The NetBSD Project

CVS log for pkgsrc/security/gnutls/Makefile

[BACK] Up to [cvs.NetBSD.org] / pkgsrc / security / gnutls

Request diff between arbitrary revisions


Default branch: MAIN


Revision 1.238 / (download) - annotate - [select for diffs], Wed Feb 15 07:40:52 2023 UTC (5 weeks ago) by nikita
Branch: MAIN
CVS Tags: HEAD
Changes since 1.237: +2 -1 lines
Diff to previous 1.237 (colored)

gnutls: remove guile bindings, dropped and moved to https://gitlab.com/gnutls/guile/

Revision 1.237 / (download) - annotate - [select for diffs], Tue Feb 14 16:45:21 2023 UTC (5 weeks, 1 day ago) by wiz
Branch: MAIN
Changes since 1.236: +2 -3 lines
Diff to previous 1.236 (colored)

gnutls: update to 3.8.0.

* Version 3.8.0 (unreleased 2023-02-09)

** libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange.
   Reported by Hubert Kario (#1050). Fix developed by Alexander Sosedkin.
   [GNUTLS-SA-2020-07-14, CVSS: medium] [CVE-2023-0361]

** libgnutls: C++ library is now header only. All definitions from
   gnutlsxx.c have been moved into gnutlsxx.h. Users of the C++
   interface have two options:
   1. include gnutlsxx.h in their application and link against
      the C library. (default)
   2. include gnutlsxx.h in their application, compile with
      GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link
      against the C++ library.

** libgnutls: GNUTLS_NO_STATUS_REQUEST flag and %NO_STATUS_REQUEST
   priority modifier have been added to allow disabling of the
   status_request TLS extension in the client side.

** libgnutls: TLS heartbeat is disabled by default.
   The heartbeat extension in TLS (RFC 6520) is not widely used given
   other implementations dropped support for it. To enable back
   support for it, supply --enable-heartbeat-support to configure
   script.

** libgnutls: SRP authentication is now disabled by default.
   It is disabled because the SRP authentication in TLS is not up to
   date with the latest TLS standards and its ciphersuites are based
   on the CBC mode and SHA-1.  To enable it back, supply
   --enable-srp-authentication option to configure script.

** libgnutls: All code has been indented using "indent -ppi1 -linux".
   CI/CD has been adjusted to catch regressions.  This is implemented
   through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.yml„ŗ—‘
   commit-check.  You may run devel/indent-gnutls to fix any
   indentation issues if you make code modifications.

** guile: Guile-bindings removed.
   They have been extracted into a separate project to reduce complexity
   and to simplify maintenance, see <https://gitlab.com/gnutls/guile/>.

** minitasn1: Upgraded to libtasn1 version 4.19.

** API and ABI modifications:
GNUTLS_NO_STATUS_REQUEST: New flag
GNUTLS_SRTP_AEAD_AES_128_GCM: New gnutls_srtp_profile_t enum member
GNUTLS_SRTP_AEAD_AES_256_GCM: New gnutls_srtp_profile_t enum member

* Version 3.7.8 (released 2022-09-27)

** libgnutls: In FIPS140 mode, RSA signature verification is an approved
   operation if the key has modulus with known sizes (1024, 1280,
   1536, and 1792 bits), in addition to any modulus sizes larger than
   2048 bits, according to SP800-131A rev2.

** libgnutls: gnutls_session_channel_binding performs additional checks when
   GNUTLS_CB_TLS_EXPORTER is requested. According to RFC9622 4.2, the
   "tls-exporter" channel binding is only usable when the handshake is
   bound to a unique master secret (i.e., either TLS 1.3 or extended
   master secret extension is negotiated). Otherwise the function now
   returns error.

** libgnutls: usage of the following functions, which are designed to
   loosen restrictions imposed by allowlisting mode of configuration,
   has been additionally restricted. Invoking them is now only allowed
   if system-wide TLS priority string has not been initialized yet:
gnutls_digest_set_secure
gnutls_sign_set_secure
gnutls_sign_set_secure_for_certs
gnutls_protocol_set_enabled

** API and ABI modifications:
No changes since last version.

Revision 1.236 / (download) - annotate - [select for diffs], Wed Oct 26 10:31:07 2022 UTC (4 months, 3 weeks ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2022Q4-base, pkgsrc-2022Q4
Changes since 1.235: +2 -1 lines
Diff to previous 1.235 (colored)

*: bump PKGREVISION for libunistring shlib major bump

Revision 1.235 / (download) - annotate - [select for diffs], Wed Sep 28 13:25:57 2022 UTC (5 months, 3 weeks ago) by adam
Branch: MAIN
Changes since 1.234: +2 -2 lines
Diff to previous 1.234 (colored)

gnutls: updated to 3.7.8

ersion 3.7.8 (released 2022-09-27)

** libgnutls: In FIPS140 mode, RSA signature verification is an approved
   operation if the key has modulus with known sizes (1024, 1280,
   1536, and 1792 bits), in addition to any modulus sizes larger than
   2048 bits, according to SP800-131A rev2.

** libgnutls: gnutls_session_channel_binding performs additional checks when
   GNUTLS_CB_TLS_EXPORTER is requested. According to RFC9622 4.2, the
   "tls-exporter" channel binding is only usable when the handshake is
   bound to a unique master secret (i.e., either TLS 1.3 or extended
   master secret extension is negotiated). Otherwise the function now
   returns error.

** libgnutls: usage of the following functions, which are designed to
   loosen restrictions imposed by allowlisting mode of configuration,
   has been additionally restricted. Invoking them is now only allowed
   if system-wide TLS priority string has not been initialized yet:
gnutls_digest_set_secure
gnutls_sign_set_secure
gnutls_sign_set_secure_for_certs
gnutls_protocol_set_enabled

** API and ABI modifications:
No changes since last version.

Revision 1.234 / (download) - annotate - [select for diffs], Fri Jul 29 08:04:47 2022 UTC (7 months, 3 weeks ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2022Q3-base, pkgsrc-2022Q3
Changes since 1.233: +2 -3 lines
Diff to previous 1.233 (colored)

gnutls: updated to 3.7.7

Version 3.7.7 (released 2022-07-28)

** libgnutls: Fixed double free during verification of pkcs7 signatures.
   [CVE-2022-2509]

** libgnutls: gnutls_hkdf_expand now only accepts LENGTH argument less than or
   equal to 255 times hash digest size, to comply with RFC 5869 2.3.

** libgnutls: Length limit for TLS PSK usernames has been increased
   from 128 to 65535 characters.

** libgnutls: AES-GCM encryption function now limits plaintext
   length to 2^39-256 bits, according to SP800-38D 5.2.1.1.

** libgnutls: New block cipher functions have been added to transparently
   handle padding.  gnutls_cipher_encrypt3 and gnutls_cipher_decrypt3 can be
   used in combination of GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically
   add/remove padding if the length of the original plaintext is not a multiple
   of the block size.

** libgnutls: New function for manual FIPS self-testing.

** API and ABI modifications:
gnutls_fips140_run_self_tests: New function
gnutls_cipher_encrypt3: New function
gnutls_cipher_decrypt3: New function
gnutls_cipher_padding_flags_t: New enum

** guile: Guile 1.8 is no longer supported

** guile: Session record port treats premature termination as EOF
   Previously, a „ŗŌ»nutls-error„ŗexception with the
   „ŗŌ∆rror/premature-termination„ŗvalue would be thrown while reading from a
   session record port when the underlying session was terminated
   prematurely.  This was inconvenient since users of the port may not be
   prepared to handle such an exception.
   Reading from the session record port now returns the end-of-file object
   instead of throwing an exception, just like it would for a proper
   session termination.

** guile: Session record ports can have a „ŗŌńlose„ŗprocedure.
   The „ŗŌ‘ession-record-port„ŗprocedure now takes an optional second
   parameter, and a new „ŗŌ‘et-session-record-port-close!„ŗprocedure is
   provided to specify a „ŗŌńlose„ŗprocedure for a session record port.
   This „ŗŌńlose„ŗprocedure lets users specify cleanup operations for when
   the port is closed, such as closing the file descriptor or port that
   backs the underlying session.

Revision 1.233 / (download) - annotate - [select for diffs], Tue Jun 28 11:35:35 2022 UTC (8 months, 3 weeks ago) by wiz
Branch: MAIN
Changes since 1.232: +2 -1 lines
Diff to previous 1.232 (colored)

*: recursive bump for perl 5.36

Revision 1.232 / (download) - annotate - [select for diffs], Sat May 28 06:03:41 2022 UTC (9 months, 3 weeks ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2022Q2-base, pkgsrc-2022Q2
Changes since 1.231: +2 -2 lines
Diff to previous 1.231 (colored)

gnutls: updated to 3.7.6

Version 3.7.6 (released 2022-05-27)

** libgnutls: Fixed invalid write when gnutls_realloc_zero()
   is called with new_size < old_size. This bug caused heap
   corruption when gnutls_realloc_zero() has been set as gmp
   reallocfunc

Revision 1.231 / (download) - annotate - [select for diffs], Wed May 18 18:26:14 2022 UTC (10 months ago) by adam
Branch: MAIN
Changes since 1.230: +2 -2 lines
Diff to previous 1.230 (colored)

gnutls: updated to 3.7.5

Version 3.7.5 (released 2022-05-15)

** libgnutls: The GNUTLS_NO_TICKETS_TLS12 flag and %NO_TICKETS_TLS12 priority
   modifier have been added to disable session ticket usage in TLS 1.2 because
   it does not provide forward secrecy.  On the other hand, since session
   tickets in TLS 1.3 do provide forward secrecy, the PFS priority string now
   only disables session tickets in TLS 1.2.  Future backward incompatibility:
   in the next major release of GnuTLS, we plan to remove those flag and
   modifier, and make GNUTLS_NO_TICKETS and %NO_TICKETS only affect TLS 1.2.

** gnutls-cli, gnutls-serv: Channel binding for printing information
   has been changed from tls-unique to tls-exporter as tls-unique is
   not supported in TLS 1.3.

** libgnutls: Certificate sanity checks has been enhanced to make
   gnutls more RFC 5280 compliant (!1583).
   Following changes were included:
   - critical extensions are parsed when loading x509
     certificate to prohibit any random octet strings.
     Requires strict-x509 configure option to be enabled
   - garbage bits in Key Usage extension are prohibited
   - empty DirectoryStrings in Distinguished name structures
     of Issuer and Subject name are prohibited

** libgnutls: Removed 3DES from FIPS approved algorithms.
   According to the section 2 of SP800-131A Rev.2, 3DES algorithm
   will be disallowed for encryption after December 31, 2023:
   https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final

** libgnutls: Optimized support for AES-SIV-CMAC algorithms.
   The existing AEAD API that works in a scatter-gather fashion
   (gnutls_aead_cipher_encryptv2) has been extended to support AES-SIV-CMAC.
   For further optimization, new function (gnutls_aead_cipher_set_key) has been
   added to set key on the existing AEAD handle without re-allocation.

** libgnutls: HKDF and AES-GCM algorithms are now approved in FIPS-140 mode
   when used in TLS.

** The configure arguments for Brotli and Zstandard (zstd) support
   have changed to reflect the previous help text: they are now
   --with-brotli/--with-zstd respectively.

** Detecting the Zstandard (zstd) library in configure has been
   fixed.

** API and ABI modifications:
GNUTLS_NO_TICKETS_TLS12: New flag
gnutls_aead_cipher_set_key: New function

Revision 1.230 / (download) - annotate - [select for diffs], Thu Mar 17 21:16:25 2022 UTC (12 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2022Q1-base, pkgsrc-2022Q1
Changes since 1.229: +2 -3 lines
Diff to previous 1.229 (colored)

gnutls: updated to 3.7.4

Version 3.7.4 (released 2022-03-17)

** libgnutls: Added support for certificate compression as defined in RFC8879.
** certtool: Added option --compress-cert that allows user to specify compression
   methods for certificate compression.
** libgnutls: GnuTLS can now be compiled with --enable-strict-x509 configure
   option to enforce stricter certificate sanity checks that are compliant
   with RFC5280.
** libgnutls: Removed IA5String type from DirectoryString within issuer
   and subject name to make DirectoryString RFC5280 compliant.
** libgnutls: Added function to retrieve the name of current ciphersuite
   from session.

** API and ABI modifications:
GNUTLS_COMP_BROTLI: New gnutls_compression_method_t enum member
GNUTLS_COMP_ZSTD: New gnutls_compression_method_t enum member
gnutls_compress_certificate_get_selected_method: Added
gnutls_compress_certificate_set_methods: Added

Revision 1.229 / (download) - annotate - [select for diffs], Wed Mar 16 13:32:37 2022 UTC (12 months ago) by tnn
Branch: MAIN
Changes since 1.228: +6 -1 lines
Diff to previous 1.228 (colored)

gnutls: fix build w/ latest xcode on Apple M1

Revision 1.228 / (download) - annotate - [select for diffs], Sun Feb 6 20:54:24 2022 UTC (13 months, 1 week ago) by rillig
Branch: MAIN
Changes since 1.227: +2 -2 lines
Diff to previous 1.227 (colored)

security/gnutls: remove unknown configure options

The option --enable-lzo was removed in 2011, the option
--enable-local-libopts was removed in January 2022.

Bump PKGREVISION.

Revision 1.227 / (download) - annotate - [select for diffs], Wed Jan 19 21:11:11 2022 UTC (14 months ago) by adam
Branch: MAIN
Changes since 1.226: +2 -16 lines
Diff to previous 1.226 (colored)

gnutls: updated to 3.7.3

Version 3.7.3 (released 2022-01-17)

** libgnutls: The allowlisting configuration mode has been added to the system-wide
   settings. In this mode, all the algorithms are initially marked as insecure
   or disabled, while the applications can re-enable them either through the
   [overrides] section of the configuration file or the new API.

** The build infrastructure no longer depends on GNU AutoGen for generating
   command-line option handling, template file parsing in certtool, and
   documentation generation. This change also removes run-time or
   bundled dependency on the libopts library, and requires Python 3.6 or later
   to regenerate the distribution tarball.

   Note that this brings in known backward incompatibility in command-line
   tools, such as long options are now case sensitive, while previously they
   were treated in a case insensitive manner: for example --RSA is no longer a
   valid option of certtool. The existing scripts using GnuTLS tools may need
   adjustment for this change.

** libgnutls: The tpm2-tss-engine compatible private blobs can be loaded and
   used as a gnutls_privkey_t. The code was originally written for the
   OpenConnect VPN project by David Woodhouse. To generate such blobs, use the
   tpm2tss-genkey tool from tpm2-tss-engine:
   https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
   or the tpm2_encodeobject tool from unreleased tpm2-tools.

** libgnutls: The library now transparently enables Linux KTLS
   (kernel TLS) when the feature is compiled in with --enable-ktls configuration
   option. If the KTLS initialization fails it automatically falls back
   to the user space implementation.

** certtool: The certtool command can now read the Certificate Transparency
   (RFC 6962) SCT extension.  New API functions are also provided to
   access and manipulate the extension values.

** certtool: The certtool command can now generate, manipulate, and evaluate
   x25519 and x448 public keys, private keys, and certificates.

** libgnutls: Disabling a hashing algorithm through "insecure-hash"
   configuration directive now also disables TLS ciphersuites that use it as a
   PRF algorithm.

** libgnutls: PKCS#12 files are now created with modern algorithms by default.
   Previously certtool used PKCS12-3DES-SHA1 for key derivation and
   HMAC-SHA1 as an integity measure in PKCS#12.  Now it uses AES-128-CBC with
   PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the
   default PBKDF2 iteration count has been increased to 600000.

** libgnutls: PKCS#12 keys derived using GOST algorithm now uses
   HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity, to
   conform with the latest TC-26 requirements.

** libgnutls: The library now provides a means to report the status of approved
   cryptographic operations. To adhere to the FIPS140-3 IG 2.4.C., this
   complements the existing mechanism to prohibit the use of unapproved
   algorithms by making the library unusable state.

** gnutls-cli: The gnutls-cli command now provides a --list-config option to
   print the library configuration.

** libgnutls: Fixed possible race condition in
   gnutls_x509_trust_list_verify_crt2 when a single trust list object is shared
   among multiple threads. [GNUTLS-SA-2022-01-17, CVSS: low]

** API and ABI modifications:
GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_privkey_flags_t
GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_certificate_verify_flags
gnutls_ecc_curve_set_enabled: Added.
gnutls_sign_set_secure: Added.
gnutls_sign_set_secure_for_certs: Added.
gnutls_digest_set_secure: Added.
gnutls_protocol_set_enabled: Added.
gnutls_fips140_context_init: New function
gnutls_fips140_context_deinit: New function
gnutls_fips140_push_context: New function
gnutls_fips140_pop_context: New function
gnutls_fips140_get_operation_state: New function
gnutls_fips140_operation_state_t: New enum
gnutls_transport_is_ktls_enabled: New function
gnutls_get_library_configuration: New function

Revision 1.226 / (download) - annotate - [select for diffs], Mon Jan 3 12:36:53 2022 UTC (14 months, 2 weeks ago) by wiz
Branch: MAIN
Changes since 1.225: +1 -2 lines
Diff to previous 1.225 (colored)

gnutls: add lzo option

Based on PR 56601 by Vladimir Stupin.

Revision 1.225 / (download) - annotate - [select for diffs], Sun Dec 26 23:03:54 2021 UTC (14 months, 3 weeks ago) by gutteridge
Branch: MAIN
CVS Tags: pkgsrc-2021Q4-base, pkgsrc-2021Q4
Changes since 1.224: +6 -1 lines
Diff to previous 1.224 (colored)

gnutls: fix builds on Solaris 10

Addresses PR pkg/56500 from Claes Nästén.

Revision 1.224 / (download) - annotate - [select for diffs], Wed Dec 8 16:02:33 2021 UTC (15 months, 1 week ago) by adam
Branch: MAIN
Changes since 1.223: +2 -2 lines
Diff to previous 1.223 (colored)

revbump for icu and libffi

Revision 1.223 / (download) - annotate - [select for diffs], Wed Sep 29 19:00:12 2021 UTC (17 months, 3 weeks ago) by adam
Branch: MAIN
Changes since 1.222: +2 -1 lines
Diff to previous 1.222 (colored)

revbump for boost-libs

Revision 1.222 / (download) - annotate - [select for diffs], Mon May 31 11:08:45 2021 UTC (21 months, 3 weeks ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2021Q3-base, pkgsrc-2021Q3, pkgsrc-2021Q2-base, pkgsrc-2021Q2
Changes since 1.221: +2 -3 lines
Diff to previous 1.221 (colored)

gnutls: update to 3.7.2.

* Version 3.7.2 (released 2021-05-29)

** libgnutls: The priority string option %DISABLE_TLS13_COMPAT_MODE was added
   to disable TLS 1.3 middlebox compatibility mode

** libgnutls: The Linux kernel AF_ALG based acceleration has been added.
   This can be enabled with --enable-afalg configure option, when libkcapi
   package is installed (#308).

** libgnutls: Fixed timing of early data exchange. Previously, the client was
   sending early data after receiving Server Hello, which not only negates the
   benefit of 0-RTT, but also works under certain assumptions hold (e.g., the
   same ciphersuite is selected in initial and resumption handshake) (#1146).

** certtool: When signing a CSR, CRL distribution point (CDP) is no longer
   copied from the signing CA by default (#1126).

** libgnutls: The GNUTLS_NO_EXPLICIT_INIT envvar has been renamed to
   GNUTLS_NO_IMPLICIT_INIT to reflect the purpose (#1178). The former is now
   deprecated and will be removed in the future releases.

** certtool: When producing certificates and certificate requests, subject DN
   components that are provided individually will now be ordered by
   assumed scale (e.g. Country before State, Organization before
   OrganizationalUnit).  This change also affects the order in which
   certtool prompts interactively.  Please rely on the template
   mechanism for automated use of certtool! (#1243)

** API and ABI modifications:
gnutls_early_cipher_get: Added
gnutls_early_prf_hash_get: Added

Revision 1.221 / (download) - annotate - [select for diffs], Mon May 24 19:53:52 2021 UTC (21 months, 4 weeks ago) by wiz
Branch: MAIN
Changes since 1.220: +2 -2 lines
Diff to previous 1.220 (colored)

*: recursive bump for perl 5.34

Revision 1.220 / (download) - annotate - [select for diffs], Wed Apr 21 13:24:15 2021 UTC (23 months ago) by adam
Branch: MAIN
Changes since 1.219: +2 -1 lines
Diff to previous 1.219 (colored)

revbump for boost-libs

Revision 1.219 / (download) - annotate - [select for diffs], Sun Mar 14 07:58:20 2021 UTC (2 years ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2021Q1-base, pkgsrc-2021Q1
Changes since 1.218: +4 -6 lines
Diff to previous 1.218 (colored)

gnutls: update to 3.7.1.

* Version 3.7.1 (released 2021-03-10)

** libgnutls: Fixed potential use-after-free in sending "key_share"
   and "pre_shared_key" extensions. When sending those extensions, the
   client may dereference a pointer no longer valid after
   realloc. This happens only when the client sends a large Client
   Hello message, e.g., when HRR is sent in a resumed session
   previously negotiated large FFDHE parameters, because the initial
   allocation of the buffer is large enough without having to call
   realloc (#1151).  [GNUTLS-SA-2021-03-10, CVSS: low]

** libgnutls: Fixed a regression in handling duplicated certs in a
   chain (#1131).

** libgnutls: Fixed sending of session ID in TLS 1.3 middlebox
   compatibiltiy mode. In that mode the client shall always send a
   non-zero session ID to make the handshake resemble the TLS 1.2
   resumption; this was not true in the previous versions (#1074).

** libgnutls: W32 performance improvement with a new sendmsg()-like
   transport implementation (!1377).

** libgnutls: Removed dependency on the external 'fipscheck' package,
   when compiled with --enable-fips140-mode (#1101).

** libgnutls: Added padlock acceleration for AES-192-CBC (#1004).

Revision 1.218 / (download) - annotate - [select for diffs], Thu Dec 3 12:27:38 2020 UTC (2 years, 3 months ago) by nia
Branch: MAIN
CVS Tags: pkgsrc-2020Q4-base, pkgsrc-2020Q4
Changes since 1.217: +4 -4 lines
Diff to previous 1.217 (colored)

gnutls: Update to 3.7.0

* Version 3.7.0 (released 2020-12-02)

** libgnutls: Depend on nettle 3.6 (!1322).

** libgnutls: Added a new API that provides a callback function to
   retrieve missing certificates from incomplete certificate chains
   (#202, #968, #1100).

** libgnutls: Added a new API that provides a callback function to
   output the complete path to the trusted root during certificate
   chain verification (#1012).

** libgnutls: OIDs exposed as gnutls_datum_t no longer account for the
   terminating null bytes, while the data field is null terminated.
   The affected API functions are: gnutls_ocsp_req_get_extension,
   gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension
   (#805).

