit.3
 man/man3/gnutls_packet_get.3
 man/man3/gnutls_pcert_deinit.3
+man/man3/gnutls_pcert_export_openpgp.3
+man/man3/gnutls_pcert_export_x509.3
 man/man3/gnutls_pcert_import_openpgp.3
 man/man3/gnutls_pcert_import_openpgp_raw.3
 man/man3/gnutls_pcert_import_x509.3
+man/man3/gnutls_pcert_import_x509_list.3
 man/man3/gnutls_pcert_import_x509_raw.3
 man/man3/gnutls_pcert_list_import_x509_raw.3
 man/man3/gnutls_pem_base64_decode.3
-man/man3/gnutls_pem_base64_decode_alloc.3
+man/man3/gnutls_pem_base64_decode2.3
 man/man3/gnutls_pem_base64_encode.3
-man/man3/gnutls_pem_base64_encode_alloc.3
+man/man3/gnutls_pem_base64_encode2.3
 man/man3/gnutls_perror.3
 man/man3/gnutls_pk_algorithm_get_name.3
 man/man3/gnutls_pk_bits_to_sec_param.3
 man/man3/gnutls_pk_get_id.3
 man/man3/gnutls_pk_get_name.3
+man/man3/gnutls_pk_get_oid.3
 man/man3/gnutls_pk_list.3
 man/man3/gnutls_pk_self_test.3
 man/man3/gnutls_pk_to_sign.3
 man/man3/gnutls_pkcs11_add_provider.3
+man/man3/gnutls_pkcs11_copy_attached_extension.3
+man/man3/gnutls_pkcs11_copy_pubkey.3
 man/man3/gnutls_pkcs11_copy_secret_key.3
 man/man3/gnutls_pkcs11_copy_x509_crt.3
+man/man3/gnutls_pkcs11_copy_x509_crt2.3
 man/man3/gnutls_pkcs11_copy_x509_privkey.3
+man/man3/gnutls_pkcs11_copy_x509_privkey2.3
 man/man3/gnutls_pkcs11_crt_is_known.3
 man/man3/gnutls_pkcs11_deinit.3



Home | Main Index | Thread Index | Old Index