** libgnutls: Added a new set of API to enable QUIC implementation (#826, #849,
   #850).

** libgnutls: The crypto implementation override APIs deprecated in 3.6.9 are
   now no-op (#790).

** libgnutls: Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161).

** libgnutls: Support for padlock has been fixed to make it work with Zhaoxin
   CPU (#1079).

** libgnutls: The maximum PIN length for PKCS #11 has been increased from 31
   bytes to 255 bytes (#932).

** API and ABI modifications:
gnutls_x509_trust_list_set_getissuer_function: Added
gnutls_x509_trust_list_get_ptr: Added
gnutls_x509_trust_list_set_ptr: Added
gnutls_session_set_verify_output_function: Added
gnutls_record_encryption_level_t: New enum
gnutls_handshake_read_func: New callback type
gnutls_handshake_set_read_function: New function
gnutls_handshake_write: New function
gnutls_handshake_secret_func: New callback type
gnutls_handshake_set_secret_function: New function
gnutls_alert_read_func: New callback type
gnutls_alert_set_read_function: New function
gnutls_crypto_register_cipher: Deprecated; no-op
gnutls_crypto_register_aead_cipher: Deprecated; no-op
gnutls_crypto_register_mac: Deprecated; no-op
gnutls_crypto_register_digest: Deprecated; no-op

Revision 1.217 / (download) - annotate - [select for diffs], Mon Sep 7 15:47:15 2020 UTC (2 years, 6 months ago) by leot
Branch: MAIN
CVS Tags: pkgsrc-2020Q3-base, pkgsrc-2020Q3
Changes since 1.216: +2 -3 lines
Diff to previous 1.216 (colored)

gnutls: Update to 3.6.15

Changes:
3.6.15
------
** libgnutls: Fixed "no_renegotiation" alert handling at incorrect timing.
   The server sending a "no_renegotiation" alert in an unexpected timing,
   followed by an invalid second handshake was able to cause a TLS 1.3 client to
   crash via a null-pointer dereference. The crash happens in the application's
   error handling path, where the gnutls_deinit function is called after
   detecting a handshake failure (#1071).  [GNUTLS-SA-2020-09-04, CVSS: medium]

** libgnutls: If FIPS self-tests are failed, gnutls_fips140_mode_enabled() now
   indicates that with a false return value (!1306).

** libgnutls: Under FIPS mode, the generated ECDH/DH public keys are checked
   accordingly to SP800-56A rev 3 (!1295, !1299).

** libgnutls: gnutls_x509_crt_export2() now returns 0 upon success, rather than
   the size of the internal base64 blob (#1025). The new behavior aligns to the
   existing documentation.

** libgnutls: Certificate verification failue due to OCSP must-stapling is not
   honered is now correctly marked with the GNUTLS_CERT_INVALID flag
   (!1317). The new behavior aligns to the existing documentation.

** libgnutls: The audit log message for weak hashes is no longer printed twice
   (!1301).

** libgnutls: Fixed version negotiation when TLS 1.3 is enabled and TLS 1.2 is
   disabled in the priority string. Previously, even when TLS 1.2 is explicitly
   disabled with "-VERS-TLS1.2", the server still offered TLS 1.2 if TLS 1.3 is
   enabled (#1054).

** API and ABI modifications:
No changes since last version.

Revision 1.216 / (download) - annotate - [select for diffs], Mon Aug 31 18:11:07 2020 UTC (2 years, 6 months ago) by wiz
Branch: MAIN
Changes since 1.215: +2 -2 lines
Diff to previous 1.215 (colored)

*: bump PKGREVISION for perl-5.32.

Revision 1.215 / (download) - annotate - [select for diffs], Fri Aug 21 14:06:12 2020 UTC (2 years, 7 months ago) by schmonz
Branch: MAIN
Changes since 1.214: +30 -1 lines
Diff to previous 1.214 (colored)

CentOS 6's /usr/bin/as is too old to build the ssse3 hardware
acceleration code. If we're x86_64, and the assembler is GNU, and the
version is too old, disable hardware acceleration. Other non-working
combinations can be added as they're discovered. No functional change
intended to any platforms where this previously built, but since it's
hard to be sure of that, I'm bumping PKGREVISION.

Alternatively, we could build with gas from devel/binutils when needed.
multimedia/libvpx says it does this (for similar reasons), but I
couldn't get that to work here, and am suspicious whether it still
works there.

Revision 1.209.2.1 / (download) - annotate - [select for diffs], Tue Jun 9 11:55:34 2020 UTC (2 years, 9 months ago) by bsiegert
Branch: pkgsrc-2020Q1
Changes since 1.209: +2 -4 lines
Diff to previous 1.209 (colored) next main 1.210 (colored)

Pullup ticket #6232 - requested by maya
security/gnutls: security fix

Revisions pulled up:
- security/gnutls/Makefile                                      1.210-1.213
- security/gnutls/PLIST                                         1.70-1.71
- security/gnutls/PLIST.guile                                   1.1
- security/gnutls/buildlink3.mk                                 1.37
- security/gnutls/distinfo                                      1.143-1.144
- security/gnutls/options.mk                                    1.3
- security/gnutls/patches/patch-configure                       1.5

---
   Module Name:    pkgsrc
   Committed By:   adam
   Date:           Wed Apr  1 08:24:07 UTC 2020

   Modified Files:
           pkgsrc/security/gnutls: Makefile PLIST distinfo
   Added Files:
           pkgsrc/security/gnutls/patches: patch-configure

   Log Message:
   gnutls: updated to 3.6.13

   Version 3.6.13:

   ** libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support), since 3.6.3.
      The DTLS client would not contribute any randomness to the DTLS negotiation,
      breaking the security guarantees of the DTLS protocol
      [GNUTLS-SA-2020-03-31, CVSS: high]

   ** libgnutls: Added new APIs to access KDF algorithms.

   ** libgnutls: Added new callback gnutls_keylog_func that enables a custom
      logging functionality.

   ** libgnutls: Added support for non-null terminated usernames in PSK
      negotiation.

   ** gnutls-cli-debug: Improved support for old servers that only support
      SSL 3.0.

   ** API and ABI modifications:
   gnutls_hkdf_extract: Added
   gnutls_hkdf_expand: Added
   gnutls_pbkdf2: Added
   gnutls_session_get_keylog_function: Added
   gnutls_session_set_keylog_function: Added
   gnutls_prf_hash_get: Added
   gnutls_psk_server_get_username2: Added
   gnutls_psk_set_client_credentials2: Added
   gnutls_psk_set_client_credentials_function2: Added
   gnutls_psk_set_server_credentials_function2: Added

---
   Module Name:    pkgsrc
   Committed By:   nikita
   Date:           Thu May 14 14:30:02 UTC 2020

   Modified Files:
           pkgsrc/security/gnutls: Makefile buildlink3.mk options.mk
   Added Files:
           pkgsrc/security/gnutls: PLIST.guile

   Log Message:
   security/gnutls: revbump, add support for building guile bindings

---
   Module Name:    pkgsrc
   Committed By:   leot
   Date:           Mon Jun  8 19:48:14 UTC 2020

   Modified Files:
           pkgsrc/security/gnutls: Makefile PLIST distinfo

   Log Message:
   gnutls: Update to 3.6.14

   Changes:
   3.6.14
   ------
    * libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
      The TLS server would not bind the session ticket encryption key with a
      value supplied by the application until the initial key rotation, allowing
      attacker to bypass authentication in TLS 1.3 and recover previous
      conversations in TLS 1.2 (#1011).
      [GNUTLS-SA-2020-06-03, CVSS: high]

    * libgnutls: Fixed handling of certificate chain with cross-signed
      intermediate CA certificates (#1008).

    * libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997).

    * libgnutls: gnutls_x509_crt_print() is enhanced to recognizes commonName
      (2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority
      Key Identifier (AKI) properly (#989, #991).

    * certtool: PKCS #7 attributes are now printed with symbolic names (!1246).

    * libgnutls: Added several improvements on Windows Vista and later releases
      (!1257, !1254, !1256). Most notably the system random number generator now
      uses Windows BCrypt* API if available (!1255).

    * libgnutls: Use accelerated AES-XTS implementation if possible (!1244).
      Also both accelerated and non-accelerated implementations check key block
      according to FIPS-140-2 IG A.9 (!1233).

    * libgnutls: Added support for AES-SIV ciphers (#463).

    * libgnutls: Added support for 192-bit AES-GCM cipher (!1267).

    * libgnutls: No longer use internal symbols exported from Nettle (!1235)

    * API and ABI modifications:
        GNUTLS_CIPHER_AES_128_SIV: Added
        GNUTLS_CIPHER_AES_256_SIV: Added
        GNUTLS_CIPHER_AES_192_GCM: Added
        gnutls_pkcs7_print_signature_info: Added

Revision 1.214 / (download) - annotate - [select for diffs], Tue Jun 9 09:53:11 2020 UTC (2 years, 9 months ago) by nia
Branch: MAIN
CVS Tags: pkgsrc-2020Q2-base, pkgsrc-2020Q2
Changes since 1.213: +1 -2 lines
Diff to previous 1.213 (colored)

gnutls: fix detection of build options

Revision 1.213 / (download) - annotate - [select for diffs], Mon Jun 8 19:48:14 2020 UTC (2 years, 9 months ago) by leot
Branch: MAIN
Changes since 1.212: +2 -3 lines
Diff to previous 1.212 (colored)

gnutls: Update to 3.6.14

Changes:
3.6.14
------
 * libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
   The TLS server would not bind the session ticket encryption key with a
   value supplied by the application until the initial key rotation, allowing
   attacker to bypass authentication in TLS 1.3 and recover previous
   conversations in TLS 1.2 (#1011).
   [GNUTLS-SA-2020-06-03, CVSS: high]

 * libgnutls: Fixed handling of certificate chain with cross-signed
   intermediate CA certificates (#1008).

 * libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997).

 * libgnutls: gnutls_x509_crt_print() is enhanced to recognizes commonName
   (2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority
   Key Identifier (AKI) properly (#989, #991).

 * certtool: PKCS #7 attributes are now printed with symbolic names (!1246).

 * libgnutls: Added several improvements on Windows Vista and later releases
   (!1257, !1254, !1256). Most notably the system random number generator now
   uses Windows BCrypt* API if available (!1255).

 * libgnutls: Use accelerated AES-XTS implementation if possible (!1244).
   Also both accelerated and non-accelerated implementations check key block
   according to FIPS-140-2 IG A.9 (!1233).

 * libgnutls: Added support for AES-SIV ciphers (#463).

 * libgnutls: Added support for 192-bit AES-GCM cipher (!1267).

 * libgnutls: No longer use internal symbols exported from Nettle (!1235)

 * API and ABI modifications:
     GNUTLS_CIPHER_AES_128_SIV: Added
     GNUTLS_CIPHER_AES_256_SIV: Added
     GNUTLS_CIPHER_AES_192_GCM: Added
     gnutls_pkcs7_print_signature_info: Added

Revision 1.212 / (download) - annotate - [select for diffs], Fri May 22 10:55:50 2020 UTC (2 years, 10 months ago) by adam
Branch: MAIN
Changes since 1.211: +2 -2 lines
Diff to previous 1.211 (colored)

revbump after updating security/nettle

Revision 1.211 / (download) - annotate - [select for diffs], Thu May 14 14:30:02 2020 UTC (2 years, 10 months ago) by nikita
Branch: MAIN
Changes since 1.210: +2 -2 lines
Diff to previous 1.210 (colored)

security/gnutls: revbump, add support for building guile bindings

Revision 1.210 / (download) - annotate - [select for diffs], Wed Apr 1 08:24:07 2020 UTC (2 years, 11 months ago) by adam
Branch: MAIN
Changes since 1.209: +2 -3 lines
Diff to previous 1.209 (colored)

gnutls: updated to 3.6.13

Version 3.6.13:

** libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support), since 3.6.3.
   The DTLS client would not contribute any randomness to the DTLS negotiation,
   breaking the security guarantees of the DTLS protocol
   [GNUTLS-SA-2020-03-31, CVSS: high]

** libgnutls: Added new APIs to access KDF algorithms.

** libgnutls: Added new callback gnutls_keylog_func that enables a custom
   logging functionality.

** libgnutls: Added support for non-null terminated usernames in PSK
   negotiation.

** gnutls-cli-debug: Improved support for old servers that only support
   SSL 3.0.

** API and ABI modifications:
gnutls_hkdf_extract: Added
gnutls_hkdf_expand: Added
gnutls_pbkdf2: Added
gnutls_session_get_keylog_function: Added
gnutls_session_set_keylog_function: Added
gnutls_prf_hash_get: Added
gnutls_psk_server_get_username2: Added
gnutls_psk_set_client_credentials2: Added
gnutls_psk_set_client_credentials_function2: Added
gnutls_psk_set_server_credentials_function2: Added

Revision 1.209 / (download) - annotate - [select for diffs], Sun Mar 22 12:21:59 2020 UTC (3 years ago) by rillig
Branch: MAIN
CVS Tags: pkgsrc-2020Q1-base
Branch point for: pkgsrc-2020Q1
Changes since 1.208: +1 -2 lines
Diff to previous 1.208 (colored)

security/gnutls: remove unnecessary comment from Makefile

Revision 1.208 / (download) - annotate - [select for diffs], Sun Mar 22 12:21:12 2020 UTC (3 years ago) by rillig
Branch: MAIN
Changes since 1.207: +2 -4 lines
Diff to previous 1.207 (colored)

security/gnutls: remove nonexistent files from REPLACE_BASH

Revision 1.207 / (download) - annotate - [select for diffs], Sun Mar 8 16:48:06 2020 UTC (3 years ago) by wiz
Branch: MAIN
Changes since 1.206: +2 -1 lines
Diff to previous 1.206 (colored)

*: recursive bump for libffi

Revision 1.206 / (download) - annotate - [select for diffs], Sun Feb 9 13:56:28 2020 UTC (3 years, 1 month ago) by wiz
Branch: MAIN
Changes since 1.205: +2 -3 lines
Diff to previous 1.205 (colored)

gnutls: update to 3.6.12.

* Version 3.6.12 (released 2020-02-01)

** libgnutls: Introduced TLS session flag (gnutls_session_get_flags())
   to identify sessions that client request OCSP status request (#829).

** libgnutls: Added support for X448 key exchange (RFC 7748) and Ed448
   signature algorithm (RFC 8032) under TLS (#86).

** libgnutls: Added the default-priority-string option to system configuration;
   it allows overriding the compiled-in default-priority-string.

** libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by
   draft-smyshlyaev-tls12-gost-suites-07).
   By default this ciphersuite is disabled. It can be enabled by adding
   +GOST to priority string. In the future this priority string may enable
   other GOST ciphersuites as well.  Note, that server will fail to negotiate
   GOST ciphersuites if TLS 1.3 is enabled both on a server and a client. It
   is recommended for now to disable TLS 1.3 in setups where GOST ciphersuites
   are enabled on GnuTLS-based servers.

** libgnutls: added priority shortcuts for different GOST categories like
   CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL, GROUP-GOST-ALL.

** libgnutls: Reject certificates with invalid time fields. That is we reject
   certificates with invalid characters in Time fields, or invalid time formatting
   To continue accepting the invalid form compile with --disable-strict-der-time
   (#207, #870).

** libgnutls: Reject certificates which contain duplicate extensions. We were
   previously printing warnings when printing such a certificate, but that is
   not always sufficient to flag such certificates as invalid. Instead we now
   refuse to import them (#887).

** libgnutls: If a CA is found in the trusted list, check in addition to
   time validity, whether the algorithms comply to the expected level prior
   to accepting it. This addresses the problem of accepting CAs which would
   have been marked as insecure otherwise (#877).

** libgnutls: The min-verification-profile from system configuration applies
   for all certificate verifications, not only under TLS. The configuration can
   be overriden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable.

** libgnutls: The stapled OCSP certificate verification adheres to the convention
   used throughout the library of setting the 'GNUTLS_CERT_INVALID' flag.

** libgnutls: On client side only send OCSP staples if they have been requested
   by the server, and on server side always advertise that we support OCSP stapling
   (#876).

** libgnutls: Introduced the gnutls_ocsp_req_const_t which is compatible
   with gnutls_ocsp_req_t but const.

** certtool: Added the --verify-profile option to set a certificate
   verification profile. Use '--verify-profile low' for certificate verification
   to apply the 'NORMAL' verification profile.

** certtool: The add_extension template option is considered even when generating
   a certificate from a certificate request.

** API and ABI modifications:
GNUTLS_SFLAGS_CLI_REQUESTED_OCSP: Added
GNUTLS_SFLAGS_SERV_REQUESTED_OCSP: Added
gnutls_ocsp_req_const_t: Added

Revision 1.205 / (download) - annotate - [select for diffs], Sat Jan 18 21:50:37 2020 UTC (3 years, 2 months ago) by jperkin
Branch: MAIN
Changes since 1.204: +2 -1 lines
Diff to previous 1.204 (colored)

*: Recursive revision bump for openssl 1.1.1.

Revision 1.204 / (download) - annotate - [select for diffs], Fri Dec 6 14:00:08 2019 UTC (3 years, 3 months ago) by nia
Branch: MAIN
CVS Tags: pkgsrc-2019Q4-base, pkgsrc-2019Q4
Changes since 1.203: +3 -3 lines
Diff to previous 1.203 (colored)

gnutls: Update to 3.6.11.1

Not sure of 3.6.11.1's specific changes - possibly fixing an incorrectly
generated tarball?

These changes from apply:

* Version 3.6.11 (released 2019-12-01)

** libgnutls: Use KERN_ARND for the system random number generator on NetBSD.
   This syscall provides an endless stream of random numbers from the kernel's
   ChaCha20-based random number generator, without blocking or requiring an open file
   descriptor.

** libgnutls: Corrected issue with TLS 1.2 session ticket handling as client
   during resumption (#841).

** libgnutls: gnutls_base64_decode2() succeeds decoding the empty string to
   the empty string. This is a behavioral change of the API but it conforms
   to the RFC4648 expectations (#834).

** libgnutls: Fixed AES-CFB8 implementation, when input is shorter than
   the block size. Fix backported from nettle.

** certtool: CRL distribution points will be set in CA certificates even when
   non self-signed (#765).

** gnutls-cli/serv: added raw public-key handling capabilities (RFC7250).
   Key material can be set via the --rawpkkeyfile and --rawpkfile flags.

** API and ABI modifications:
No changes since last version.

Revision 1.203 / (download) - annotate - [select for diffs], Fri Oct 4 17:25:53 2019 UTC (3 years, 5 months ago) by nia
Branch: MAIN
Changes since 1.202: +4 -3 lines
Diff to previous 1.202 (colored)

gnutls: Update to 3.6.10

* Version 3.6.10 (released 2019-09-29)

** libgnutls: Added support for deterministic ECDSA/DSA (RFC6979)
   Deterministic signing can be enabled by setting
   GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE when calling gnutls_privkey_sign_*()
   functions (#94).

** libgnutls: add gnutls_aead_cipher_encryptv2 and gnutls_aead_cipher_decryptv2
   functions that will perform in-place encryption/decryption on data buffers (#718).

** libgnutls: Corrected issue in gnutls_session_get_data2() which could fail under
   TLS1.3, if a timeout callback was not set using gnutls_transport_set_pull_timeout_function()
   (#823).

** libgnutls: added interoperability tests with gnutls 2.12.x; addressed
   issue with large record handling due to random padding (#811).

** libgnutls: the server now selects the highest TLS protocol version,
   if TLS 1.3 is enabled and the client advertises an older protocol version first (#837).

** libgnutls: fix non-PIC assembly on i386 (#818).

** libgnutls: added support for GOST 28147-89 cipher in CNT (GOST counter) mode
   and MAC generation based on GOST 28147-89 (IMIT). For description of the
   modes see RFC 5830. S-Box is id-tc26-gost-28147-param-Z (TC26Z) defined in
   RFC 7836.

** certtool: when outputting an encrypted private key do not insert the textual description
   of it. This fixes a regression since 3.6.5 (#840).

** API and ABI modifications:
gnutls_aead_cipher_encryptv2: Added
gnutls_aead_cipher_decryptv2: Added
GNUTLS_CIPHER_GOST28147_TC26Z_CNT: Added
GNUTLS_MAC_GOST28147_TC26Z_IMIT: Added

Revision 1.202 / (download) - annotate - [select for diffs], Tue Oct 1 14:34:08 2019 UTC (3 years, 5 months ago) by nia
Branch: MAIN
Changes since 1.201: +2 -2 lines
Diff to previous 1.201 (colored)

gnutls: No longer a GNU project

Revision 1.201 / (download) - annotate - [select for diffs], Mon Sep 30 09:51:16 2019 UTC (3 years, 5 months ago) by maya
Branch: MAIN
CVS Tags: pkgsrc-2019Q3-base, pkgsrc-2019Q3
Changes since 1.200: +2 -2 lines
Diff to previous 1.200 (colored)

gnutls: backport upstream commit to avoid text relocations on i386.

Regenerate asm files with -fPIC

PR pkg/54555: security/gnutls 3.6.9 runs afoul of PAX MPROTECT and
text relocations on netbsd-9/i386

Bump PKGREVISION.

Revision 1.200 / (download) - annotate - [select for diffs], Wed Sep 18 15:27:05 2019 UTC (3 years, 6 months ago) by ng0
Branch: MAIN
Changes since 1.199: +4 -1 lines
Diff to previous 1.199 (colored)

security/gnutls: Add ability to link against libunbound for DANE support.

Revision 1.199 / (download) - annotate - [select for diffs], Mon Sep 16 00:28:48 2019 UTC (3 years, 6 months ago) by nia
Branch: MAIN
Changes since 1.198: +4 -5 lines
Diff to previous 1.198 (colored)

gnutls: Update to 3.6.9

* Version 3.6.9 (released 2019-07-25)

** libgnutls: add gnutls_hash_copy/gnutls_hmac_copy functions that will create a copy
   of digest or MAC context. Copying contexts for externally-registered digest and MAC
   contexts is unupported (#787).

** Marked the crypto implementation override APIs as deprecated. These APIs are rarely
   used, are for a niche use case, but have significant side effects, such as preventing
   any internal re-organization and extension of the internal cipher API. The APIs remain
   functional though a compiler warning will be issued, and a future minor version update
   may transform them to a no-op while keeping ABI compatibility (#789).

** libgnutls: Added support for AES-GMAC, as a separate to GCM, MAC algorithm (#781).

** libgnutls: gnutls_privkey_sign_hash2 now accepts the GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA
   flag as documented. This makes it a complete replacement of gnutls_privkey_sign_hash().

** libgnutls: Added support for Generalname registeredID.

** The priority configuration was enhanced to allow more elaborate
   system-wide configuration of the library (#587).
   The following changes were included:
    - The file is read as an ini file with '#' indicating a comment.
    - The section "[priorities]" or global follows the existing semantics of
      the configuration file, and allows to specify system-wide priority strings
      which are accessed with the '@' prefix.
    - The section "[overrides]" is added with the parameters "insecure-hash",
      "insecure-sig", "insecure-sig-for-cert", "disabled-curve",
      "disabled-version", "min-verification-profile", "tls-disabled-cipher",
      "tls-disabled-mac", "tls-disabled-group", "tls-disabled-kx", which prohibit
      specific algorithms or options globally. Existing algorithms in the
      library can be marked as disabled and insecure, but no hard-coded
      insecure algorithm can be marked as secure (so that the configuration
      cannot be abused to make the system vulnerable).
    - Unknown sections or options are skipped with a debug message, unless
      the GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID environment parameter is
      set to 1.

** libgnutls: Added new flag for GNUTLS_CPUID_OVERRIDE
    - 0x20: Enable SHA_NI instruction set

** API and ABI modifications:
gnutls_crypto_register_cipher: Deprecated
gnutls_crypto_register_aead_cipher: Deprecated
gnutls_crypto_register_digest: Deprecated
gnutls_crypto_register_mac: Deprecated
gnutls_get_system_config_file: Added
gnutls_hash_copy: Added
gnutls_hmac_copy: Added
GNUTLS_MAC_AES_GMAC_128: Added
GNUTLS_MAC_AES_GMAC_192: Added
GNUTLS_MAC_AES_CMAC_256: Added
GNUTLS_SAN_REGISTERED_ID: Added

Revision 1.198 / (download) - annotate - [select for diffs], Sun Aug 11 13:22:46 2019 UTC (3 years, 7 months ago) by wiz
Branch: MAIN
Changes since 1.197: +2 -2 lines
Diff to previous 1.197 (colored)

Bump PKGREVISIONs for perl 5.30.0

Revision 1.197 / (download) - annotate - [select for diffs], Sat Jul 20 22:46:04 2019 UTC (3 years, 8 months ago) by wiz
Branch: MAIN
Changes since 1.196: +2 -1 lines
Diff to previous 1.196 (colored)

*: recursive bump for nettle 3.5.1

Revision 1.196 / (download) - annotate - [select for diffs], Thu Jul 11 14:53:36 2019 UTC (3 years, 8 months ago) by sevan
Branch: MAIN
Changes since 1.195: +2 -2 lines
Diff to previous 1.195 (colored)

Update to v3.6.8

Changes
=======

* Version 3.6.8 (released 2019-05-28)

** libgnutls: Added gnutls_prf_early() function to retrieve early keying
   material (#329)

** libgnutls: Added support for AES-XTS cipher (#354)

** libgnutls: Fix calculation of Streebog digests (incorrect carry operation in
   512 bit addition)

** libgnutls: During Diffie-Hellman operations in TLS, verify that the peer's
   public key is on the right subgroup (y^q=1 mod p), when q is available (under
   TLS 1.3 and under earlier versions when RFC7919 parameters are used).

** libgnutls: the gnutls_srp_set_server_credentials_function can now be used
   with the 8192 parameters as well (#995).

** libgnutls: Fixed bug preventing the use of gnutls_pubkey_verify_data2() and
   gnutls_pubkey_verify_hash2() with the GNUTLS_VERIFY_DISABLE_CA_SIGN flag (#754)

** libgnutls: The priority string option %ALLOW_SMALL_RECORDS was added to allow
   clients to communicate with the server advertising smaller limits than 512

** libgnutls: Apply STD3 ASCII rules in gnutls_idna_map() to prevent
   hostname/domain crafting via IDNA conversion (#720)

** certtool: allow the digital signature key usage flag in CA certificates.
   Previously certtool would ignore this flag for CA certificates even if
   specified (#767)

** gnutls-cli/serv: added the --keymatexport and --keymatexportsize options.
   These allow testing the RFC5705 using these tools.

** API and ABI modifications:
gnutls_prf_early: Added
gnutls_record_set_max_recv_size: Added
gnutls_dh_params_import_raw3: Added
gnutls_ffdhe_2048_group_q: Added
gnutls_ffdhe_3072_group_q: Added
gnutls_ffdhe_4096_group_q: Added
gnutls_ffdhe_6144_group_q: Added
gnutls_ffdhe_8192_group_q: Added

Revision 1.195 / (download) - annotate - [select for diffs], Wed Mar 27 16:46:40 2019 UTC (3 years, 11 months ago) by leot
Branch: MAIN
CVS Tags: pkgsrc-2019Q2-base, pkgsrc-2019Q2, pkgsrc-2019Q1-base, pkgsrc-2019Q1
Changes since 1.194: +2 -2 lines
Diff to previous 1.194 (colored)

gnutls: Update to 3.6.7

Bug fix and security release on the stable 3.6.x branch.
OK during the freeze by <jperkin>, thanks!

Changes:
3.6.7
-----

 - libgnutls, gnutls tools: Every gnutls_free() will automatically set
   the free'd pointer to NULL. This prevents possible use-after-free and
   double free issues. Use-after-free will be turned into NULL dereference.
   The counter-measure does not extend to applications using gnutls_free().
 - libgnutls: Fixed a memory corruption (double free) vulnerability in the
   certificate verification API. Reported by Tavis Ormandy; addressed with
   the change above. [GNUTLS-SA-2019-03-27, #694]
 - libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages;
   Found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704]
 - libgnutls: enforce key usage limitations on certificates more actively.
   Previously we would enforce it for TLS1.2 protocol, now we enforce it
   even when TLS1.3 is negotiated, or on client certificates as well. When
   an inappropriate for TLS1.3 certificate is seen on the credentials structure
   GnuTLS will disable TLS1.3 support for that session (#690).
 - libgnutls: the default number of tickets sent under TLS 1.3 was increased to
   two. This makes it easier for clients which perform multiple connections
   to the server to use the tickets sent by a default server.
 - libgnutls: enforce the equality of the two signature parameters fields in
   a certificate. We were already enforcing the signature algorithm, but there
   was a bug in parameter checking code.
 - libgnutls: fixed issue preventing sending and receiving from different
   threads when false start was enabled (#713).
 - libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable
   session, as non-writeable security officer sessions are undefined in PKCS#11
   (#721).
 - libgnutls: no longer send downgrade sentinel in TLS 1.3.
   Previously the sentinel value was embedded to early in version
   negotiation and was sent even on TLS 1.3. It is now sent only when
   TLS 1.2 or earlier is negotiated (#689).
 - gnutls-cli: Added option --logfile to redirect informational messages output.

 - No API and ABI modifications since last version.

Revision 1.194 / (download) - annotate - [select for diffs], Wed Mar 20 06:27:11 2019 UTC (4 years ago) by adam
Branch: MAIN
Changes since 1.193: +2 -3 lines
Diff to previous 1.193 (colored)

gnutls: updated to 3.6.6

Version 3.6.6:
* libgnutls: gnutls_pubkey_import_ecc_raw() was fixed to set the number bits
  on the public key.
* libgnutls: Added support for raw public-key authentication as defined in RFC7250.
  Raw public-keys can be negotiated by enabling the corresponding certificate
  types via the priority strings. The raw public-key mechanism must be explicitly
  enabled via the GNUTLS_ENABLE_RAWPK init flag.
* libgnutls: When on server or client side we are sending no extensions we do
  not set an empty extensions field but we rather remove that field competely.
  This solves a regression since 3.5.x and improves compatibility of the server
  side with certain clients.
* libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if
  the CKA_SIGN is not set.
* libgnutls: The priority string option %NO_EXTENSIONS was improved to completely
  disable extensions at all cases, while providing a functional session. This
  also implies that when specified, TLS1.3 is disabled.
* libgnutls: GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated.
  The previous definition was non-functional.
* API and ABI modifications:
GNUTLS_ENABLE_RAWPK: Added
GNUTLS_ENABLE_CERT_TYPE_NEG: Removed (was no-op; replaced by GNUTLS_ENABLE_RAWPK)
GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION: Deprecated
GNUTLS_PCERT_NO_CERT: Deprecated

Revision 1.193 / (download) - annotate - [select for diffs], Thu Dec 13 00:10:12 2018 UTC (4 years, 3 months ago) by leot
Branch: MAIN
CVS Tags: pkgsrc-2018Q4-base, pkgsrc-2018Q4
Changes since 1.192: +5 -1 lines
Diff to previous 1.192 (colored)

gnutls: Add a dependency to mozilla-rootcerts and configure to use them

Without providing `--with-default-trust-store-file=' configure
argument gnutls try to check a list of hardcoded paths for the
trust store file and use the first found.

If none of them is found gnutls_certificate_set_x509_system_trust()
returns GNUTLS_E_UNIMPLEMENTED_FEATURE and the location of trust
store file should be provided (e.g. in gnutls-cli via --x509cafile
option).

Depends on mozilla-rootcerts and pass `--with-default-trust-store-file='
similarly to security/p11-kit to always have a consistent default
trust store file and an implemented
gnutls_certificate_set_x509_system_trust().

Bump PKGREVISION

Revision 1.192 / (download) - annotate - [select for diffs], Sun Dec 9 20:12:41 2018 UTC (4 years, 3 months ago) by leot
Branch: MAIN
Changes since 1.191: +3 -9 lines
Diff to previous 1.191 (colored)

gnutls: Update security/gnutls to 3.6.5

pkgsrc changes:
- Remove comments regarding bash and tests (bash was added
  unconditionally due REPLACE_BASH usages)

Changes:
3.6.5
-----
** libgnutls: Provide the option of transparent re-handshake/reauthentication
   when the GNUTLS_AUTO_REAUTH flag is specified in gnutls_init() (#571).
** libgnutls: Added support for TLS 1.3 zero round-trip (0-RTT) mode (#127)
** libgnutls: The priority functions will ignore and not enable TLS1.3 if
   requested with legacy TLS versions enabled but not TLS1.2. That is because
   if such a priority string is used in the client side (e.g., TLS1.3+TLS1.0 enabled)
   servers which do not support TLS1.3 will negotiate TLS1.2 which will be
   rejected by the client as disabled (#621).
** libgnutls: Change RSA decryption to use a new side-channel silent function.
   This addresses a security issue where memory access patterns as well as timing
   on the underlying Nettle rsa-decrypt function could lead to new Bleichenbacher
   attacks. Side-channel resistant code is slower due to the need to mask
   access and timings. When used in TLS the new functions cause RSA based
   handshakes to be between 13% and 28% slower on average (Numbers are indicative,
   the tests where performed on a relatively modern Intel CPU, results vary
   depending on the CPU and architecture used). This change makes nettle 3.4.1
   the minimum requirement of gnutls (#630). [CVSS: medium]
** libgnutls: gnutls_priority_init() and friends, allow the CTYPE-OPENPGP keyword
   in the priority string. It is only accepted as legacy option and is ignored.
** libgnutls: Added support for EdDSA under PKCS#11 (#417)
** libgnutls: Added support for AES-CFB8 cipher (#357)
** libgnutls: Added support for AES-CMAC MAC (#351)
** libgnutls: In two previous versions GNUTLS_CIPHER_GOST28147_CPB/CPC/CPD_CFB ciphers
   have incorrectly used CryptoPro-A S-BOX instead of proper (CryptoPro-B/-C/-D
   S-BOXes). They are fixed now.
** libgnutls: Added support for GOST key unmasking and unwrapped GOST private
   keys parsing, as specified in R 50.1.112-2016.
** gnutls-serv: It applies the default settings when no --priority option is given,
   using gnutls_set_default_priority().
** p11tool: Fix initialization of security officer's PIN with the --initialize-so-pin
   option (#561)
** certtool: Add parameter --no-text that prevents certtool from outputting
   text before PEM-encoded private key, public key, certificate, CRL or CSR.

** API and ABI modifications:
GNUTLS_AUTO_REAUTH: Added
GNUTLS_CIPHER_AES_128_CFB8: Added
GNUTLS_CIPHER_AES_192_CFB8: Added
GNUTLS_CIPHER_AES_256_CFB8: Added
GNUTLS_MAC_AES_CMAC_128: Added
GNUTLS_MAC_AES_CMAC_256: Added
gnutls_record_get_max_early_data_size: Added
gnutls_record_send_early_data: Added
gnutls_record_recv_early_data: Added
gnutls_db_check_entry_expire_time: Added
gnutls_anti_replay_set_add_function: Added
gnutls_anti_replay_init: Added
gnutls_anti_replay_deinit: Added
gnutls_anti_replay_set_window: Added
gnutls_anti_replay_enable: Added
gnutls_privkey_decrypt_data2: Added

Revision 1.190.2.1 / (download) - annotate - [select for diffs], Thu Nov 22 05:45:13 2018 UTC (4 years, 4 months ago) by spz
Branch: pkgsrc-2018Q3
Changes since 1.190: +2 -3 lines
Diff to previous 1.190 (colored) next main 1.191 (colored)

Pullup ticket #5880 - requested by nia
security/gnutls: security update

Revisions pulled up:
- security/gnutls/Makefile                                      1.191
- security/gnutls/PLIST                                         1.61
- security/gnutls/distinfo                                      1.131
- security/gnutls/patches/patch-doc_examples_tlsproxy_tlsproxy.c deleted

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	nia
   Date:		Fri Nov  9 18:03:45 UTC 2018

   Modified Files:
   	pkgsrc/security/gnutls: Makefile PLIST distinfo
   Removed Files:
   	pkgsrc/security/gnutls/patches: patch-doc_examples_tlsproxy_tlsproxy.c

   Log Message:
   gnutls: update to 3.6.4.

   * Version 3.6.4 (released 2018-09-24)

   ** libgnutls: Added the final (RFC8446) version numbering of the TLS1.3 protocol.

   ** libgnutls: Corrected regression since 3.6.3 in the callbacks set with
      gnutls_certificate_set_retrieve_function() which could not handle the case where
      no certificates were returned, or the callbacks were set to NULL (see #528).

   ** libgnutls: gnutls_handshake() on server returns early on handshake when no
      certificate is presented by client and the gnutls_init() flag GNUTLS_ENABLE_EARLY_START
      is specified.

   ** libgnutls: Added session ticket key rotation on server side with TOTP.
      The key set with gnutls_session_ticket_enable_server() is used as a
      master key to generate time-based keys for tickets. The rotation
      relates to the gnutls_db_set_cache_expiration() period.

   ** libgnutls: The 'record size limit' extension is added and preferred to the
      'max record size' extension when possible.

   ** libgnutls: Provide a more flexible PKCS#11 search of trust store certificates.
      This addresses the problem where the CA certificate doesn't have a subject key
      identifier whereas the end certificates have an authority key identifier (#569)

   ** libgnutls: gnutls_privkey_export_gost_raw2(), gnutls_privkey_import_gost_raw(),
      gnutls_pubkey_export_gost_raw2(), gnutls_pubkey_import_gost_raw() import
      and export GOST parameters in the "native" little endian format used for these
      curves. This is an intentional incompatible change with 3.6.3.

   ** libgnutls: Added support for seperately negotiating client and server certificate types
      as defined in RFC7250. This mechanism must be explicitly enabled via the
      GNUTLS_ENABLE_CERT_TYPE_NEG flag in gnutls_init().

   ** gnutls-cli: enable CRL validation on startup (#564)

   ** API and ABI modifications:
   GNUTLS_ENABLE_EARLY_START: Added
   GNUTLS_ENABLE_CERT_TYPE_NEG: Added
   GNUTLS_TL_FAIL_ON_INVALID_CRL: Added
   GNUTLS_CERTIFICATE_VERIFY_CRLS: Added
   gnutls_ctype_target_t: New enumeration
   gnutls_record_set_max_early_data_size: Added
   gnutls_certificate_type_get2: Added
   gnutls_priority_certificate_type_list2: Added
   gnutls_ffdhe_6144_group_prime: Added
   gnutls_ffdhe_6144_group_generator: Added
   gnutls_ffdhe_6144_key_bits: Added


   To generate a diff of this commit:
   cvs rdiff -u -r1.190 -r1.191 pkgsrc/security/gnutls/Makefile
   cvs rdiff -u -r1.60 -r1.61 pkgsrc/security/gnutls/PLIST
   cvs rdiff -u -r1.130 -r1.131 pkgsrc/security/gnutls/distinfo
   cvs rdiff -u -r1.1 -r0 \
       pkgsrc/security/gnutls/patches/patch-doc_examples_tlsproxy_tlsproxy.c

Revision 1.191 / (download) - annotate - [select for diffs], Fri Nov 9 18:03:45 2018 UTC (4 years, 4 months ago) by nia
Branch: MAIN
Changes since 1.190: +2 -3 lines
Diff to previous 1.190 (colored)

gnutls: update to 3.6.4.

* Version 3.6.4 (released 2018-09-24)

** libgnutls: Added the final (RFC8446) version numbering of the TLS1.3 protocol.

** libgnutls: Corrected regression since 3.6.3 in the callbacks set with
   gnutls_certificate_set_retrieve_function() which could not handle the case where
   no certificates were returned, or the callbacks were set to NULL (see #528).

** libgnutls: gnutls_handshake() on server returns early on handshake when no
   certificate is presented by client and the gnutls_init() flag GNUTLS_ENABLE_EARLY_START
   is specified.

** libgnutls: Added session ticket key rotation on server side with TOTP.
   The key set with gnutls_session_ticket_enable_server() is used as a
   master key to generate time-based keys for tickets. The rotation
   relates to the gnutls_db_set_cache_expiration() period.

** libgnutls: The 'record size limit' extension is added and preferred to the
   'max record size' extension when possible.

** libgnutls: Provide a more flexible PKCS#11 search of trust store certificates.
   This addresses the problem where the CA certificate doesn't have a subject key
   identifier whereas the end certificates have an authority key identifier (#569)

** libgnutls: gnutls_privkey_export_gost_raw2(), gnutls_privkey_import_gost_raw(),
   gnutls_pubkey_export_gost_raw2(), gnutls_pubkey_import_gost_raw() import
   and export GOST parameters in the "native" little endian format used for these
   curves. This is an intentional incompatible change with 3.6.3.

** libgnutls: Added support for seperately negotiating client and server certificate types
   as defined in RFC7250. This mechanism must be explicitly enabled via the
   GNUTLS_ENABLE_CERT_TYPE_NEG flag in gnutls_init().

** gnutls-cli: enable CRL validation on startup (#564)

** API and ABI modifications:
GNUTLS_ENABLE_EARLY_START: Added
GNUTLS_ENABLE_CERT_TYPE_NEG: Added
GNUTLS_TL_FAIL_ON_INVALID_CRL: Added
GNUTLS_CERTIFICATE_VERIFY_CRLS: Added
gnutls_ctype_target_t: New enumeration
gnutls_record_set_max_early_data_size: Added
gnutls_certificate_type_get2: Added
gnutls_priority_certificate_type_list2: Added
gnutls_ffdhe_6144_group_prime: Added
gnutls_ffdhe_6144_group_generator: Added
gnutls_ffdhe_6144_key_bits: Added

Revision 1.190 / (download) - annotate - [select for diffs], Thu Sep 27 18:32:35 2018 UTC (4 years, 5 months ago) by tnn
Branch: MAIN
CVS Tags: pkgsrc-2018Q3-base
Branch point for: pkgsrc-2018Q3
Changes since 1.189: +2 -1 lines
Diff to previous 1.189 (colored)

gnutls: be explicit about --without-idn

Revision 1.189 / (download) - annotate - [select for diffs], Fri Sep 21 14:20:11 2018 UTC (4 years, 6 months ago) by wiz
Branch: MAIN
Changes since 1.188: +2 -1 lines
Diff to previous 1.188 (colored)

gnutls: add another REPLACE_BASH so the tests all run through

Revision 1.188 / (download) - annotate - [select for diffs], Wed Aug 22 09:46:18 2018 UTC (4 years, 7 months ago) by wiz
Branch: MAIN
Changes since 1.187: +2 -2 lines
Diff to previous 1.187 (colored)

Recursive bump for perl5-5.28.0

Revision 1.187 / (download) - annotate - [select for diffs], Mon Aug 20 06:01:25 2018 UTC (4 years, 7 months ago) by wiz
Branch: MAIN
Changes since 1.186: +9 -2 lines
Diff to previous 1.186 (colored)

gnutls: Fix path to bash in installed files.

Bump PKGREVISION.

Revision 1.186 / (download) - annotate - [select for diffs], Sun Aug 19 09:16:01 2018 UTC (4 years, 7 months ago) by wiz
Branch: MAIN
Changes since 1.185: +1 -2 lines
Diff to previous 1.185 (colored)

gnutls: remove obsolete configure argument

Revision 1.185 / (download) - annotate - [select for diffs], Sun Aug 19 06:28:39 2018 UTC (4 years, 7 months ago) by wiz
Branch: MAIN
Changes since 1.184: +8 -6 lines
Diff to previous 1.184 (colored)

gnutls: build-depend on bash for the tests.

Replace interpreter in more shell scripts. Gets tests further along.

Revision 1.184 / (download) - annotate - [select for diffs], Thu Aug 16 11:05:47 2018 UTC (4 years, 7 months ago) by wiz
Branch: MAIN
Changes since 1.183: +3 -3 lines
Diff to previous 1.183 (colored)

gnutls: update to 3.6.3.

* Version 3.6.3 (released 2018-07-16)

** libgnutls: Introduced support for draft-ietf-tls-tls13-28. It includes version
   negotiation, post handshake authentication, length hiding, multiple OCSP support,
   consistent ciphersuite support across protocols, hello retry requests, ability
   to adjust key shares via gnutls_init() flags, certificate authorities extension,
   and key usage limits. TLS1.3 draft-28 support can be enabled by default if
   the option --enable-tls13-support is given to configure script.

** libgnutls: Apply compatibility settings for existing applications running with TLS1.2 or
   earlier and TLS 1.3. When SRP or NULL ciphersuites are specified in priority strings
   TLS 1.3 is will be disabled. When Anonymous ciphersuites are specified in priority
   strings, then TLS 1.3 negotiation will be disabled if the session is associated
   only with an anonymous credentials structure.

** Added support for Russian Public Key Infrastructure according to RFCs 4491/4357/7836.
   This adds support for using GOST keys for digital signatures and under PKCS#7, PKCS#12,
   and PKCS#8 standards. In particular added elliptic curves GOST R 34.10-2001 CryptoProA
   256-bit curve (RFC 4357), GOST R 34.10-2001 CryptoProXchA 256-bit curve (RFC 4357),
   and GOST R 34.10-2012 TC26-512-A 512-bit curve (RFC 7836).

** Provide a uniform cipher list across supported TLS protocols; the CAMELLIA ciphers
   as well as ciphers utilizing HMAC-SHA384 and SHA256 have been removed from the default
   priority strings, as they are undefined under TLS1.3 and they provide not advantage
   over other options in earlier protocols.

** The SSL 3.0 protocol is disabled on compile-time by default. It can be re-enabled
   by specifying --enable-ssl3-support on configure script.

** libgnutls: Introduced function to switch the current FIPS140-2 operational
   mode, i.e., strict vs a more lax mode which will allow certain non FIPS140-2
   operations.

** libgnutls: Introduced low-level function to assist applications attempting client
   hello extension parsing, prior to GnuTLS' parsing of the message.

** libgnutls: When exporting an X.509 certificate avoid re-encoding if there are no
   modifications to the certificate. That prevents DER re-encoding issues with incorrectly
   encoded certificates, or other DER incompatibilities to affect a TLS session.
   Relates with #403

** libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the groups
   which are preferred by the server. That unfortunately has complicated semantics
   as TLS1.2 requires specific ordering of the groups based on the ciphersuite ordering,
   which could make group order unpredictable if TLS1.3 is negotiated.

** Improved counter-measures for TLS CBC record padding. Kenny Paterson, Eyal Ronen
   and Adi Shamir reported that the existing counter-measures had certain issues and
   were insufficient when the attacker has additional access to the CPU cache and
   performs a chosen-plaintext attack. This affected the legacy CBC ciphersuites. [CVSS: medium]

** Introduced the %FORCE_ETM priority string option. This option prevents the negotiation
   of legacy CBC ciphersuites unless encrypt-then-mac is negotiated.

** libgnutls: gnutls_privkey_import_ext4() was enhanced with the
   GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag.

** libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2,
   gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default
   unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an API
   change for these functions which make them err towards safety.

** libgnutls: improved aarch64 cpu features detection by using getauxval().

** certtool: It is now possible to specify certificate and serial CRL numbers greater
   than 2**63-2 as a hex-encoded string both when prompted and in a template file.
   Default certificate serial numbers are now fully random. Default CRL
   numbers include more random bits and are larger than in previous GnuTLS versions.
   Since CRL numbers are required to be monotonic, specify suitable CRL numbers manually
   if you intend to later downgrade to previous versions as it was not possible
   to specify large CRL numbers in previous versions of certtool.

Revision 1.183 / (download) - annotate - [select for diffs], Fri Jul 6 16:15:28 2018 UTC (4 years, 8 months ago) by prlw1
Branch: MAIN
Changes since 1.182: +3 -3 lines
Diff to previous 1.182 (colored)

Update gnutls to 3.6.2

* Version 3.6.2 (released 2018-02-16)

** libgnutls: When verifying against a self signed certificate ignore issuer.
   That is, ignore issuer when checking the issuer's parameters strength, resolving
   issue #347 which caused self signed certificates to be additionally marked as of
   insufficient security level.

** libgnutls: Corrected MTU calculation for the CBC ciphersuites. The data
   MTU calculation now, it correctly accounts for the fixed overhead due to
   padding (as 1 byte), while at the same time considers the rest of the
   padding as part of data MTU.

** libgnutls: Address issue of loading of all PKCS#11 modules on startup
   on systems with a PKCS#11 trust store (as opposed to a file trust store).
   Introduced a multi-stage initialization which loads the trust modules, and
   other modules are deferred for the first pure PKCS#11 request.

** libgnutls: The SRP authentication will reject any parameters outside
   RFC5054. This protects any client from potential MitM due to insecure
   parameters. That also brings SRP in par with the RFC7919 changes to
   Diffie-Hellman.

** libgnutls: Added the 8192-bit parameters of SRP to the accepted parameters
   for SRP authentication.

** libgnutls: Addressed issue in the accelerated code affecting interoperability
   with versions of nettle >= 3.4.

** libgnutls: Addressed issue in the AES-GCM acceleration under aarch64.

** libgnutls: Addressed issue in the AES-CBC acceleration under ssse3 (patch by
   Vitezslav Cizek).

** srptool: the --create-conf option no longer includes 1024-bit parameters.

** p11tool: Fixed the deletion of objects in batch mode.

** API and ABI modifications:
gnutls_srp_8192_group_generator: Added
gnutls_srp_8192_group_prime: Added


* Version 3.6.1 (released 2017-10-21)

** libgnutls: Fixed interoperability issue with openssl when safe renegotiation was
   used. Resolves gitlab issue #259.

** libgnutls: gnutls_x509_crl_sign, gnutls_x509_crt_sign,
   gnutls_x509_crq_sign, were modified to sign with a better algorithm than
   SHA1. They will now sign with an algorithm that corresponds to the security
   level of the signer's key.

** libgnutls: gnutls_x509_*_sign2() functions and gnutls_x509_*_privkey_sign()
   accept GNUTLS_DIG_UNKNOWN (0) as a hash function option. That will signal
   the function to auto-detect an appropriate hash algorithm to use.

** libgnutls: Removed support for signature algorithms using SHA2-224 in TLS.
   TLS 1.3 no longer uses SHA2-224 and it was never a widespread algorithm
   in TLS 1.2. As such, no reason to keep supporting it.

** libgnutls: Refuse to use client certificates containing disallowed
   algorithms for a session. That reverts a change on 3.5.5, which allowed
   a client to use DSA-SHA1 due to his old DSA certificate, without requiring him
   to enable DSA-SHA1 (and thus make it acceptable for the server's certificate).
   The previous approach was to allow a smooth move for client infrastructure
   after the DSA algorithm became disabled by default, and is no longer necessary
   as DSA is now being universally deprecated.

** libgnutls: Refuse to resume a session which had a different SNI advertised. That
   improves RFC6066 support in server side. Reported by Thomas Klute.

** p11tool: Mark all generated objects as sensitive by default.

** p11tool: added options --sign-params and --hash. This allows testing
   signature with multiple algorithms, including RSA-PSS.

** API and ABI modifications:
No changes since last version.

Revision 1.182 / (download) - annotate - [select for diffs], Mon Jun 4 16:12:52 2018 UTC (4 years, 9 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2018Q2-base, pkgsrc-2018Q2
Changes since 1.181: +2 -2 lines
Diff to previous 1.181 (colored)

gnutls: Bump PKGREVISION for dependency removal

Revision 1.181 / (download) - annotate - [select for diffs], Mon Jun 4 12:45:47 2018 UTC (4 years, 9 months ago) by leot
Branch: MAIN
Changes since 1.180: +2 -1 lines
Diff to previous 1.180 (colored)

gnutls: Fix build if devel/autogen package is installed

Without including the autogen bl3 if devel/autogen package was
installed autogen (the tool) was used but then the build failed
because it tried to include <autoopts/options.h> unconditionally.

Add `--enable-local-libopts' to CONFIGURE_ARGS to avoid that.

Revision 1.180 / (download) - annotate - [select for diffs], Mon Jun 4 11:16:12 2018 UTC (4 years, 9 months ago) by youri
Branch: MAIN
Changes since 1.179: +15 -16 lines
Diff to previous 1.179 (colored)

Remove autogen dependency and make pkglint happy.

Revision 1.179 / (download) - annotate - [select for diffs], Sun Apr 29 06:03:44 2018 UTC (4 years, 10 months ago) by dholland
Branch: MAIN
Changes since 1.178: +2 -2 lines
Diff to previous 1.178 (colored)

Bump PKGREVISION for previous.

Revision 1.178 / (download) - annotate - [select for diffs], Sun Apr 29 04:09:08 2018 UTC (4 years, 10 months ago) by dholland
Branch: MAIN
Changes since 1.177: +2 -1 lines
Diff to previous 1.177 (colored)

Set BUILDLINK_API_DEPENDS.gmp to require gmp>=5.0, per PR 52250.
Otherwise on Solaris it finds a really old builtin gmp and fails.

Revision 1.177 / (download) - annotate - [select for diffs], Tue Apr 17 13:28:53 2018 UTC (4 years, 11 months ago) by wiz
Branch: MAIN
Changes since 1.176: +4 -2 lines
Diff to previous 1.176 (colored)

gnutls: enable p11-kit.

PKCS#11 support is needed by glib-networking.

Revision 1.176 / (download) - annotate - [select for diffs], Wed Sep 6 13:41:26 2017 UTC (5 years, 6 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2018Q1-base, pkgsrc-2018Q1, pkgsrc-2017Q4-base, pkgsrc-2017Q4, pkgsrc-2017Q3-base, pkgsrc-2017Q3
Changes since 1.175: +3 -4 lines
Diff to previous 1.175 (colored)

Updated gnutls to 3.6.0.

* Version 3.6.0 (released 2017-08-21)

** libgnutls: tlsfuzzer is part of the CI testsuite. This is a TLS testing and
   fuzzying toolkit, allowing for corner case testing, and ensuring that the
   behavior of the library will not change across releases.
   https://github.com/tomato42/tlsfuzzer

** libgnutls: Introduced a lock-free random generator which operates per-thread
   and eliminates random-generator related bottlenecks in multi-threaded operation.
   Resolves gitlab issue #141.
   http://nmav.gnutls.org/2017/03/improving-by-simplifying-gnutls-prng.html

** libgnutls: Replaced the Salsa20 random generator with one based on CHACHA.
   The goal is to reduce code needed in cache (CHACHA is also used for TLS),
   and the number of primitives used by the library. That does not affect the
   AES-DRBG random generator used in FIPS140-2 mode.

** libgnutls: Added support for RSA-PSS key type as well as signatures in
   certificates, and TLS key exchange. Contributed by Daiki Ueno.
   RSA-PSS signatures can be generated by RSA-PSS keys and normal RSA keys,
   but not vice-versa.  The feature includes:
     * RSA-PSS key generation and key handling (in PKCS#8 form)
     * RSA-PSS key generation and key handling from PKCS#11 (with CKM_RSA_PKCS_PSS mech)
     * Handling of RSA-PSS subjectPublicKeyInfo parameters, when present
       in either the private key or certificate.
     * RSA-PSS signing and verification of PKIX certificates
     * RSA-PSS signing and verification of TLS 1.2 handshake
     * RSA-PSS signing and verification of PKCS#7 structures
     * RSA-PSS and RSA key combinations for TLS credentials. That is, when
       multiple keys are supplied, RSA-PSS keys are preferred over RSA for RSA-PSS
       TLS signatures, to contain risks of cross-protocol attacks between the algorithms.
     * RSA-PSS key conversion to RSA PKCS#1 form (certtool --to-rsa)
   Note that RSA-PSS signatures with SHA1 are (intentionally) not supported.

** libgnutls: Added support for Ed25519 signing in certificates and TLS key
   exchange following draft-ietf-tls-rfc4492bis-17.  The feature includes:
     * Ed25519 key generation and key handling (in PKCS#8 form)
     * Ed25519 signing and verification of PKIX certificates
     * Ed25519 signing and verification of TLS 1.2 handshake
     * Ed25519 signing and verification of PKCS#7 structures

** libgnutls: Enabled X25519 key exchange by default, following draft-ietf-tls-rfc4492bis-17.

** libgnutls: Added support for Diffie-Hellman group negotiation following RFC7919.
   That makes the DH parameters negotiation more robust and less prone to errors
   due to insecure parameters. Servers are no longer required to specific explicit
   DH parameters, though if they do these parameters will be used. Group
   selection can be done via priority strings. The introduced strings are
   GROUP-ALL, GROUP-FFDHE2048, GROUP-FFDHE3072, GROUP-FFDHE4096 and
   GROUP-FFDHE8192, as well as the corresponding to curves groups. Note that
   the 6144 group from RFC7919 is not supported.

** libgnutls: Introduced various sanity checks on certificate import. Refuse
   to import certificates which have fractional seconds in Time fields, X.509v1
   certificates which have the unique identifiers set, and certificates with illegal
   version numbers. All of these are prohibited by RFC5280.

** libgnutls: Introduced gnutls_x509_crt_set_flags(). This function can set flags
   in the crt structure. The only flag supported at the moment is
   GNUTLS_X509_CRT_FLAG_IGNORE_SANITY which skips the certificate sanity
   checks on import.

** libgnutls: PKIX certificates with unknown critical extensions are rejected
   on verification with status GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS. This
   behavior can be overriden by providing the flag GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS
   to verification functions. Resolves gitlab issue #177.

** libgnutls: Refuse to generate a certificate with an illegal version, or an
   illegal serial number. That is, gnutls_x509_crt_set_version() and
   gnutls_x509_crt_set_serial(), will fail on input considered to be invalid
   in RFC5280.

** libgnutls: Calls to gnutls_record_send() and gnutls_record_recv()
   prior to handshake being complete are now refused. Addresses gitlab issue #158.

** libgnutls: Added support for PKCS#12 files with no salt (zero length) in their
   password encoding, and PKCS#12 files using SHA384 and SHA512 as MAC.

** libgnutls: Exported functions to encode and decode DSA and ECDSA r,s values.

** libgnutls: Added new callback setting function to gnutls_privkey_t for external
   keys. The new function (gnutls_privkey_import_ext4), allows signing in addition
   to previous algorithms (RSA PKCS#1 1.5, DSA, ECDSA), with RSA-PSS and Ed25519
   keys.

** libgnutls: Introduced the %VERIFY_ALLOW_BROKEN and %VERIFY_ALLOW_SIGN_WITH_SHA1
   priority string options. These allows enabling all broken and SHA1-based signature
   algorithms in certificate verification, respectively.

** libgnutls: 3DES-CBC is no longer included in the default priorities
   list. It has to be explicitly enabled, e.g., with a string like
   "NORMAL:+3DES-CBC".

** libgnutls: SHA1 was marked as insecure for signing certificates. Verification
   of certificates signed with SHA1 is now considered insecure and will
   fail, unless flags intended to enable broken algorithms are set. Other uses
   of SHA1 are still allowed. This can be reverted on compile time with the configure
   flag --enable-sha1-support.

** libgnutls: RIPEMD160 was marked as insecure for certificate signatures. Verification
   of certificates signed with RIPEMD160 hash algorithm is now considered insecure and
   will fail, unless flags intended to enable broken algorithms are set.

** libgnutls: No longer enable SECP192R1 and SECP224R1 by default on TLS handshakes.
   These curves were rarely used for that purpose, provide no advantage over
   x25519 and were deprecated by TLS 1.3.

** libgnutls: Removed support for DEFLATE, or any other compression method.

** libgnutls: OpenPGP authentication was removed; the resulting library is ABI
   compatible, with the openpgp related functions being stubs that fail
   on invocation.

** libgnutls: Removed support for libidn (i.e., IDNA2003); gnutls can now be compiled
   only with libidn2 which provides IDNA2008.

** certtool: The option '--load-ca-certificate' can now accept PKCS#11
   URLs in addition to files.

** certtool: The option '--load-crl' can now be used when generating PKCS#12
   files (i.e., in conjunction with '--to-p12' option).

** certtool: Keys with provable RSA and DSA parameters are now only read and
   exported from PKCS#8 form, following draft-mavrogiannopoulos-pkcs8-validated-parameters-00.txt.
   This removes support for the previous a non-standard key format.

** certtool: Added support for generating, printing and handling RSA-PSS and
   Ed25519 keys and certificates.

** certtool: the parameters --rsa, --dsa and --ecdsa to --generate-privkey are now
   deprecated, replaced by the --key-type option.

** p11tool: The --generate-rsa, --generate-ecc and --generate-dsa options were
   replaced by the --generate-privkey option.

** psktool: Generate 256-bit keys by default.

** gnutls-server: Increase request buffer size to 16kb, and added the --alpn and
   --alpn-fatal options, allowing testing of ALPN negotiation.

** API and ABI modifications:
gnutls_encode_rs_value: Added
gnutls_decode_rs_value: Added
gnutls_base64_encode2: Added
gnutls_base64_decode2: Added
gnutls_x509_crt_set_flags: Added
gnutls_x509_crt_check_ip: Added
gnutls_x509_ext_import_inhibit_anypolicy: Added
gnutls_x509_ext_export_inhibit_anypolicy: Added
gnutls_x509_crt_get_inhibit_anypolicy: Added
gnutls_x509_crt_set_inhibit_anypolicy: Added
gnutls_pubkey_export_rsa_raw2: Added
gnutls_pubkey_export_dsa_raw2: Added
gnutls_pubkey_export_ecc_raw2: Added
gnutls_privkey_export_rsa_raw2: Added
gnutls_privkey_export_dsa_raw2: Added
gnutls_privkey_export_ecc_raw2: Added
gnutls_x509_spki_init: Added
gnutls_x509_spki_deinit: Added
gnutls_x509_spki_get_pk_algorithm: Added
gnutls_x509_spki_set_pk_algorithm: Added
gnutls_x509_spki_get_digest_algorithm: Added
gnutls_x509_spki_set_digest_algorithm: Added
gnutls_x509_spki_get_salt_size: Added
gnutls_x509_spki_set_salt_size: Added
gnutls_x509_crt_set_spki: Added
gnutls_x509_crt_get_spki: Added
gnutls_x509_privkey_get_spki: Added
gnutls_x509_privkey_set_spki: Added
gnutls_x509_crq_get_spki: Added
gnutls_x509_crq_set_spki: Added
gnutls_pubkey_set_spki: Added
gnutls_pubkey_get_spki: Added
gnutls_privkey_set_spki: Added
gnutls_privkey_get_spki: Added
gnutls_privkey_import_ext4: Added
GNUTLS_EXPORT_FLAG_NO_LZ: Added
GNUTLS_DT_IP_ADDRESS: Added
GNUTLS_X509_CRT_FLAG_IGNORE_SANITY: Added
GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS: Added
GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1: Added
GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES: Added
GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS: Added
GNUTLS_SFLAGS_RFC7919: Added

Revision 1.175 / (download) - annotate - [select for diffs], Thu Aug 31 10:18:12 2017 UTC (5 years, 6 months ago) by wiz
Branch: MAIN
Changes since 1.174: +2 -3 lines
Diff to previous 1.174 (colored)

Updated gnutls to 3.5.15.

* Version 3.5.15 (released 2017-08-21)

** libgnutls: Disable hardware acceleration on aarch64/ilp32 mode. There is
   no assembler code included for this CPU mode.

** certtool: Keys with provable RSA and DSA parameters are now only exported
   in PKCS#8 form, following draft-mavrogiannopoulos-pkcs8-validated-parameters-00.txt.
   This removes the need for a non-standard key format.

** API and ABI modifications:
No changes since last version.


* Version 3.5.14 (released 2017-07-04)

** libgnutls: Handle specially HSMs which request explicit authentication.
   There are HSMs which return CKR_USER_NOT_LOGGED_IN on the first private key
   operation. Detect that state and try to login.

** libgnutls: the GNUTLS_PKCS11_OBJ_FLAG_LOGIN will force a login on HSMs.
   That is, even in tokens which do not have a CKF_LOGIN_REQUIRED flag
   a login will be forced. This improves operation on certain Safenet HSMs.

** libgnutls: do not set leading zeros when copying integers on HSMs.
   PKCS#11 defines integers as unsigned having most significant byte
   first, e.g., 32768 = 0x80 0x00. This is interpreted literraly by
   some HSMs which do not accept an integer with a leading zero. This
   improves operation with certain Atos HSMs.

** libgnutls: Fixed issue discovering certain OCSP signers, and improved the
   discovery of OCSP signer in the case where the Subject Public Key
   identifier field matches. Resolves gitlab issue #223.

** gnutls-cli: ensure OCSP responses are saved with --save-ocsp even if
   certificate verification fails.

** API and ABI modifications:
No changes since last version.

Revision 1.174 / (download) - annotate - [select for diffs], Tue Aug 22 12:05:45 2017 UTC (5 years, 7 months ago) by jmcneill
Branch: MAIN
Changes since 1.173: +3 -1 lines
Diff to previous 1.173 (colored)

Make sure the configure script picks up the correct copy of libintl

Revision 1.173 / (download) - annotate - [select for diffs], Tue Aug 8 16:38:41 2017 UTC (5 years, 7 months ago) by jlam
Branch: MAIN
Changes since 1.172: +2 -2 lines
Diff to previous 1.172 (colored)

DOCDIR is not defined anywhere in the Makefile.

Revision 1.172 / (download) - annotate - [select for diffs], Fri Jun 30 06:15:44 2017 UTC (5 years, 8 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2017Q2-base, pkgsrc-2017Q2
Changes since 1.171: +2 -2 lines
Diff to previous 1.171 (colored)

Updated gnutls to 3.5.13.

While here, remove empty line from PLIST.

* Version 3.5.13 (released 2017-06-07)

** libgnutls: fixed issue with AES-GCM in-place encryption and decryption in
   aarch64. Resolves gitlab issue #204.

** libgnutls: no longer parse the ResponseID field of the status response
   TLS extension. The field is not used by GnuTLS nor is made available to
   calling applications. That addresses a null pointer dereference on server
   side caused by packets containing the ResponseID field. Reported
   by Hubert Kario. [GNUTLS-SA-2017-4]

** libgnutls: tolerate certificates which do not have strict DER time encoding.
   It is possible using 3rd party tools to generate certificates with time fields
   that do not conform to DER requirements. Since 3.4.x these certificates were rejected
   and cannot be used with GnuTLS, however that caused problems with existing private
   certificate infrastructures, which were relying on such certificates (see gitlab
   issue #196). Tolerate reading and using these certificates.

** minitasn1: updated to libtasn1 4.11.

** certtool: allow multiple certificates to be used in --p7-sign with
   the --load-certificate option. Patch by Karl Tarbe.

Revision 1.171 / (download) - annotate - [select for diffs], Thu May 18 07:54:26 2017 UTC (5 years, 10 months ago) by he
Branch: MAIN
Changes since 1.170: +2 -2 lines
Diff to previous 1.170 (colored)

Update to GnuTLS 3.5.12.

Pkgsrc changes:
Adapt PLIST.

Upstream changes:

* Version 3.5.12 (released 2017-05-11)

** libgnutls: enabled TCP Fast open for MacOSX. Patch by Tim Ruehsen.

** libgnutls: gnutls_x509_crt_check_hostname2() no longer matches IP addresses
   against DNS fields of certificate (CN or DNSname). The previous behavior
   was to tolerate some misconfigured servers, but that was non-standard
   and skipped any IP constraints present in higher level certificates.

** libgnutls: when converting to IDNA2008, fallback to IDNA2003
   (i.e., transitional encoding) if the domain cannot be converted.
   That provides maximum compatibility with browsers like firefox
   that perform the same conversion.

** libgnutls: fix issue in RSA-PSK client callback which resulted
   in no username being sent to the peer. Patch by Nicolas Dufresne.

** libgnutls: fix regression causing stapled extensions in trust modules not
   to be considered.

** certtool: introduced the email_protection_key option.  This
   option was introduced in documentation for certtool without an
   implementation of it.  It is a shortcut for option 'key_purpose_oid
   = 1.3.6.1.5.5.7.3.4'.

** certtool: made printing of key ID and key PIN consistent between
   certificates, public keys, and private keys. That is the private
   key printing now uses the same format as the rest.

** gnutls-cli: introduced the --sni-hostname option. This allows overriding the
   hostname advertised to the peer.

** API and ABI modifications:
No changes since last version.


* Version 3.5.11 (released 2017-04-07)

** gnutls.pc: do not include libtool options into Libs.private.

** libgnutls: Fixed issue when rehandshaking without a client certificate in
   a session which initially used one. Reported by Frantisek Sumsal.

** libgnutls: Addressed read of 4 bytes past the end of buffer in OpenPGP
   certificate parsing. Issues found using oss-fuzz project and were fixed
   by Alex Gaynor:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=737
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=824

** libgnutls: Introduced locks in gnutls_pkcs11_privkey_t structure access.
   That allows PKCS#11 operations such as signing to be performed with the
   same object from multiple threads.

** libgnutls: Added support for MacOSX key chain for obtaining
   trust store's root CA certificates. That is,
   gnutls_x509_trust_list_add_system_trust() and
   gnutls_certificate_set_x509_system_trust() will load the certificates
   from the key chain. That also means that we no longer check for a
   default trust store file in configure when building on MacOSX (unless
   explicitly asked to).  Patch by David Caldwell.

** libgnutls: when disabling OpenPGP authentication, the resulting library
   is ABI compatible (with openpgp related functions being stubs that fail
   on invocation).

** API and ABI modifications:
No changes since last version.


* Version 3.5.10 (released 2017-03-06)

** gnutls.pc: do not include libidn2 in Requires.private. The
   libidn2 versions available do not include libidn2.pc, thus the
   inclusion was causing pkg-config issues. Instead we include
   -lidn2 in Libs.private when compile against libidn2.

** libgnutls: optimized access to subject alternative names (SANs)
   in parsed certificates. The previous implementation assumed a
   small number of SANs in a certificate, with repeated calls to
   ASN.1 decoding of the extension without any intermediate caching.
   That caused delays in certificates with a long list of names in
   functions such as gnutls_x509_crt_check_hostname().  With the
   current code, the SANs are parsed once on certificate import.
   Resolves gitlab issue #165.

** libgnutls: Addressed integer overflow resulting to invalid memory
   write in OpenPGP certificate parsing. Issue found using oss-fuzz
   project:  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420
   [GNUTLS-SA-2017-3A]

** libgnutls: Addressed read of 1 byte past the end of buffer in OpenPGP
   certificate parsing. Issue found using oss-fuzz project:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=391

** libgnutls: Addressed crashes in OpenPGP certificate parsing, related
   to private key parser. No longer allow OpenPGP certificates (public keys)
   to contain private key sub-packets. Issue found using oss-fuzz project:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360 [GNUTLS-SA-2017-3B]

** libgnutls: Addressed large allocation in OpenPGP certificate parsing, that
   could lead in out-of-memory condition. Issue found using oss-fuzz project,
   and was fixed by Alex Gaynor:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392 [GNUTLS-SA-2017-3C]

** libgnutls: Print the key PIN value used by the HPKP protocol as per RFC7469
   when printing certificate information.

** libgnutls: gnutls_ocsp_resp_verify_direct() and gnutls_ocsp_resp_verify()
   flags can be set from the gnutls_certificate_verify_flags enumeration.
   This allows the functions to pass the same flags available for certificates
   to the verification function (e.g., GNUTLS_VERIFY_DISABLE_TIME_CHECKS or
   GNUTLS_VERIFY_ALLOW_BROKEN).

** libgnutls: gnutls_store_commitment() can accept flag
   GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN. This is to allow the function to operate
   in applications which use SHA1 for example, after SHA1 is deprecated.

** certtool: No longer ignore the 'add_critical_extension' template option if
   the 'add_extension' option is not present.

** gnutls-cli: Added LMTP, POP3, NNTP, Sieve and PostgreSQL support to the
   starttls-proto command. Patch by Robert Scheck.

** API and ABI modifications:
No changes since last version.

Revision 1.170 / (download) - annotate - [select for diffs], Sun Feb 26 09:19:56 2017 UTC (6 years ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2017Q1-base, pkgsrc-2017Q1
Changes since 1.169: +9 -11 lines
Diff to previous 1.169 (colored)

* Version 3.5.9 (released 2017-02-12)

** libgnutls: Removed any references to OpenPGP functionality in documentation,
   and marked all functions in openpgp.h as deprecated. That functionality
   is considered deprecated and should not be used for other reason than
   backwards compatibility.

** libgnutls: Improve detection of AVX support. In certain cases when
   when the instruction was available on the host, but not on a VM running
   gnutls, detection could fail causing illegal instruction usage.

** libgnutls: Added support for IDNA2008 for internationalized DNS names.
   If gnutls is compiled using libidn2 (the latest version is recommended),
   it will support IDNA2008 instead of the now obsolete IDNA2003 standard.
   Resolves gitlab issue 150. Based on patch by Tim Ruehsen.

** p11tool: re-use ID from corresponding objects when writing certificates.
   That is, when writing a certificate which has a corresponding public key,
   or private key in the token, ensure that we use the same ID for the
   certificate.

** API and ABI modifications:
gnutls_idna_map: Added
gnutls_idna_reverse_map: Added

Revision 1.167.4.1 / (download) - annotate - [select for diffs], Thu Jan 19 19:55:17 2017 UTC (6 years, 2 months ago) by bsiegert
Branch: pkgsrc-2016Q4
Changes since 1.167: +17 -15 lines
Diff to previous 1.167 (colored) next main 1.168 (colored)

Pullup ticket #5185 - requested by wiz
security/gnutls: security fix

Revisions pulled up:
- security/gnutls/Makefile                                      1.168-1.169
- security/gnutls/PLIST                                         1.54
- security/gnutls/distinfo                                      1.122
- security/gnutls/patches/patch-tests_mini-server-name.c        deleted

---
   Module Name:	pkgsrc
   Committed By:	maya
   Date:		Sat Jan  7 18:49:16 UTC 2017

   Modified Files:
   	pkgsrc/security/gnutls: Makefile

   Log Message:
   gnutls: don't redefine max_align_t on FreeBSD. It incorrectly fails the
   configure test because the type in stddef.h is guarded by a c11 macro
   (most likely).

   Force the configure test to pass.

   From David Shao in PR pkg/51793 (originally from FreeBSD ports).

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Tue Jan 10 16:23:50 UTC 2017

   Modified Files:
   	pkgsrc/security/gnutls: Makefile PLIST distinfo
   Removed Files:
   	pkgsrc/security/gnutls/patches: patch-tests_mini-server-name.c

   Log Message:
   Updated gnutls to 3.5.8.

   * Version 3.5.8 (released 2016-01-09)

   ** libgnutls: Ensure that multiple calls to the gnutls_set_priority_*
     functions will not leave the verification profiles field to an
     undefined state. The last call will take precedence.

   ** libgnutls: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned
     by PKCS#8 decryption functions when an invalid key is provided. This
     addresses regression on decrypting certain PKCS#8 keys.

   ** libgnutls: Introduced option to override the default priority string
     used by the library. The intention is to allow support of system-wide
     priority strings (as set with --with-system-priority-file). The
     configure option is --with-default-priority-string.

   ** libgnutls: Require a valid IV size on all ciphers for PKCS#8 decryption.
     This prevents crashes when decrypting malformed PKCS#8 keys.

   ** libgnutls: Fix crash on the loading of malformed private keys with certain
     parameters set to zero.

   ** libgnutls: Fix double free in certificate information printing. If the PKIX
     extension proxy was set with a policy language set but no policy specified,
     that could lead to a double free.

   ** libgnutls: Addressed memory leaks in client and server side error paths
     (issues found using oss-fuzz project)

   ** libgnutls: Addressed memory leaks in X.509 certificate printing error paths
     (issues found using oss-fuzz project)

   ** libgnutls: Addressed memory leaks and an infinite loop in OpenPGP certificate
     parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project)

   ** libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing.
     (issues found using oss-fuzz project)

   ** API and ABI modifications:
   No changes since last version.

   * Version 3.5.7 (released 2016-12-8)

   ** libgnutls: Include CHACHA20-POLY1305 ciphersuites in the SECURE128
     and SECURE256 priority strings.

   ** libgnutls: Require libtasn1 4.9; this ensures gnutls will correctly
     operate with OIDs which have elements that exceed 2^32.

   ** libgnutls: The DN decoding functions output the traditional DN format
     rather than the strict RFC4514 compliant textual DN. This reverts the
     3.5.6 introduced change, and allows applications which depended on the
     previous format to continue to function. Introduced new functions which
     output the strict format by default, and can revert to the old one using
     a flag.

   ** libgnutls: Improved TPM key handling. Check authorization requirements
     prior to using a key and fix issue on loop for PIN input. Patches by
     James Bottomley.

   ** libgnutls: In all functions accepting UTF-8 passwords, ensure that
     passwords are normalized according to RFC7613. When invalid UTF-8
     passwords are detected, they are only tolerated for decryption.
     This introduces a libunistring dependency on GnuTLS. A version of
     libunistring is included in the library for the platforms that do
     not ship it; it can be used with the '--with-included-unistring'
     option to configure script.

   ** libgnutls: When setting a subject alternative name in a certificate
     which is in UTF-8 format, it will transparently be converted to IDNA form
     prior to storing.

   ** libgnutls: GNUTLS_CRT_PRINT_ONELINE flag on gnutls_x509_crt_print()
     will print the SHA256 key-ID instead of a certificate fingerprint.

   ** libgnutls: enhance the PKCS#7 verification capabilities. In the case
     signers that are not discoverable using the trust list or input, use
     the stored list as pool to generate a trusted chain to the signer.

   ** libgnutls: Improved MTU calculation precision for the CBC ciphersuites
     under DTLS.

   ** libgnutls: [added missing news entry since 3.5.0]
     No longer tolerate certificate key usage violations for
     TLS signature verification, and decryption. That is GnuTLS will fail
     to connect to servers which incorrectly use a restricted to signing certificate
     for decryption, or vice-versa. This reverts the lax behavior introduced
     in 3.1.0, due to several such broken servers being available. The %COMPAT
     priority keyword can be used to work-around connecting on these servers.

   ** certtool: When exporting a CRQ in DER format ensure no text data are
     intermixed. Patch by Dmitry Eremin-Solenikov.

   ** certtool: Include the SHA-256 variant of key ID in --certificate-info
     options.

   ** p11tool: Introduced the --initialize-pin and --initialize-so-pin
     options.

   ** API and ABI modifications:
   gnutls_utf8_password_normalize: Added
   gnutls_ocsp_resp_get_responder2: Added
   gnutls_x509_crt_get_issuer_dn3: Added
   gnutls_x509_crt_get_dn3: Added
   gnutls_x509_rdn_get2: Added
   gnutls_x509_dn_get_str2: Added
   gnutls_x509_crl_get_issuer_dn3: Added
   gnutls_x509_crq_get_dn3: Added

   * Version 3.5.6 (released 2016-11-04)

   ** libgnutls: Enhanced the PKCS#7 parser to allow decoding old
     (pre-rfc5652) structures with arbitrary encapsulated content.

   ** libgnutls: Introduced a function group to set known DH parameters
     using groups from RFC7919.

   ** libgnutls: Added more strict RFC4514 textual DN encoding and decoding.
     Now the generated textual DN is in reverse order according to RFC4514,
     and functions which generate a DN from strings such gnutls_x509_crt_set_*dn()
     set the expected DN (reverse of the provided string).

   ** libgnutls: Introduced time and constraints checks in the end certificate
     in the gnutls_x509_crt_verify_data2() and gnutls_pkcs7_verify_direct()
     functions.

   ** libgnutls: Set limits on the maximum number of alerts handled. That is,
     applications using gnutls could be tricked into an busy loop if the
     peer sends continuously alert messages. Applications which set a maximum
     handshake time (via gnutls_handshake_set_timeout) will eventually recover
     but others may remain in a busy loops indefinitely. This is related but
     not identical to CVE-2016-8610, due to the difference in alert handling
     of the libraries (gnutls delegates that handling to applications).

   ** libgnutls: Reverted the change which made the gnutls_certificate_set_*key*
     functions return an index (introduced in 3.5.5), to avoid affecting programs
     which explicitly check success of the function as equality to zero. In order
     for these functions to return an index an explicit call to gnutls_certificate_set_flags
     with the GNUTLS_CERTIFICATE_API_V2 flag is now required.

   ** libgnutls: Reverted the behavior of sending a status request extension even
     without a response (introduced in 3.5.5). That is, we no longer reply to a
     client's hello with a status request, with a status request extension. Although
     that behavior is legal, it creates incompatibility issues with releases in
     the gnutls 3.3.x branch.

   ** libgnutls: Delayed the initialization of the random generator at
     the first call of gnutls_rnd(). This allows applications to load
     on systems which getrandom() would block, without blocking until
     real random data are needed.

   ** certtool: --get-dh-params will output parameters from the RFC7919
     groups.

   ** p11tool: improvements in --initialize option.

   ** API and ABI modifications:
   GNUTLS_CERTIFICATE_API_V2: Added
   GNUTLS_NO_TICKETS: Added
   gnutls_pkcs7_get_embedded_data_oid: Added
   gnutls_anon_set_server_known_dh_params: Added
   gnutls_certificate_set_known_dh_params: Added
   gnutls_psk_set_server_known_dh_params: Added
   gnutls_x509_crt_check_key_purpose: Added

   * Version 3.5.5 (released 2016-10-09)

   ** libgnutls: enhanced gnutls_certificate_set_ocsp_status_request_file()
     to allow importing multiple OCSP request files, one for each chain
     provided.

   ** libgnutls: The gnutls_certificate_set_key* functions return an
     index of the added chain. That index can be used either with
     gnutls_certificate_set_ocsp_status_request_file(), or with
     gnutls_certificate_get_crt_raw() and friends.

   ** libgnutls: Added SHA*, AES-GCM, AES-CCM and AES-CBC optimized implementations
     for the aarch64 architecture. Uses Andy Polyakov's assembly code.

   ** libgnutls: Ensure proper cleanups on gnutls_certificate_set_*key()
     failures due to key mismatch. This prevents leaks or double freeing
     on such failures.

   ** libgnutls: Increased the maximum size of the handshake message hash.
     This will allow the library to cope better with larger packets, as
     the ones offered by current TLS 1.3 drafts.

   ** libgnutls: Allow to use client certificates despite them containing
     disallowed algorithms for a session. That allows for example a client
     to use DSA-SHA1 due to his old DSA certificate, without requiring him
     to enable DSA-SHA1 (and thus make it acceptable for the server's certificate).

   ** libgnutls: Reverted AESNI code on x86 to earlier version as the
     latest version was creating position depending code. Added checks
     in the CI to detect position depending code early.

   ** guile: Update code to the I/O port API of Guile >= 2.1.4
     This makes sure the GnuTLS bindings will work with the forthcoming 2.2
     stable series of Guile, of which 2.1 is a preview.

   ** API and ABI modifications:
   gnutls_certificate_set_ocsp_status_request_function2: Added
   gnutls_session_ext_register: Added
   gnutls_session_supplemental_register: Added
   GNUTLS_E_PK_INVALID_PUBKEY: Added
   GNUTLS_E_PK_INVALID_PRIVKEY: Added

Revision 1.169 / (download) - annotate - [select for diffs], Tue Jan 10 16:23:49 2017 UTC (6 years, 2 months ago) by wiz
Branch: MAIN
Changes since 1.168: +6 -6 lines
Diff to previous 1.168 (colored)

Updated gnutls to 3.5.8.

* Version 3.5.8 (released 2016-01-09)

** libgnutls: Ensure that multiple calls to the gnutls_set_priority_*
   functions will not leave the verification profiles field to an
   undefined state. The last call will take precedence.

** libgnutls: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned
   by PKCS#8 decryption functions when an invalid key is provided. This
   addresses regression on decrypting certain PKCS#8 keys.

** libgnutls: Introduced option to override the default priority string
   used by the library. The intention is to allow support of system-wide
   priority strings (as set with --with-system-priority-file). The
   configure option is --with-default-priority-string.

** libgnutls: Require a valid IV size on all ciphers for PKCS#8 decryption.
   This prevents crashes when decrypting malformed PKCS#8 keys.

** libgnutls: Fix crash on the loading of malformed private keys with certain
   parameters set to zero.

** libgnutls: Fix double free in certificate information printing. If the PKIX
   extension proxy was set with a policy language set but no policy specified,
   that could lead to a double free.

** libgnutls: Addressed memory leaks in client and server side error paths
   (issues found using oss-fuzz project)

** libgnutls: Addressed memory leaks in X.509 certificate printing error paths
   (issues found using oss-fuzz project)

** libgnutls: Addressed memory leaks and an infinite loop in OpenPGP certificate
   parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project)

** libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing.
   (issues found using oss-fuzz project)

** API and ABI modifications:
No changes since last version.


* Version 3.5.7 (released 2016-12-8)

** libgnutls: Include CHACHA20-POLY1305 ciphersuites in the SECURE128
   and SECURE256 priority strings.

** libgnutls: Require libtasn1 4.9; this ensures gnutls will correctly
   operate with OIDs which have elements that exceed 2^32.

** libgnutls: The DN decoding functions output the traditional DN format
   rather than the strict RFC4514 compliant textual DN. This reverts the
   3.5.6 introduced change, and allows applications which depended on the
   previous format to continue to function. Introduced new functions which
   output the strict format by default, and can revert to the old one using
   a flag.

** libgnutls: Improved TPM key handling. Check authorization requirements
   prior to using a key and fix issue on loop for PIN input. Patches by
   James Bottomley.

** libgnutls: In all functions accepting UTF-8 passwords, ensure that
   passwords are normalized according to RFC7613. When invalid UTF-8
   passwords are detected, they are only tolerated for decryption.
   This introduces a libunistring dependency on GnuTLS. A version of
   libunistring is included in the library for the platforms that do
   not ship it; it can be used with the '--with-included-unistring'
   option to configure script.

** libgnutls: When setting a subject alternative name in a certificate
   which is in UTF-8 format, it will transparently be converted to IDNA form
   prior to storing.

** libgnutls: GNUTLS_CRT_PRINT_ONELINE flag on gnutls_x509_crt_print()
   will print the SHA256 key-ID instead of a certificate fingerprint.

** libgnutls: enhance the PKCS#7 verification capabilities. In the case
   signers that are not discoverable using the trust list or input, use
   the stored list as pool to generate a trusted chain to the signer.

** libgnutls: Improved MTU calculation precision for the CBC ciphersuites
   under DTLS.

** libgnutls: [added missing news entry since 3.5.0]
   No longer tolerate certificate key usage violations for
   TLS signature verification, and decryption. That is GnuTLS will fail
   to connect to servers which incorrectly use a restricted to signing certificate
   for decryption, or vice-versa. This reverts the lax behavior introduced
   in 3.1.0, due to several such broken servers being available. The %COMPAT
   priority keyword can be used to work-around connecting on these servers.

** certtool: When exporting a CRQ in DER format ensure no text data are
   intermixed. Patch by Dmitry Eremin-Solenikov.

** certtool: Include the SHA-256 variant of key ID in --certificate-info
   options.

** p11tool: Introduced the --initialize-pin and --initialize-so-pin
   options.

** API and ABI modifications:
gnutls_utf8_password_normalize: Added
gnutls_ocsp_resp_get_responder2: Added
gnutls_x509_crt_get_issuer_dn3: Added
gnutls_x509_crt_get_dn3: Added
gnutls_x509_rdn_get2: Added
gnutls_x509_dn_get_str2: Added
gnutls_x509_crl_get_issuer_dn3: Added
gnutls_x509_crq_get_dn3: Added


* Version 3.5.6 (released 2016-11-04)

** libgnutls: Enhanced the PKCS#7 parser to allow decoding old
   (pre-rfc5652) structures with arbitrary encapsulated content.

** libgnutls: Introduced a function group to set known DH parameters
   using groups from RFC7919.

** libgnutls: Added more strict RFC4514 textual DN encoding and decoding.
   Now the generated textual DN is in reverse order according to RFC4514,
   and functions which generate a DN from strings such gnutls_x509_crt_set_*dn()
   set the expected DN (reverse of the provided string).

** libgnutls: Introduced time and constraints checks in the end certificate
   in the gnutls_x509_crt_verify_data2() and gnutls_pkcs7_verify_direct()
   functions.

** libgnutls: Set limits on the maximum number of alerts handled. That is,
   applications using gnutls could be tricked into an busy loop if the
   peer sends continuously alert messages. Applications which set a maximum
   handshake time (via gnutls_handshake_set_timeout) will eventually recover
   but others may remain in a busy loops indefinitely. This is related but
   not identical to CVE-2016-8610, due to the difference in alert handling
   of the libraries (gnutls delegates that handling to applications).

** libgnutls: Reverted the change which made the gnutls_certificate_set_*key*
   functions return an index (introduced in 3.5.5), to avoid affecting programs
   which explicitly check success of the function as equality to zero. In order
   for these functions to return an index an explicit call to gnutls_certificate_set_flags
   with the GNUTLS_CERTIFICATE_API_V2 flag is now required.

** libgnutls: Reverted the behavior of sending a status request extension even
   without a response (introduced in 3.5.5). That is, we no longer reply to a
   client's hello with a status request, with a status request extension. Although
   that behavior is legal, it creates incompatibility issues with releases in
   the gnutls 3.3.x branch.

** libgnutls: Delayed the initialization of the random generator at
   the first call of gnutls_rnd(). This allows applications to load
   on systems which getrandom() would block, without blocking until
   real random data are needed.

** certtool: --get-dh-params will output parameters from the RFC7919
   groups.

** p11tool: improvements in --initialize option.

** API and ABI modifications:
GNUTLS_CERTIFICATE_API_V2: Added
GNUTLS_NO_TICKETS: Added
gnutls_pkcs7_get_embedded_data_oid: Added
gnutls_anon_set_server_known_dh_params: Added
gnutls_certificate_set_known_dh_params: Added
gnutls_psk_set_server_known_dh_params: Added
gnutls_x509_crt_check_key_purpose: Added


* Version 3.5.5 (released 2016-10-09)

** libgnutls: enhanced gnutls_certificate_set_ocsp_status_request_file()
   to allow importing multiple OCSP request files, one for each chain
   provided.

** libgnutls: The gnutls_certificate_set_key* functions return an
   index of the added chain. That index can be used either with
   gnutls_certificate_set_ocsp_status_request_file(), or with
   gnutls_certificate_get_crt_raw() and friends.

** libgnutls: Added SHA*, AES-GCM, AES-CCM and AES-CBC optimized implementations
   for the aarch64 architecture. Uses Andy Polyakov's assembly code.

** libgnutls: Ensure proper cleanups on gnutls_certificate_set_*key()
   failures due to key mismatch. This prevents leaks or double freeing
   on such failures.

** libgnutls: Increased the maximum size of the handshake message hash.
   This will allow the library to cope better with larger packets, as
   the ones offered by current TLS 1.3 drafts.

** libgnutls: Allow to use client certificates despite them containing
   disallowed algorithms for a session. That allows for example a client
   to use DSA-SHA1 due to his old DSA certificate, without requiring him
   to enable DSA-SHA1 (and thus make it acceptable for the server's certificate).

** libgnutls: Reverted AESNI code on x86 to earlier version as the
   latest version was creating position depending code. Added checks
   in the CI to detect position depending code early.

** guile: Update code to the I/O port API of Guile >= 2.1.4
   This makes sure the GnuTLS bindings will work with the forthcoming 2.2
   stable series of Guile, of which 2.1 is a preview.

** API and ABI modifications:
gnutls_certificate_set_ocsp_status_request_function2: Added
gnutls_session_ext_register: Added
gnutls_session_supplemental_register: Added
GNUTLS_E_PK_INVALID_PUBKEY: Added
GNUTLS_E_PK_INVALID_PRIVKEY: Added

Revision 1.168 / (download) - annotate - [select for diffs], Sat Jan 7 18:49:16 2017 UTC (6 years, 2 months ago) by maya
Branch: MAIN
Changes since 1.167: +12 -10 lines
Diff to previous 1.167 (colored)

gnutls: don't redefine max_align_t on FreeBSD. It incorrectly fails the
configure test because the type in stddef.h is guarded by a c11 macro
(most likely).

Force the configure test to pass.

From David Shao in PR pkg/51793 (originally from FreeBSD ports).

Revision 1.167 / (download) - annotate - [select for diffs], Tue Sep 20 08:40:15 2016 UTC (6 years, 6 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2016Q4-base, pkgsrc-2016Q3-base, pkgsrc-2016Q3
Branch point for: pkgsrc-2016Q4
Changes since 1.166: +4 -2 lines
Diff to previous 1.166 (colored)

Use libopts from autoopts package instead of local copy.
(Only changes bin/*, not lib). Fixes build when autoopts already is installed

Disable valgrind explicitly.

Addresses issues reported by Ricard Palo.

Bump PKGREVISION.

Revision 1.166 / (download) - annotate - [select for diffs], Mon Sep 19 15:32:47 2016 UTC (6 years, 6 months ago) by wiz
Branch: MAIN
Changes since 1.165: +10 -4 lines
Diff to previous 1.165 (colored)

Add upstream patch so one test passes.
Replace bash binary path in more shell scripts so more tests work.

Result: no failing tests. Yay!

Revision 1.165 / (download) - annotate - [select for diffs], Mon Sep 19 13:01:23 2016 UTC (6 years, 6 months ago) by wiz
Branch: MAIN
Changes since 1.164: +1 -2 lines
Diff to previous 1.164 (colored)

Revert previous.

Revision 1.164 / (download) - annotate - [select for diffs], Mon Sep 19 13:01:09 2016 UTC (6 years, 6 months ago) by wiz
Branch: MAIN
Changes since 1.163: +2 -1 lines
Diff to previous 1.163 (colored)

Remove two obsolete patches.

Revision 1.163 / (download) - annotate - [select for diffs], Mon Sep 19 12:33:10 2016 UTC (6 years, 6 months ago) by wiz
Branch: MAIN
Changes since 1.162: +15 -4 lines
Diff to previous 1.162 (colored)

Updated gnutls to 3.5.4.

* Version 3.5.4 (released 2016-09-08)

** libgnutls: Corrected the comparison of the serial size in OCSP response.
   Previously the OCSP certificate check wouldn't verify the serial length
   and could succeed in cases it shouldn't (GNUTLS-SA-2016-3).
   Reported by Stefan Buehler.

** libgnutls: Added support for IP name constraints. Patch by Martin Ukrop.

** libgnutls: Added support of PKCS#8 file decryption using DES-CBC-MD5. This
   is added to allow decryption of PKCS #8 private keys from openssl prior to 1.1.0.

** libgnutls: Added support for decrypting PKCS#8 files which use HMAC-SHA256
   as PRF. This allow decrypting PKCS #8 private keys generated with openssl 1.1.0.

** libgnutls: Added support for internationalized passwords in PKCS#12 files.
   Previous versions would only encrypt or decrypt using passwords from the ASCII
   set.

** libgnutls: Addressed issue with PKCS#11 signature generation on ECDSA
   keys. The signature is now written as unsigned integers into the DSASignatureValue
   structure. Previously signed integers could be written depending on what
   the underlying module would produce. Addresses #122.

** gnutls-cli: Fixed starttls regression from 3.5.3.

** API and ABI modifications:
GNUTLS_E_MALFORMED_CIDR: Added
gnutls_x509_cidr_to_rfc5280: Added
gnutls_oid_to_mac: Added


* Version 3.5.3 (released 2016-08-09)

** libgnutls: Added support for TCP fast open (RFC7413), allowing
   to reduce by one round-trip the handshake process. Based on proposal and
   patch by Tim Ruehsen.

** libgnutls: Adopted a simpler with less memory requirements DTLS sliding
   window implementation. Based on Fridolin Pokorny's implementation for
   AF_KTLS.

** libgnutls: Use getrandom where available via the syscall interface.
   This works around an issue of not-using getrandom even if it exists
   since glibc doesn't declare such function.

** libgnutls: Fixed DNS name constraints checking in the case of empty
   intersection of domain names in the chain. Report and fix by Martin Ukrop.

** libgnutls: Fixed name constraints checking in the case of chains
   where the higher level certificates contained different types of
   constraints than the ones present in the lower intermediate CAs.
   Report and fix by Martin Ukrop.

** libgnutls: Dropped support for the EGD random generator.

** libgnutls: Allow the decoding of raw elements (starting with #)
   in RFC4514 DN string decoding.

** libgnutls: Fixes in gnutls_x509_crt_list_import2, which was
   ignoring flags if all certificates in the list fit within the
   initially allocated memory. Patch by Tim Kosse.

** libgnutls: Corrected issue which made gnutls_certificate_get_x509_crt()
   to return invalid pointers when returned more than a single certificate.
   Report and fix by Stefan S√łrensen.

** libgnutls: Fix gnutls_pkcs12_simple_parse to always extract the complete chain,
   even when the extra_certs was non-null. Report and fix by Stefan S√łrensen.

** certtool: Added the "add_extension" and "add_critical_extension"
   template options. This allows specifying arbitrary extensions into
   certificates and certificate requests.

** gnutls-cli: Added the --fastopen option.

** API and ABI modifications:
GNUTLS_E_UNAVAILABLE_DURING_HANDSHAKE: Added
gnutls_x509_crq_set_extension_by_oid: Added
gnutls_x509_dn_set_str: Added
gnutls_transport_set_fastopen: Added


* Version 3.5.2 (released 2016-07-06)

** libgnutls: Address issue when utilizing the p11-kit trust store
   for certificate verification (GNUTLS-SA-2016-2).

** libgnutls: Fixed DTLS handshake packet reconstruction. Reported by
   Guillaume Roguez.

** libgnutls: Fixed issues with PKCS#11 reading of sensitive objects
   from SafeNet Network HSM. Reported by Anthony Alba in #108.

** libgnutls: Corrected the writing of PKCS#11 CKA_SERIAL_NUMBER. Report
   and fix by Stanislav ŇĹidek.

** libgnutls: Added AES-GCM optimizations using the AVX and MOVBE
   instructions. Uses Andy Polyakov's assembly code.

** API and ABI modifications:
No changes since last version.


* Version 3.5.1 (released 2016-06-14)

** libgnutls: The SSL 3.0 protocol support can completely be removed
   using a compile time option. The configure option is --disable-ssl3-support.

** libgnutls: The SSL 2.0 client hello support can completely be removed
   using a compile time option. The configure option is --disable-ssl2-support.

** libgnutls: Added support for OCSP Must staple PKIX extension. That is,
   implemented the RFC7633 TLSFeature for OCSP status request extension.
   Feature implemented by Tim Kosse.

** libgnutls: More strict OCSP staple verification. That is, no longer
   ignore invalid or too old OCSP staples. The previous behavior was
   to rely on application use gnutls_ocsp_status_request_is_checked(),
   while the new behavior is to include OCSP verification by default
   and set the GNUTLS_CERT_INVALID_OCSP_STATUS verification flag on error.

** libgnutls: Treat CA certificates with the "Server Gated Cryptography" key
   purpose OIDs equivalent to having the GNUTLS_KP_TLS_WWW_SERVER OID. This
   improves interoperability with several old intermediate CA certificates
   carrying these legacy OIDs.

** libgnutls: Re-read the system wide priority file when needed. Patch by
   Daniel P. Berrange.

** libgnutls: Allow for fallback in system-specific initial keywords
   (prefixed with '@'). That allows to specify a keyword such as
   "@KEYWORD1,KEYWORD2" which will use the first available of these
   two keywords. Patch by Daniel P. Berrange.

** libgnutls: The SSLKEYLOGFILE environment variable can be used to log
   session keys. These session keys are compatible with the NSS Key Log
   Format and can be used to decrypt the session for debugging using
   wireshark.

** API and ABI modifications:
GNUTLS_CERT_INVALID_OCSP_STATUS: Added
gnutls_x509_crt_set_crq_extension_by_oid: Added
gnutls_x509_ext_import_tlsfeatures: Added
gnutls_x509_ext_export_tlsfeatures: Added
gnutls_x509_tlsfeatures_add: Added
gnutls_x509_tlsfeatures_init: Added
gnutls_x509_tlsfeatures_deinit: Added
gnutls_x509_tlsfeatures_get: Added
gnutls_x509_crt_get_tlsfeatures: Added
gnutls_x509_crt_set_tlsfeatures: Added
gnutls_x509_crq_get_tlsfeatures: Added
gnutls_x509_crq_set_tlsfeatures: Added
gnutls_ext_get_name: Added


* Version 3.5.0 (released 2016-05-09)

** libgnutls: Added SHA3 based signing algorithms for DSA, RSA and ECDSA,
   based on http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html

** libgnutls: Added support for curve X25519 (RFC 7748, draft-ietf-tls-rfc4492bis-07).
   This curve is disabled by default as it is still on specification status. It
   can be enabled using the priority string modifier +CURVE-X25519.

** libgnutls: Added support for TLS false start (draft-ietf-tls-falsestart-01)
   by introducing gnutls_init() flag GNUTLS_ENABLE_FALSE_START (#73).

** libgnutls: Added new APIs to access the FIPS186-4 (Shawe-Taylor based) provable
   RSA and DSA parameter generation from a seed.

** libgnutls: The CHACHA20-POLY1305 ciphersuite is enabled by default. This
   cipher is prioritized after AES-GCM.

** libgnutls: On a rehandshake ensure that the certificate of the peer or
   its username remains the same as in previous handshakes. That is to protect
   applications which do not check user credentials on rehandshakes. The
   threat to address depends on the application protocol. Primarily it
   protects against applications which authenticate the peer initially and
   perform accounting using the session's information, from being misled
   by a rehandshake which switches the peer's identity. Applications can
   disable this protection by using the %GNUTLS_ALLOW_ID_CHANGE flag in
   gnutls_init().

** libgnutls: Be strict in TLS extension decoding. That is, do not tolerate
   parsing errors in the extensions field and treat it as a typical Hello
   message structure. Reported by Hubert Kario (#40).

** libgnutls: Old and unsupported version numbers in client hellos are
   rejected with a "protocol_version" alert message. Reported by Hubert
   Kario (#42).

** libgnutls: Lifted the limitation of calling the gnutls_session_get_data*()
   functions, only on non-resumed sessions. This brings the API in par with
   its usage (#79).

** libgnutls: Follow RFC5280 strictly in name constraints computation. The
   permitted subtrees is intersected with any previous values. Report and
   patch by Daiki Ueno.

** libgnutls: Enforce the RFC 7627 (extended master secret) requirements on
   session resumption. Reported by Hubert Kario (#69).

** libgnutls: Consider the max-record TLS extension even when under DTLS.
   Reported by Peter Dettman (#61).

** libgnutls: Replaced writev() system call with sendmsg().

** libgnutls: Replaced select() system call with poll() on POSIX systems.

** libgnutls: Preload the system priority file on library load. This allows
   applications that chroot() to also use the system priorities.

** libgnutls: Applications are allowed to override the built-in key and
   certificate URLs.

** libgnutls: The gnutls.h header marks constant and pure functions explictly.

** certtool: Added the ability to sign certificates using SHA3.

** certtool: Added the --provable and --verify-allow-broken options.

** gnutls-cli: The --dane option will cause verification failure if gnutls is not
   compiled with DANE support.

** crywrap: The tool was unbundled from gnutls' distribution. It can be found at
   https://github.com/nmav/crywrap

** guile: .go files are now built and installed

** guile: Fix compatibility issue of the test suite with Guile 2.1

** guile: When --with-guile-site-dir is passed, modules are installed in a
   versioned directory, typically $(datadir)/guile/site/2.0

** guile: Tests no longer leave zombie processes behind

** API and ABI modifications:
GNUTLS_FORCE_CLIENT_CERT: Added
GNUTLS_ENABLE_FALSE_START: Added
GNUTLS_INDEFINITE_TIMEOUT: Added
GNUTLS_ALPN_SERVER_PRECEDENCE: Added
GNUTLS_E_ASN1_EMBEDDED_NULL_IN_STRING: Added
GNUTLS_E_HANDSHAKE_DURING_FALSE_START: Added
gnutls_check_version_numeric: Added
gnutls_x509_crt_equals: Added
gnutls_x509_crt_equals2: Added
gnutls_x509_crt_set_subject_alt_othername: Added
gnutls_x509_crt_set_issuer_alt_othername: Added
gnutls_x509_crt_get_signature_oid: Added
gnutls_x509_crt_get_pk_oid: Added
gnutls_x509_crq_set_subject_alt_othername: Added
gnutls_x509_crq_get_pk_oid: Added
gnutls_x509_crq_get_signature_oid: Added
gnutls_x509_crl_get_signature_oid: Added
gnutls_x509_privkey_generate2: Added
gnutls_x509_privkey_get_seed: Added
gnutls_x509_privkey_verify_seed: Added
gnutls_privkey_generate2: Added
gnutls_privkey_get_seed: Added
gnutls_privkey_verify_seed: Added
gnutls_decode_ber_digest_info: Added
gnutls_encode_ber_digest_info: Added
gnutls_dh_params_import_dsa: Added
gnutls_session_get_master_secret: Added


* Version 3.4.3 (released 2015-07-12)

** libgnutls: Follow closely RFC5280 recommendations and use UTCTime for
   dates prior to 2050.

** libgnutls: Force 16-byte alignment to all input to ciphers (previously it
   was done only when cryptodev was enabled).

** libgnutls: Removed support for pthread_atfork() as it has undefined
   semantics when used with dlopen(), and may lead to a crash.

** libgnutls: corrected failure when importing plain files
   with gnutls_x509_privkey_import2(), and a password was provided.

** libgnutls: Don't reject certificates if a CA has the URI or IP address
   name constraints, and the end certificate doesn't have an IP address
   name or a URI set.

** libgnutls: set and read the hint in DHE-PSK and ECDHE-PSK ciphersuites.

** p11tool: Added --list-token-urls option, and print the token module name
   in list-tokens.

** API and ABI modifications:
gnutls_ecc_curve_get_oid: Added
gnutls_digest_get_oid: Added
gnutls_pk_get_oid: Added
gnutls_sign_get_oid: Added
gnutls_ecc_curve_get_id: Added
gnutls_oid_to_digest: Added
gnutls_oid_to_pk: Added
gnutls_oid_to_sign: Added
gnutls_oid_to_ecc_curve: Added
gnutls_pkcs7_get_signature_count: Added


* Version 3.4.2 (released 2015-06-16)

** libgnutls: DTLS blocking API is more robust against infinite blocking,
and will notify of more possible timeouts.

** libgnutls: corrected regression with Camellia-256-GCM cipher. Reported
by Manuel Pegourie-Gonnard.

** libgnutls: Introduced the GNUTLS_NO_SIGNAL flag to gnutls_init(). That
allows to disable SIGPIPE for writes done within gnutls.

** libgnutls: Enhanced the PKCS #7 API to allow signing and verification
of structures. API moved to gnutls/pkcs7.h header.

** certtool: Added options to generate PKCS #7 bundles and signed
structures.

** API and ABI modifications:
gnutls_x509_dn_get_str: Added
gnutls_pkcs11_get_raw_issuer_by_subject_key_id: Added
gnutls_x509_trust_list_get_issuer_by_subject_key_id: Added
gnutls_x509_crt_verify_data2: Added
gnutls_pkcs7_get_crt_raw2: Added
gnutls_pkcs7_signature_info_deinit: Added
gnutls_pkcs7_get_signature_info: Added
gnutls_pkcs7_verify_direct: Added
gnutls_pkcs7_verify: Added
gnutls_pkcs7_get_crl_raw2: Added
gnutls_pkcs7_sign: Added
gnutls_pkcs7_attrs_deinit: Added
gnutls_pkcs7_add_attr: Added
gnutls_pkcs7_get_attr: Added
gnutls_pkcs7_print: Added


* Version 3.4.1 (released 2015-05-03)

** libgnutls: gnutls_certificate_get_ours: will return the certificate even
if a callback was used to send it.

** libgnutls: Check for invalid length in the X.509 version field. Without
the check certificates with invalid length would be detected as having an
arbitrary version. Reported by Hanno Böck.

** libgnutls: Handle DNS name constraints with a leading dot. Patch by
Fotis Loukos.

** libgnutls: Updated system-keys support for windows to compile in more
versions of mingw. Patch by Tim Kosse.

** libgnutls: Fix for MD5 downgrade in TLS 1.2 signatures. Reported by
Karthikeyan Bhargavan [GNUTLS-SA-2015-2].

** libgnutls: Reverted: The gnutls_handshake() process will enforce a timeout
by default. That caused issues with non-blocking programs.

** certtool: It can generate SHA256 key IDs.

** gnutls-cli: fixed crash in --benchmark-ciphers. Reported by James Cloos.

** configure: re-enabled the --enable-local-libopts flag

** API and ABI modifications:
gnutls_x509_crt_get_pk_ecc_raw: Added


* Version 3.4.0 (released 2015-04-08)

** libgnutls: Added support for AES-CCM and AES-CCM-8 (RFC6655 and RFC7251)
ciphersuites. The former are enabled by default, the latter need to be
explicitly enabled, since they reduce the overall security level.

** libgnutls: Added support for Chacha20-Poly1305 ciphersuites following
draft-mavrogiannopoulos-chacha-tls-05 and draft-irtf-cfrg-chacha20-poly1305-10.
That is currently provided as technology preview and is not enabled by
default, since there are no assigned ciphersuite points by IETF and there
is no guarrantee of compatibility between draft versions. The ciphersuite
priority string to enable it is "+CHACHA20-POLY1305".

** libgnutls: Added support for encrypt-then-authenticate in CBC
ciphersuites (RFC7366 -taking into account its errata text). This is
enabled by default and can be disabled using the %NO_ETM priority
string.

** libgnutls: Added support for the extended master secret
(triple-handshake fix) following draft-ietf-tls-session-hash-02.

** libgnutls: Added a new simple and hard to misuse AEAD API (crypto.h).

** libgnutls: SSL 3.0 is no longer included in the default priorities
list. It has to be explicitly enabled, e.g., with a string like
"NORMAL:+VERS-SSL3.0".

** libgnutls: ARCFOUR (RC4) is no longer included in the default priorities
list. It has to be explicitly enabled, e.g., with a string like
"NORMAL:+ARCFOUR-128".

** libgnutls: DSA signatures and DHE-DSS are no longer included in the
default priorities list. They have to be explicitly enabled, e.g., with
a string like "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1". The
DSA ciphersuites were dropped because they had no deployment at all
on the internet, to justify their inclusion.

** libgnutls: The priority string EXPORT was completely removed. The string
was already defunc as support for the EXPORT ciphersuites was removed in
GnuTLS 3.2.0.

** libgnutls: Added API to utilize system specific private keys in
"gnutls/system-keys.h". It is currently provided as technology preview
and is restricted to windows CNG keys.

** libgnutls: gnutls_x509_crt_check_hostname() and friends will use
RFC6125 comparison of hostnames. That introduces a dependency on libidn.

** libgnutls: Depend on p11-kit 0.23.1 to comply with the final
PKCS #11 URLs draft (draft-pechanec-pkcs11uri-21).

** libgnutls: Depend on nettle 3.1.

** libgnutls: Use getrandom() or getentropy() when available. That
avoids the complexity of file descriptor handling and issues with
applications closing all open file descriptors on startup.

** libgnutls: Use pthread_atfork() to detect fork when available.

** libgnutls: If a key purpose (extended key usage) is specified for verification,
it is applied into intermediate certificates. The verification result
GNUTLS_CERT_PURPOSE_MISMATCH is also introduced.

** libgnutls: When gnutls_certificate_set_x509_key_file2() is used in
combination with PKCS #11, or TPM URLs, it will utilize the provided
password as PIN if required. That removes the requirement for the
application to set a callback for PINs in that case.

** libgnutls: priority strings VERS-TLS-ALL and VERS-DTLS-ALL are
restricted to the corresponding protocols only, and the VERS-ALL
string is introduced to catch all possible protocols.

** libgnutls: Added helper functions to obtain information on PKCS #8
structures.

** libgnutls: Certificate chains which are provided to gnutls_certificate_credentials_t
will automatically be sorted instead of failing with GNUTLS_E_CERTIFICATE_LIST_UNSORTED.

** libgnutls: Added functions to export and set the record state. That
allows for gnutls_record_send() and recv() to be offloaded (to kernel,
hardware or any other subsystem).

** libgnutls: Added the ability to register application specific URL
types, which express certificates and keys using gnutls_register_custom_url().

** libgnutls: Added API to override existing ciphers, digests and MACs, e.g.,
to override AES-GCM using a system-specific accelerator. That is, (crypto.h)
gnutls_crypto_register_cipher(), gnutls_crypto_register_aead_cipher(),
gnutls_crypto_register_mac(), and gnutls_crypto_register_digest().

** libgnutls: Added gnutls_ext_register() to register custom extensions.
Contributed by Thierry Quemerais.

** libgnutls: Added gnutls_supplemental_register() to register custom
supplemental data handshake messages. Contributed by Thierry Quemerais.

** libgnutls-openssl: it is no longer built by default.


** certtool: Added --p8-info option, which will print PKCS #8 information
even if the password is not available.

** certtool: --key-info option will print PKCS #8 encryption information
when available.

** certtool: Added the --key-id and --fingerprint options.

** certtool: Added the --verify-hostname, --verify-email and --verify-purpose
options to be used in certificate chain verification, to simulate verification
for specific hostname and key purpose (extended key usage).

** certtool: --p12-info option will print PKCS #12 MAC and cipher information
when available.

** certtool: it will print the A-label (ACE) names in addition to UTF-8.

** p11tool: added options --set-id and --set-label.

** gnutls-cli: added options --priority-list and --save-cert.

** guile: Deprecated priority API has been removed. The old priority API,
which had been deprecated for some time, is now gone; use 'set-session-priorities!'
instead.

** guile: Remove RSA parameters and related procedures. This API had been
deprecated.

** guile: Fix compilation on MinGW. Previously only the static version of the
'guile-gnutls-v-2' library would be built, preventing dynamic loading from Guile.

** API and ABI modifications:
gnutls_record_get_state: Added
gnutls_record_set_state: Added
gnutls_aead_cipher_init: Added
gnutls_aead_cipher_decrypt: Added
gnutls_aead_cipher_encrypt: Added
gnutls_aead_cipher_deinit: Added
gnutls_pkcs12_generate_mac2: Added
gnutls_pkcs12_mac_info: Added
gnutls_pkcs12_bag_enc_info: Added
gnutls_pkcs8_info: Added
gnutls_pkcs_schema_get_name: Added
gnutls_pkcs_schema_get_oid: Added
gnutls_pcert_export_x509: Added
gnutls_pcert_export_openpgp: Added
gnutls_pcert_import_x509_list: Added
gnutls_pkcs11_privkey_cpy: Added
gnutls_x509_crq_get_signature_algorithm: Added
gnutls_x509_trust_list_iter_get_ca: Added
gnutls_x509_trust_list_iter_deinit: Added
gnutls_x509_trust_list_get_issuer_by_dn: Added
gnutls_pkcs11_get_raw_issuer_by_dn: Added
gnutls_certificate_get_trust_list: Added
gnutls_privkey_export_x509: Added
gnutls_privkey_export_pkcs11: Added
gnutls_privkey_export_openpgp: Added
gnutls_privkey_import_ext3: Added
gnutls_certificate_get_x509_key: Added
gnutls_certificate_get_x509_crt: Added
gnutls_certificate_get_openpgp_key: Added
gnutls_certificate_get_openpgp_crt: Added
gnutls_record_discard_queued: Added
gnutls_session_ext_master_secret_status: Added
gnutls_priority_string_list: Added
gnutls_dh_params_import_raw2: Added
gnutls_memset: Added
gnutls_memcmp: Added
gnutls_pkcs12_bag_set_privkey: Added
gnutls_ocsp_resp_get_responder_raw_id: Added
gnutls_system_key_iter_deinit: Added
gnutls_system_key_iter_get_info: Added
gnutls_system_key_delete: Added
gnutls_system_key_add_x509: Added
gnutls_system_recv_timeout: Added
gnutls_register_custom_url: Added
gnutls_pkcs11_obj_list_import_url3: Added
gnutls_pkcs11_obj_list_import_url4: Added
gnutls_pkcs11_obj_set_info: Added
gnutls_crypto_register_cipher: Added
gnutls_crypto_register_aead_cipher: Added
gnutls_crypto_register_mac: Added
gnutls_crypto_register_digest: Added
gnutls_ext_register: Added
gnutls_supplemental_register: Added
gnutls_supplemental_recv: Added
gnutls_supplemental_send: Added
gnutls_openpgp_crt_check_email: Added
gnutls_x509_crt_check_email: Added
gnutls_handshake_set_hook_function: Modified
gnutls_pkcs11_privkey_generate3: Added
gnutls_pkcs11_copy_x509_crt2: Added
gnutls_pkcs11_copy_x509_privkey2: Added
gnutls_pkcs11_obj_list_import_url: Removed
gnutls_pkcs11_obj_list_import_url2: Removed
gnutls_certificate_client_set_retrieve_function: Removed
gnutls_certificate_server_set_retrieve_function: Removed
gnutls_certificate_set_rsa_export_params: Removed
gnutls_certificate_type_set_priority: Removed
gnutls_cipher_set_priority: Removed
gnutls_compression_set_priority: Removed
gnutls_kx_set_priority: Removed
gnutls_mac_set_priority: Removed
gnutls_protocol_set_priority: Removed
gnutls_rsa_export_get_modulus_bits: Removed
gnutls_rsa_export_get_pubkey: Removed
gnutls_rsa_params_cpy: Removed
gnutls_rsa_params_deinit: Removed
gnutls_rsa_params_export_pkcs1: Removed
gnutls_rsa_params_export_raw: Removed
gnutls_rsa_params_generate2: Removed
gnutls_rsa_params_import_pkcs1: Removed
gnutls_rsa_params_import_raw: Removed
gnutls_rsa_params_init: Removed
gnutls_sign_callback_get: Removed
gnutls_sign_callback_set: Removed
gnutls_x509_crt_verify_data: Removed
gnutls_x509_crt_verify_hash: Removed
gnutls_pubkey_get_verify_algorithm: Removed
gnutls_x509_crt_get_verify_algorithm: Removed
gnutls_pubkey_verify_hash: Removed
gnutls_pubkey_verify_data: Removed
gnutls_record_set_max_empty_records: Removed

guile:
set-session-cipher-priority!: Removed
set-session-mac-priority!: Removed
set-session-compression-method-priority!: Removed
set-session-kx-priority!: Removed
set-session-protocol-priority!: Removed
set-session-certificate-type-priority!: Removed
set-session-default-priority!: Removed
set-session-default-export-priority!: Removed
make-rsa-parameters: Removed
rsa-parameters?: Removed
set-certificate-credentials-rsa-export-parameters!: Removed
pkcs1-import-rsa-parameters: Removed
pkcs1-export-rsa-parameters: Removed

Revision 1.162 / (download) - annotate - [select for diffs], Thu Sep 15 15:44:27 2016 UTC (6 years, 6 months ago) by gdt
Branch: MAIN
Changes since 1.161: +2 -2 lines
Diff to previous 1.161 (colored)

Change commented-out bl3 to guile20

This package disables guile unconditionally.  This just changes the
comment to not include 2.0 instead of not including 1.8, to reduce the
number of packages that look like they need updating.

Revision 1.161 / (download) - annotate - [select for diffs], Sat Jul 9 06:38:54 2016 UTC (6 years, 8 months ago) by wiz
Branch: MAIN
Changes since 1.160: +2 -2 lines
Diff to previous 1.160 (colored)

Bump PKGREVISION for perl-5.24.0 for everything mentioning perl.

Revision 1.160 / (download) - annotate - [select for diffs], Sun Apr 10 07:45:22 2016 UTC (6 years, 11 months ago) by dbj
Branch: MAIN
CVS Tags: pkgsrc-2016Q2-base, pkgsrc-2016Q2
Changes since 1.159: +5 -1 lines
Diff to previous 1.159 (colored)

Avoid creating a fake zlib.pc, because if it does
gnutls will add a Requires.private for it in its .pc file

Revision 1.159 / (download) - annotate - [select for diffs], Fri Feb 26 09:41:05 2016 UTC (7 years ago) by jperkin
Branch: MAIN
CVS Tags: pkgsrc-2016Q1-base, pkgsrc-2016Q1
Changes since 1.158: +2 -6 lines
Diff to previous 1.158 (colored)

Use OPSYSVARS.

Revision 1.158 / (download) - annotate - [select for diffs], Mon Sep 14 00:29:45 2015 UTC (7 years, 6 months ago) by mef
Branch: MAIN
CVS Tags: pkgsrc-2015Q4-base, pkgsrc-2015Q4, pkgsrc-2015Q3-base, pkgsrc-2015Q3
Changes since 1.157: +2 -3 lines
Diff to previous 1.157 (colored)

Update to 3.3.18
----------------
* Version 3.3.18 (released 2015-09-12)

** libgnutls: When re-importing CRLs to a trust list ensure that there
   no duplicate entries.

** certtool: Removed any arbitrary limits imposed on input file sizes
   and maximum number of certificates imported.

** API and ABI modifications:
   No changes since last version.

Revision 1.157 / (download) - annotate - [select for diffs], Sun Aug 23 14:30:35 2015 UTC (7 years, 7 months ago) by wiz
Branch: MAIN
Changes since 1.156: +2 -2 lines
Diff to previous 1.156 (colored)

Bump PKGREVISION for nettle shlib major bump.

Revision 1.156 / (download) - annotate - [select for diffs], Fri Aug 14 11:48:55 2015 UTC (7 years, 7 months ago) by wiz
Branch: MAIN
Changes since 1.155: +2 -3 lines
Diff to previous 1.155 (colored)

Update to 3.17.1:

* Version 3.3.17 (released 2015-08-10)

** libgnutls: Fix issue with server side sending the status request
   extension even when not requested. Reported by Jeremy Harris.

** libgnutls: gnutls_pkcs11_privkey_generate2() will store the generated
   public key, unless the GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY flag is
   specified.

** libgnutls: fixed double free in DN decoding [GNUTLS-SA-2015-3].

** API and ABI modifications:
   No changes since last version.


* Version 3.3.16 (released 2015-07-12)

** libgnutls: Allow compilation with nettle 3.0 or later

** libgnutls: corrected failure when importing plain files
   with gnutls_x509_privkey_import2(), and a password was provided.

** libgnutls: Don't reject certificates if a CA has the URI or IP address
   name constraints, and the end certificate doesn't have an IP address
   name or a URI set.

** libgnutls: set and read the hint in DHE-PSK and ECDHE-PSK ciphersuites.

** API and ABI modifications:
   No changes since last version.

Revision 1.155 / (download) - annotate - [select for diffs], Fri Jun 12 10:51:01 2015 UTC (7 years, 9 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2015Q2-base, pkgsrc-2015Q2
Changes since 1.154: +2 -1 lines
Diff to previous 1.154 (colored)

Recursive PKGREVISION bump for all packages mentioning 'perl',
having a PKGNAME of p5-*, or depending such a package,
for perl-5.22.0.

Revision 1.154 / (download) - annotate - [select for diffs], Wed Jun 3 20:43:52 2015 UTC (7 years, 9 months ago) by wiz
Branch: MAIN
Changes since 1.153: +2 -1 lines
Diff to previous 1.153 (colored)

Add upper bound for nettle dependency (3.x is not supported).

Revision 1.153 / (download) - annotate - [select for diffs], Mon Jun 1 21:50:22 2015 UTC (7 years, 9 months ago) by spz
Branch: MAIN
Changes since 1.152: +3 -3 lines
Diff to previous 1.152 (colored)

update to gnutls 3.3.15
patch refresh grace of mkpatches

upstream notable changes list since the 3.2 to 3.3 branch point (excerpt
of the NEWS file):

* Version 3.3.15 (released 2015-05-03)

** libgnutls: gnutls_certificate_get_ours: will return the certificate even
if a callback was used to send it.

** libgnutls: Fix for MD5 downgrade in TLS 1.2 signatures. Reported by
Karthikeyan Bhargavan [GNUTLS-SA-2015-2].

** libgnutls: Check for invalid length in the X.509 version field. Without the check
certificates with invalid length would be detected as having an arbitrary
version. Reported by Hanno Böck.

** API and ABI modifications:
No changes since last version.


* Version 3.3.14 (released 2015-03-30)

** libgnutls: When retrieving OCTET STRINGS from PKCS #12 ContentInfo
structures use BER to decode them (requires libtasn1 4.3). That allows
to decode some more complex structures.

** libgnutls: When an end-certificate with no name is present and there
are CA name constraints, don't reject the certificate. This follows RFC5280
advice closely. Reported by Fotis Loukos.

** libgnutls: Fixed handling of supplemental data with types > 255.
Patch by Thierry Quemerais.

** libgnutls: Fixed double free in the parsing of CRL distribution points certificate
extension. Reported by Robert wicki.

** libgnutls: Fixed a two-byte stack overflow in DTLS 0.9 protocol. That
protocol is not enabled by default (used by openconnect VPN).

** libgnutls: The maximum user data send size is set to be the same for
block and non-block ciphersuites. This addresses a regression with wine:
https://bugs.winehq.org/show_bug.cgi?id=37500

** libgnutls: When generating PKCS #11 keys, set CKA_ID, CKA_SIGN,
and CKA_DECRYPT when needed.

** libgnutls: Allow names with zero size to be set using
gnutls_server_name_set(). That will disable the Server Name Indication.
Resolves issue with wine: https://gitlab.com/gnutls/gnutls/issues/2

** API and ABI modifications:
No changes since last version.


* Version 3.3.13 (released 2015-02-25)

** libgnutls: Enable AESNI in GCM on x86

** libgnutls: Fixes in DTLS message handling

** libgnutls: Check certificate algorithm consistency, i.e.,
check whether the signatureAlgorithm field matches the signature
field inside TBSCertificate.

** gnutls-cli: Fixes in OCSP verification.

** API and ABI modifications:
No changes since last version.


* Version 3.3.12 (released 2015-01-17)

** libgnutls: When negotiating TLS use the lowest enabled version in
the client hello, rather than the lowest supported. In addition, do
not use SSL 3.0 as a version in the TLS record layer, unless SSL 3.0
is the only protocol supported. That addresses issues with servers that
immediately drop the connection when the encounter SSL 3.0 as the record
version number. See:
http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003673.html

** libgnutls: Corrected encoding and decoding of ANSI X9.62 parameters.

** libgnutls: Handle zero length plaintext for VIA PadLock functions.
This solves a potential crash on AES encryption for small size plaintext.
Patch by Matthias-Christian Ott.

** libgnutls: In DTLS don't combine multiple packets which exceed MTU.
Reported by Andreas Schultz. https://savannah.gnu.org/support/?108715

** libgnutls: In DTLS decode all handshake packets present in a record
packet, in a single pass. Reported by Andreas Schultz.
https://savannah.gnu.org/support/?108712

** libgnutls: When importing a CA file with a PKCS #11 URL, simply
import the certificates, if the URL specifies objects, rather than
treating it as trust module.

** libgnutls: When importing a PKCS #11 URL and we know the type of
object we are importing, don't require the object type in the URL.

** libgnutls: fixed openpgp authentication when gnutls_certificate_set_retrieve_function2
was used by the server.

** guile: Fix compilation on MinGW. Previously only the static version of the
'guile-gnutls-v-2' library would be built, preventing dynamic loading from Guile.

** guile: Fix harmless warning during compilation of gnutls.scm
Initially reported at <https://bugzilla.redhat.com/show_bug.cgi?id=1177847>.

** certtool: --pubkey-info will also attempt to load a public key
from stdin.

** gnutls-cli: Added --starttls-proto option. That allows to specify a
protocol for starttls negotiation.

** API and ABI modifications:
No changes since last version.


* Version 3.3.11 (released 2014-12-11)

** libgnutls: Corrected regression introduced in 3.3.9 related to
session renegotiation. Reported by Dan Winship.

** libgnutls: Corrected parsing issue with OCSP responses.

** API and ABI modifications:
No changes since last version.


* Version 3.3.10 (released 2014-11-10)

** libgnutls: Refuse to import v1 or v2 certificates that contain
extensions.

** libgnutls: Fixes in usage of PKCS #11 token callback

** libgnutls: Fixed bug in gnutls_x509_trust_list_get_issuer() when used
with a PKCS #11 trust module and without the GNUTLS_TL_GET_COPY flag.
Reported by David Woodhouse.

** libgnutls: Removed superfluous random generator refresh on every call
of gnutls_deinit(). That reduces load and usage of /dev/urandom.

** libgnutls: Corrected issue in export of ECC parameters to X9.63 format.
Reported by Sean Burford [GNUTLS-SA-2014-5].

** libgnutls: When gnutls_global_init() is called for a second time, it
will check whether the /dev/urandom fd kept is still open and matches
the original one. That behavior works around issues with servers that
close all file descriptors.

** libgnutls: Corrected behavior with PKCS #11 objects that are marked
as CKA_ALWAYS_AUTHENTICATE.

** certtool: The default cipher for PKCS #12 structures is 3des-pkcs12.
That option is more compatible than AES or RC4.

** API and ABI modifications:
No changes since last version.


* Version 3.3.9 (released 2014-10-13)

** libgnutls: Fixes in the transparent import of PKCS #11 certificates.
Reported by Joseph Peruski.

** libgnutls: Fixed issue with unexpected non-fatal errors resetting the
handshake's hash buffer, in applications using the heartbeat extension
or DTLS. Reported by Joeri de Ruiter.

** libgnutls: When both a trust module and additional CAs are present
account the latter as well; reported by David Woodhouse.

** libgnutls: added GNUTLS_TL_GET_COPY flag for
gnutls_x509_trust_list_get_issuer(). That allows the function to be used
in a thread safe way when PKCS #11 trust modules are in use.

** libgnutls: fix issue in DTLS retransmission when session tickets
were in use; reported by Manuel Pégourié-Gonnard.

** libgnutls-dane: Do not require the CA on a ca match to be direct CA.

** libgnutls: Prevent abort() in library if getrusage() fails. Try to
detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work.

** guile: new 'set-session-server-name!' procedure; see the manual for
details.

** certtool: The authority key identifier will be set in a certificate only
if the CA's subject key identifier is set.

** API and ABI modifications:
No changes since last version.


* Version 3.3.8 (released 2014-09-18)

** libgnutls: Updates in the name constraints checks. No name constraints
will be checked for intermediate certificates. As our support for name
constraints is limited to e-mail addresses in DNS names, it is pointless
to check them on intermediate certificates.

** libgnutls: Fixed issues in PKCS #11 object listing. Previously multiple
object listing would fail completely if a single object could not be exported.

** libgnutls: Improved the performance of PKCS #11 object listing/retrieving,
by retrieving them in large batches. Report and suggestion by David
Woodhouse.

** libgnutls: Fixed issue with certificates being sanitized by gnutls prior
to signature verification. That resulted to certain non-DER compliant modifications
of valid certificates, being corrected by libtasn1's parser and restructured as
the original. Issue found and reported by Antti Karjalainen and Matti Kamunen from
Codenomicon.

** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle
strings with embedded spaces and escaped commas.

** libgnutls: when comparing a CA certificate with the trusted list compare
the name and key only instead of the whole certificate. That is to handle
cases where a CA certificate was superceded by a different one with the same
name and the same key.

** libgnutls: when verifying a certificate against a p11-kit trusted
module, use the attached extensions in the module to override the CA's
extensions (that requires p11-kit 0.20.7).

** libgnutls: In DTLS prevent sending zero-size fragments in certain cases
of MTU split. Reported by Manuel Pégourié-Gonnard.

** libgnutls: Added gnutls_x509_trust_list_verify_crt2() which allows
verifying using a hostname and a purpose (extended key usage). That
enhances PKCS #11 trust module verification, as it can now check the purpose
when this function is used.

** libgnutls: Corrected gnutls_x509_crl_verify() which would always report
a CRL signature as invalid. Reported by Armin Burgmeier.

** libgnutls: added option --disable-padlock to allow disabling the padlock
CPU acceleration.

** p11tool: when listing tokens, list their type as well.

** p11tool: when listing objects from a trust module print any attached
extensions on certificates.

** API and ABI modifications:
gnutls_x509_crq_get_extension_by_oid2: Added
gnutls_x509_crt_get_extension_by_oid2: Added
gnutls_x509_trust_list_verify_crt2: Added
gnutls_x509_ext_print: Added
gnutls_x509_ext_deinit: Added
gnutls_x509_othername_to_virtual: Added
gnutls_pkcs11_obj_get_exts: Added


* Version 3.3.7 (released 2014-08-24)

** libgnutls: Added function to export the public key of a PKCS #11
private key. Contributed by Wolfgang Meyer zu Bergsten.

** libgnutls: Explicitly set the exponent in PKCS #11 key generation.
That improves compatibility with certain PKCS #11 modules. Contributed by
Wolfgang Meyer zu Bergsten.

** libgnutls: When generating a PKCS #11 private key allow setting
the WRAP/UNWRAP flags. Contributed by Wolfgang Meyer zu Bergsten.

** libgnutls: gnutls_pkcs11_privkey_t will always hold an open session
to the key.

** libgnutls: bundle replacements of inet_pton and inet_aton if not
available.

** libgnutls: initialize parameters variable on PKCS #8 decryption.

** libgnutls: gnutls_pkcs12_verify_mac() will not fail in other than SHA1
algorithms.

** libgnutls: gnutls_x509_crt_check_hostname() will follow the RFC6125
requirement of checking the Common Name (CN) part of DN only if there is
a single CN present in the certificate.

** libgnutls: The environment variable GNUTLS_FORCE_FIPS_MODE can be used
to force the FIPS mode, when set to 1.

** libgnutls: In DTLS ignore only errors that relate to unexpected packets
and decryption failures.

** p11tool: Added --info parameter.

** certtool: Added --mark-wrap parameter.

** danetool: --check will attempt to retrieve the server's certificate
chain and verify against it.

** danetool/gnutls-cli-debug: Added --app-proto parameters which can
be used to enforce starttls (currently only SMTP and IMAP) on the connection.

** danetool: Added openssl linking exception, to allow linking
with libunbound.

** API and ABI modifications:
GNUTLS_PKCS11_OBJ_ATTR_MATCH: Added
gnutls_pkcs11_privkey_export_pubkey: Added
gnutls_pkcs11_obj_flags_get_str: Added
gnutls_pkcs11_obj_get_flags: Added


* Version 3.3.6 (released 2014-07-23)

** libgnutls: Use inet_ntop to print IP addresses when available

** libgnutls: gnutls_x509_crt_check_hostname and friends will also check
IP addresses, and match documented behavior. Reported by David Woodhouse.

** libgnutls: DSA key generation in FIPS140-2 mode doesn't allow 1024
bit parameters.

** libgnutls: fixed issue in gnutls_pkcs11_reinit() which prevented tokens
being usable after a reinitialization.

** libgnutls: fixed PKCS #11 private key operations after a fork.

** libgnutls: fixed PKCS #11 ECDSA key generation.

** libgnutls: The GNUTLS_CPUID_OVERRIDE environment variable can be used to
explicitly enable/disable the use of certain CPU capabilities. Note that CPU
detection cannot be overriden, i.e., VIA options cannot be enabled on an Intel
CPU. The currently available options are:
  0x1: Disable all run-time detected optimizations
  0x2: Enable AES-NI
  0x4: Enable SSSE3
  0x8: Enable PCLMUL
  0x100000: Enable VIA padlock
  0x200000: Enable VIA PHE
  0x400000: Enable VIA PHE SHA512

** libdane: added dane_query_to_raw_tlsa(); patch by Simon Arlott.

** p11tool: use GNUTLS_SO_PIN to read the security officer's PIN if set.

** p11tool: ask for label when one isn't provided.

** p11tool: added --batch parameter to disable any interactivity.

** p11tool: will not implicitly enable so-login for certain types of
objects. That avoids issues with tokens that require different login
types.

** certtool/p11tool: Added the --curve parameter which allows to explicitly
specify the curve to use.

** API and ABI modifications:
gnutls_certificate_set_x509_trust_dir: Added
gnutls_x509_trust_list_add_trust_dir: Added


* Version 3.3.5 (released 2014-06-26)

** libgnutls: Added gnutls_record_recv_packet() and gnutls_packet_deinit().
These functions provide a variant of gnutls_record_recv() that avoids
the final memcpy of data.

** libgnutls: gnutls_x509_crl_iter_crt_serial() was added as a
faster variant of gnutls_x509_crl_get_crt_serial() when coping with
very large structures.

** libgnutls: When the decoding of a printable DN element fails, then treat
it as unknown and print its hex value rather than failing. That works around
an issue in a TURKTRST root certificate which improperly encodes the
X520countryName element.

** libgnutls: gnutls_x509_trust_list_add_trust_file() will return the number
of certificates present in a PKCS #11 token when loading it.

** libgnutls: Allow the post client hello callback to put the handshake on
hold, by returning GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED.

** certtool: option --to-p12 will now consider --load-ca-certificate

** certtol: Added option to specify the PKCS #12 friendly name on command
line.

** p11tool: Allow marking a certificate copied to a token as a CA.

** API and ABI modifications:
GNUTLS_PKCS11_OBJ_FLAG_MARK_CA: Added
gnutls_x509_crl_iter_deinit: Added
gnutls_x509_crl_iter_crt_serial: Added
gnutls_record_recv_packet: Added
gnutls_packet_deinit: Added
gnutls_packet_get: Added


* Version 3.3.4 (released 2014-05-31)

** libgnutls: Updated Andy Polyakov's assembly code. That prevents a
crash on certain CPUs.

** API and ABI modifications:
No changes since last version.


* Version 3.3.3 (released 2014-05-30)

** libgnutls: Eliminated memory corruption issue in Server Hello parsing.
Issue reported by Joonas Kuorilehto of Codenomicon.

** libgnutls: gnutls_global_set_mutex() was modified to operate with the
new initialization process.

** libgnutls: Increased the maximum certificate size buffer
in the PKCS #11 subsystem.

** libgnutls: Check the return code of getpwuid_r() instead of relying
on the result value. That avoids issue in certain systems, when using
tofu authentication and the home path cannot be determined. Issue reported
by Viktor Dukhovni.

** libgnutls-dane: Improved dane_verify_session_crt(), which now attempts to
create a full chain. This addresses points from https://savannah.gnu.org/support/index.php?108552

** gnutls-cli: --dane will only check the end certificate if PKIX validation
has been disabled.

** gnutls-cli: --benchmark-soft-ciphers has been removed. That option cannot
be emulated with the implicit initialization of gnutls.

** certtool: Allow multiple organizations and organizational unit names to
be specified in a template.

** certtool: Warn when invalid configuration options are set to a template.

** ocsptool: Include path in ocsp request. This resolves #108582
(https://savannah.gnu.org/support/?108582), reported by Matt McCutchen.

** API and ABI modifications:
gnutls_credentials_get: Added


* Version 3.3.2 (released 2014-05-06)

** libgnutls: Added the 'very weak' certificate verification profile
that corresponds to 64-bit security level.

** libgnutls: Corrected file descriptor leak on random generator
initialization.

** libgnutls: Corrected file descriptor leak on PSK password file
reading. Issue identified using the Codenomicon TLS test suite.

** libgnutls: Avoid deinitialization if initialization has failed.

** libgnutls: null-terminate othername alternative names.

** libgnutls: gnutls_x509_trust_list_get_issuer() will operate correctly
on a PKCS #11 trust list.

** libgnutls: Several small bug fixes identified using valgrind and
the Codenomicon TLS test suite.

** libgnutls-dane: Accept a certificate using DANE if there is at least one
entry that matches the certificate. Patch by simon [at] arlott.org.

** libgnutls-guile: Fixed compilation issue.

** certtool: Allow exporting a CRL on DER format.

** certtool: The ECDSA keys generated by default use the SECP256R1 curve
which is supported more widely than the previously used SECP224R1.

** API and ABI modifications:
GNUTLS_PROFILE_VERY_WEAK: Added


* Version 3.3.1 (released 2014-04-19)

** libgnutls: Enforce more strict checks to heartbeat messages
concerning padding and payload. Suggested by Peter Dettman.

** libgnutls: Allow decoding PKCS #8 files with ECC parameters
from openssl.

** libgnutls: Several small bug fixes found by coverity.

** libgnutls: The conditionally available self-test functions
were moved to self-test.h.

** libgnutls: Fixed issue with the check of incoming data when two
different recv and send pointers have been specified. Reported and
investigated by JMRecio.

** libgnutls: Fixed issue in the RSA-PSK key exchange, which would
result to illegal memory access if a server hint was provided. Reported
by André Klitzing.

** libgnutls: Fixed client memory leak in the PSK key exchange, if a
server hint was provided.

** libgnutls: Corrected the *get_*_othername_oid() functions.

** API and ABI modifications:
No changes since last version.


* Version 3.3.0 (released 2014-04-10)

** libgnutls: The initialization of the library was moved to a
constructor. That is, gnutls_global_init() is no longer required
unless linking with a static library or a system that does not
support library constructors.

** libgnutls: static libraries are not built by default.

** libgnutls: PKCS #11 initialization is delayed to first usage.
That avoids long delays in gnutls initialization due to broken PKCS #11
modules.

** libgnutls: The PKCS #11 subsystem is re-initialized "automatically"
on the first PKCS #11 API call after a fork.

** libgnutls: certificate verification profiles were introduced
that can be specified as flags to verification functions. They
are enumerations in gnutls_certificate_verification_profiles_t
and can be converted to flags for use in a verification function
using GNUTLS_PROFILE_TO_VFLAGS().

** libgnutls: Added the ability to read system-specific initial
keywords, if they are prefixed with '@'. That allows a compile-time
specified configuration file to be used to read pre-configured priority
strings from. That can be used to impose system specific policies.

** libgnutls: Increased the default security level of priority
strings (NORMAL and PFS strings require at minimum a 1008 DH prime),
and set a verification profile by default.  The LEGACY keyword is
introduced to set the old defaults.

** libgnutls: Added support for the name constraints PKIX extension.
Currently only DNS names and e-mails are supported (no URIs, IPs
or DNs).

** libgnutls: Security parameter SEC_PARAM_NORMAL was renamed to
SEC_PARAM_MEDIUM to avoid confusion with the priority string NORMAL.

** libgnutls: Added new API in x509-ext.h to handle X.509 extensions.
This API handles the X.509 extensions in isolation, allowing to parse
similarly formatted extensions stored in other structures.

** libgnutls: When generating DSA keys the macro GNUTLS_SUBGROUP_TO_BITS
can be used to specify a particular subgroup as the number of bits in
gnutls_privkey_generate; e.g., GNUTLS_SUBGROUP_TO_BITS(2048, 256).

** libgnutls: DH parameter generation is now delegated to nettle.
That unfortunately has the side-effect that DH parameters longer than
3072 bits, cannot be generated (not without a nettle update).

** libgnutls: Separated nonce RNG from the main RNG. The nonce
random number generator is based on salsa20/12.

** libgnutls: The buffer alignment provided to crypto backend is
enforced to be 16-byte aligned, when compiled with cryptodev
support. That allows certain cryptodev drivers to operate more
efficiently.

** libgnutls: Return error when a public/private key pair that doesn't
match is set into a credentials structure.

** libgnutls: Depend on p11-kit 0.20.0 or later.

** libgnutls: The new padding (%NEW_PADDING) experimental TLS extension has
been removed. It was not approved by IETF.

** libgnutls: The experimental xssl library is removed from the gnutls
distribution.

** libgnutls: Reduced the number of gnulib modules used in the main library.

** libgnutls: Added priority string %DISABLE_WILDCARDS.

** libgnutls: Added the more extensible verification function
gnutls_certificate_verify_peers(), that allows checking, in addition
to a peer's DNS hostname, for the key purpose of the end certificate
(via PKIX extended key usage).

** certtool: Timestamps for serial numbers were increased to 8 bytes,
and in batch mode to 12 (appended with 4 random bytes).

** certtool: When no CRL number is provided (or value set to -1), then
a time-based number will be used, similarly to the serial generation
number in certificates.

** certtool: Print the SHA256 fingerprint of a certificate in addition
to SHA1.

** libgnutls: Added --enable-fips140-mode configuration option (unsupported).
That option enables (when running on FIPS140-enabled system):
 o RSA, DSA and DH key generation as in FIPS-186-4 (using provable primes)
 o The DRBG-CTR-AES256 deterministic random generator from SP800-90A.
 o Self-tests on initialization on ciphers/MACs, public key algorithms
   and the random generator.
 o HMAC-SHA256 verification of the library on load.
 o MD5 is included for TLS purposes but cannot be used by the high level
   hashing functions.
 o All ciphers except AES are disabled.
 o All MACs and hashes except GCM and SHA are disabled (e.g., HMAC-MD5).
 o All keys (temporal and long term) are zeroized after use.
 o Security levels are adjusted to the FIPS140-2 recommendations (rather
   than ECRYPT).

** API and ABI modifications:
GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS: Added
gnutls_certificate_verify_peers: Added
gnutls_privkey_generate: Added
gnutls_pkcs11_crt_is_known: Added
gnutls_fips140_mode_enabled: Added
gnutls_sec_param_to_symmetric_bits: Added
gnutls_pubkey_export_ecc_x962: Added (replaces gnutls_pubkey_get_pk_ecc_x962)
gnutls_pubkey_export_ecc_raw: Added (replaces gnutls_pubkey_get_pk_ecc_raw)
gnutls_pubkey_export_dsa_raw: Added (replaces gnutls_pubkey_get_pk_dsa_raw)
gnutls_pubkey_export_rsa_raw: Added (replaces gnutls_pubkey_get_pk_rsa_raw)
gnutls_pubkey_verify_params: Added
gnutls_privkey_export_ecc_raw: Added
gnutls_privkey_export_dsa_raw: Added
gnutls_privkey_export_rsa_raw: Added
gnutls_privkey_import_ecc_raw: Added
gnutls_privkey_import_dsa_raw: Added
gnutls_privkey_import_rsa_raw: Added
gnutls_privkey_verify_params: Added
gnutls_x509_crt_check_hostname2: Added
gnutls_openpgp_crt_check_hostname2: Added
gnutls_x509_name_constraints_init: Added
gnutls_x509_name_constraints_deinit: Added
gnutls_x509_crt_get_name_constraints: Added
gnutls_x509_name_constraints_add_permitted: Added
gnutls_x509_name_constraints_add_excluded: Added
gnutls_x509_crt_set_name_constraints: Added
gnutls_x509_name_constraints_get_permitted: Added
gnutls_x509_name_constraints_get_excluded: Added
gnutls_x509_name_constraints_check: Added
gnutls_x509_name_constraints_check_crt: Added
gnutls_x509_crl_get_extension_data2: Added
gnutls_x509_crt_get_extension_data2: Added
gnutls_x509_crq_get_extension_data2: Added
gnutls_subject_alt_names_init: Added
gnutls_subject_alt_names_deinit: Added
gnutls_subject_alt_names_get: Added
gnutls_subject_alt_names_set: Added
gnutls_x509_ext_import_subject_alt_names: Added
gnutls_x509_ext_export_subject_alt_names: Added
gnutls_x509_crl_dist_points_init: Added
gnutls_x509_crl_dist_points_deinit: Added
gnutls_x509_crl_dist_points_get: Added
gnutls_x509_crl_dist_points_set: Added
gnutls_x509_ext_import_crl_dist_points: Added
gnutls_x509_ext_export_crl_dist_points: Added
gnutls_x509_ext_import_name_constraints: Added
gnutls_x509_ext_export_name_constraints: Added
gnutls_x509_aia_init: Added
gnutls_x509_aia_deinit: Added
gnutls_x509_aia_get: Added
gnutls_x509_aia_set: Added
gnutls_x509_ext_import_aia: Added
gnutls_x509_ext_export_aia: Added
gnutls_x509_ext_import_subject_key_id: Added
gnutls_x509_ext_export_subject_key_id: Added
gnutls_x509_ext_export_authority_key_id: Added
gnutls_x509_ext_import_authority_key_id: Added
gnutls_x509_aki_init: Added
gnutls_x509_aki_get_id: Added
gnutls_x509_aki_get_cert_issuer: Added
gnutls_x509_aki_set_id: Added
gnutls_x509_aki_set_cert_issuer: Added
gnutls_x509_aki_deinit: Added
gnutls_x509_ext_import_private_key_usage_period: Added
gnutls_x509_ext_export_private_key_usage_period: Added
gnutls_x509_ext_import_basic_constraints: Added
gnutls_x509_ext_export_basic_constraints: Added
gnutls_x509_ext_import_key_usage: Added
gnutls_x509_ext_export_key_usage: Added
gnutls_x509_ext_import_proxy: Added
gnutls_x509_ext_export_proxy: Added
gnutls_x509_policies_init: Added
gnutls_x509_policies_deinit: Added
gnutls_x509_policies_get: Added
gnutls_x509_policies_set: Added
gnutls_x509_ext_import_policies: Added
gnutls_x509_ext_export_policies: Added
gnutls_x509_key_purpose_init: Added
gnutls_x509_key_purpose_deinit: Added
gnutls_x509_key_purpose_set: Added
gnutls_x509_key_purpose_get: Added
gnutls_x509_ext_import_key_purposes: Added
gnutls_x509_ext_export_key_purposes: Added
gnutls_digest_self_test: Added (conditionally)
gnutls_mac_self_test: Added (conditionally)
gnutls_pk_self_test: Added (conditionally)
gnutls_cipher_self_test: Added (conditionally)
gnutls_global_set_mem_functions: Deprecated

Revision 1.152 / (download) - annotate - [select for diffs], Wed Feb 11 11:25:57 2015 UTC (8 years, 1 month ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2015Q1-base, pkgsrc-2015Q1
Changes since 1.151: +2 -2 lines
Diff to previous 1.151 (colored)

Changes 3.2.21:
** libgnutls: Corrected regression introduced in 3.2.19 related to
session renegotiation. Reported by Dan Winship.
** libgnutls: Corrected parsing issue with OCSP responses.
** API and ABI modifications:
No changes since last version.

Revision 1.151 / (download) - annotate - [select for diffs], Fri Dec 5 12:43:24 2014 UTC (8 years, 3 months ago) by khorben
Branch: MAIN
CVS Tags: pkgsrc-2014Q4-base, pkgsrc-2014Q4
Changes since 1.150: +2 -2 lines
Diff to previous 1.150 (colored)

Packaged gnutls 3.2.20

* Version 3.2.20 (released 2014-11-10)

** libgnutls: Removed superfluous random generator refresh on every call
of gnutls_deinit(). That reduces load and usage of /dev/urandom.

** libgnutls: Corrected issue in export of ECC parameters to X9.63 format.
Reported by Sean Burford [GNUTLS-SA-2014-5].

** API and ABI modifications:
No changes since last version.

Revision 1.150 / (download) - annotate - [select for diffs], Fri Dec 5 12:25:42 2014 UTC (8 years, 3 months ago) by khorben
Branch: MAIN
Changes since 1.149: +3 -3 lines
Diff to previous 1.149 (colored)

Packaged gnutls 3.2.19

* Version 3.2.19 (released 2014-10-13)

** libgnutls: Fixes in the transparent import of PKCS #11 certificates.
Reported by Joseph Peruski.

** libgnutls: Fixed issue with unexpected non-fatal errors resetting the
handshake's hash buffer, in applications using the heartbeat extension
or DTLS. Reported by Joeri de Ruiter.

** libgnutls: fix issue in DTLS retransmission when session tickets
were in use; reported by Manuel Pégourié-Gonnard.

** libgnutls: Prevent abort() in library if getrusage() fails. Try to
detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work.

** guile: new 'set-session-server-name!' procedure; see the manual for
details.

** API and ABI modifications:
No changes since last version.

Revision 1.149 / (download) - annotate - [select for diffs], Fri Oct 10 11:40:15 2014 UTC (8 years, 5 months ago) by adam
Branch: MAIN
Changes since 1.148: +2 -2 lines
Diff to previous 1.148 (colored)

Changes 3.2.18:

** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle
strings with embedded spaces and escaped commas.

** libgnutls: Corrected gnutls_x509_crl_verify() which would always report
a CRL signature as invalid.

** libgnutls: Fixed issue with certificates being sanitized by gnutls prior
to signature verification. That resulted to certain non-DER compliant modifications
of valid certificates, being corrected by libtasn1's parser and restructured as
the original.

Revision 1.148 / (download) - annotate - [select for diffs], Thu Oct 9 14:06:52 2014 UTC (8 years, 5 months ago) by wiz
Branch: MAIN
Changes since 1.147: +1 -3 lines
Diff to previous 1.147 (colored)

Remove pkgviews: don't set PKG_INSTALLATION_TYPES in Makefiles.

Revision 1.147 / (download) - annotate - [select for diffs], Sat Aug 30 12:45:11 2014 UTC (8 years, 6 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2014Q3-base, pkgsrc-2014Q3
Changes since 1.146: +2 -2 lines
Diff to previous 1.146 (colored)

Changes 3.2.17:
** libgnutls: initialize parameters variable on PKCS 8 decryption.
** libgnutls: Explicitly set the exponent in PKCS 11 key generation.
That improves compatibility with certain PKCS 11 modules. Contributed by
Wolfgang Meyer zu Bergsten.
** libgnutls: gnutls_pkcs12_verify_mac() will not fail in other than SHA1
algorithms.
** libgnutls: when checking the hostname of a certificate with multiple CNs
ensure that the "most specific" CN is being used.
** libgnutls: In DTLS ignore only errors that relate to unexpected packets
and decryption failures.
** API and ABI modifications:
No changes since last version.

Revision 1.144.2.1 / (download) - annotate - [select for diffs], Wed Jun 4 16:15:38 2014 UTC (8 years, 9 months ago) by schnoebe
Branch: pkgsrc-2014Q1
Changes since 1.144: +2 -2 lines
Diff to previous 1.144 (colored) next main 1.145 (colored)

Pullup ticket #4430 - requested by tron
security/gnutls: security update

Revisions pulled up:
- security/gnutls/Makefile                                      1.146
- security/gnutls/distinfo                                      1.106

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Fri May 30 13:20:23 UTC 2014

   Modified Files:
   	pkgsrc/security/gnutls: Makefile distinfo

   Log Message:
   Update to 3.2.15:

   * Version 3.2.15 (released 2014-05-30)

   ** libgnutls: Eliminated memory corruption issue in Server Hello parsing.
   Issue reported by Joonas Kuorilehto of Codenomicon.

   ** libgnutls: Several memory leaks caused by error conditions were
   fixed. The leaks were identified using valgrind and the Codenomicon
   TLS test suite.

   ** libgnutls: Increased the maximum certificate size buffer
   in the PKCS #11 subsystem.

   ** libgnutls: Check the return code of getpwuid_r() instead of relying
   on the result value. That avoids issue in certain systems, when using
   tofu authentication and the home path cannot be determined. Issue reported
   by Viktor Dukhovni.

   ** gnutls-cli: if dane is requested but not PKIX verification, then
   only do verify the end certificate.

   ** ocsptool: Include path in ocsp request. This resolves #108582
   (https://savannah.gnu.org/support/?108582), reported by Matt McCutchen.

   ** API and ABI modifications:
   No changes since last version.

   * Version 3.2.14 (released 2014-05-06)

   ** libgnutls: Fixed issue with the check of incoming data when two
   different recv and send pointers have been specified. Reported and
   investigated by JMRecio.

   ** libgnutls: Fixed issue in the RSA-PSK key exchange, which would
   result to illegal memory access if a server hint was provided.

   ** libgnutls: Fixed client memory leak in the PSK key exchange, if a
   server hint was provided.

   ** libgnutls: Several small bug fixes identified using valgrind and
   the Codenomicon TLS test suite.

   ** libgnutls: Several small bug fixes found by coverity.

   ** libgnutls-dane: Accept a certificate using DANE if there is at least one
   entry that matches the certificate. Patch by simon [at] arlott.org.

   ** configure: Added --with-nettle-mini option, which allows linking
   with a libnettle that contains gmp.

   ** certtool: The ECDSA keys generated by default use the SECP256R1 curve
   which is supported more widely than the previously used SECP224R1.

   ** API and ABI modifications:
   No changes since last version.

   * Version 3.2.13 (released 2014-04-07)

   ** libgnutls: gnutls_openpgp_keyring_import will no longer fail silently
   if there are no base64 data. Report and patch by Ramkumar Chinchani.

   ** libgnutls: gnutls_record_send is now safe to be called under DTLS when
   in corked mode.

   ** libgnutls: Ciphersuites that use the SHA256 or SHA384 MACs are
   only available in TLS 1.0 as SSL 3.0 doesn't specify parameters for
   these algorithms.

   ** libgnutls: Changed the behaviour in wildcard acceptance in certificates.
   Wildcards are only accepted when there are more than two domain components
   after the wildcard. This drops support for the permissive RFC2818 wildcards
   and adds more conservative support based on the suggestions in RFC6125. Suggested
   by Jeffrey Walton.

   ** certtool: When no password is provided to export a PKCS #8 keys, do
   not encrypt by default. This reverts to the certtool behavior of gnutls
   3.0. The previous behavior of encrypting using an empty password can be
   replicating using the new parameter --empty-password.

   ** p11tool: Avoid dual initialization of the PKCS #11 subsystem when
   the --provider option is given.

   ** API and ABI modifications:
   No changes since last version.

Revision 1.146 / (download) - annotate - [select for diffs], Fri May 30 13:20:23 2014 UTC (8 years, 9 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2014Q2-base, pkgsrc-2014Q2
Changes since 1.145: +2 -3 lines
Diff to previous 1.145 (colored)

Update to 3.2.15:

* Version 3.2.15 (released 2014-05-30)

** libgnutls: Eliminated memory corruption issue in Server Hello parsing.
Issue reported by Joonas Kuorilehto of Codenomicon.

** libgnutls: Several memory leaks caused by error conditions were
fixed. The leaks were identified using valgrind and the Codenomicon
TLS test suite.

** libgnutls: Increased the maximum certificate size buffer
in the PKCS #11 subsystem.

** libgnutls: Check the return code of getpwuid_r() instead of relying
on the result value. That avoids issue in certain systems, when using
tofu authentication and the home path cannot be determined. Issue reported
by Viktor Dukhovni.

** gnutls-cli: if dane is requested but not PKIX verification, then
only do verify the end certificate.

** ocsptool: Include path in ocsp request. This resolves #108582
(https://savannah.gnu.org/support/?108582), reported by Matt McCutchen.

** API and ABI modifications:
No changes since last version.


* Version 3.2.14 (released 2014-05-06)

** libgnutls: Fixed issue with the check of incoming data when two
different recv and send pointers have been specified. Reported and
investigated by JMRecio.

** libgnutls: Fixed issue in the RSA-PSK key exchange, which would
result to illegal memory access if a server hint was provided.

** libgnutls: Fixed client memory leak in the PSK key exchange, if a
server hint was provided.

** libgnutls: Several small bug fixes identified using valgrind and
the Codenomicon TLS test suite.

** libgnutls: Several small bug fixes found by coverity.

** libgnutls-dane: Accept a certificate using DANE if there is at least one
entry that matches the certificate. Patch by simon [at] arlott.org.

** configure: Added --with-nettle-mini option, which allows linking
with a libnettle that contains gmp.

** certtool: The ECDSA keys generated by default use the SECP256R1 curve
which is supported more widely than the previously used SECP224R1.

** API and ABI modifications:
No changes since last version.


* Version 3.2.13 (released 2014-04-07)

** libgnutls: gnutls_openpgp_keyring_import will no longer fail silently
if there are no base64 data. Report and patch by Ramkumar Chinchani.

** libgnutls: gnutls_record_send is now safe to be called under DTLS when
in corked mode.

** libgnutls: Ciphersuites that use the SHA256 or SHA384 MACs are
only available in TLS 1.0 as SSL 3.0 doesn't specify parameters for
these algorithms.

** libgnutls: Changed the behaviour in wildcard acceptance in certificates.
Wildcards are only accepted when there are more than two domain components
after the wildcard. This drops support for the permissive RFC2818 wildcards
and adds more conservative support based on the suggestions in RFC6125. Suggested
by Jeffrey Walton.

** certtool: When no password is provided to export a PKCS #8 keys, do
not encrypt by default. This reverts to the certtool behavior of gnutls
3.0. The previous behavior of encrypting using an empty password can be
replicating using the new parameter --empty-password.

** p11tool: Avoid dual initialization of the PKCS #11 subsystem when
the --provider option is given.

** API and ABI modifications:
No changes since last version.

Revision 1.145 / (download) - annotate - [select for diffs], Thu May 29 23:37:19 2014 UTC (8 years, 9 months ago) by wiz
Branch: MAIN
Changes since 1.144: +2 -1 lines
Diff to previous 1.144 (colored)

Bump for perl-5.20.0.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.

Revision 1.144 / (download) - annotate - [select for diffs], Tue Mar 4 09:34:19 2014 UTC (9 years ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2014Q1-base
Branch point for: pkgsrc-2014Q1
Changes since 1.143: +2 -2 lines
Diff to previous 1.143 (colored)

Changes 3.2.12:

** libgnutls: Corrected certificate verification issue (GNUTLS-SA-2014-2)

** libgnutls: Corrected issue in gnutls_pcert_list_import_x509_raw
when provided with invalid data. Reported by Dmitriy Anisimkov.

** libgnutls: Corrected timeout issue in subsequent to the first
DTLS handshakes.

** libgnutls: Removed unconditional not-trusted message in
gnutls_certificate_verification_status_print() when used with
OpenPGP certificates. Reported by Michel Briand.

** libgnutls: All ciphersuites that were available in TLS1.0 or
later are now made available in SSL3.0 or later to prevent
any incompatibilities with servers that negotiate them in SSL 3.0.

** ocsptool: When verifying a response and a signer isn't provided
assume that the signer is the issuer.

** ocsptool: When sending a nonce, verify that the nonce exists
in the OCSP response.

** gnutls-cli: Added --strict-tofu option; contributed by Jens
Lechtenboerger.

** API and ABI modifications:
No changes since last version.

Revision 1.135.2.1 / (download) - annotate - [select for diffs], Thu Feb 20 12:31:26 2014 UTC (9 years, 1 month ago) by tron
Branch: pkgsrc-2013Q4
Changes since 1.135: +2 -1 lines
Diff to previous 1.135 (colored) next main 1.136 (colored)

Pullup ticket #4331 - requested by drochner
security/gnutls: security patch

Apply patch to fix security vulnerability reported in CVE-2014-1959.

Revision 1.143 / (download) - annotate - [select for diffs], Fri Feb 14 17:24:27 2014 UTC (9 years, 1 month ago) by drochner
Branch: MAIN
Changes since 1.142: +2 -4 lines
Diff to previous 1.142 (colored)

update to 3.2.11
changes:
Fix bug that prevented the rejection of v1 intermediate CA certificates
(CVE-2014-1959)

Revision 1.142 / (download) - annotate - [select for diffs], Mon Feb 10 12:01:19 2014 UTC (9 years, 1 month ago) by tron
Branch: MAIN
Changes since 1.141: +4 -3 lines
Diff to previous 1.141 (colored)

Add patch from GnuTLS repository to fix build of assembler routines
under Mac OS X. Crucial hint provided by Nikos Mavrogiannopoulos.

Revision 1.141 / (download) - annotate - [select for diffs], Sun Jan 26 09:38:33 2014 UTC (9 years, 1 month ago) by tron
Branch: MAIN
Changes since 1.140: +2 -2 lines
Diff to previous 1.140 (colored)

Update comment:
Assembler support is still broken under Mac OS X in version 3.2.9.
Somebody should re-check Solaris as well.

Revision 1.140 / (download) - annotate - [select for diffs], Sat Jan 25 10:59:22 2014 UTC (9 years, 1 month ago) by wiz
Branch: MAIN
Changes since 1.139: +3 -5 lines
Diff to previous 1.139 (colored)

Update to 3.2.9 based on patch from Richard Palo.
Assembler issues still seem to be there at least on SunOS.

* Version 3.2.9 (released 2014-01-24)

** libgnutls: The %DUMBFW option in priority string only
appends data to client hello if the expected size is in the
"black hole" range.

** libgnutls: %COMPAT implies %DUMBFW.

** libgnutls: gnutls_session_get_desc() returns a more compact
ciphersuite description.

* libgnutls: In PKCS #11 allow deleting multiple non-certificate data.

** libgnutls: When a PKCS #11 trust store is specified (e.g. using the
configure option --with-default-trust-store-pkcs11), then the PKCS #11
token is used on demand to obtain the trusted anchors, rather than
preloading all trusted certificates. That delegates CA certificate management
and blacklist checking to the PKCS #11 module.

** libgnutls: When a PKCS #11 trust store is specified in configure option
or in gnutls_x509_trust_list_add_trust_file(), then the module is used
to obtain the verification anchors and any required blacklists as in
http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-pkcs11.html

** libgnutls: Fix in OCSP certificate status extension handling
in non-blocking servers. Patch by Nils Maier.

** p11tool: Added --so-login option to force login as security
officer (admin).

** API and ABI modifications:
No changes since last version.

Revision 1.139 / (download) - annotate - [select for diffs], Tue Jan 21 12:13:16 2014 UTC (9 years, 2 months ago) by jperkin
Branch: MAIN
Changes since 1.138: +3 -3 lines
Diff to previous 1.138 (colored)

Disable inline assembly on SunOS for now too.

Revision 1.138 / (download) - annotate - [select for diffs], Fri Jan 17 19:13:37 2014 UTC (9 years, 2 months ago) by tron
Branch: MAIN
Changes since 1.137: +6 -1 lines
Diff to previous 1.137 (colored)

Disable assembler code under Mac OS X which is broken in this release.

Revision 1.137 / (download) - annotate - [select for diffs], Thu Jan 16 10:14:09 2014 UTC (9 years, 2 months ago) by wiz
Branch: MAIN
Changes since 1.136: +5 -2 lines
Diff to previous 1.136 (colored)

Update to 3.2.8.1.

Changes in 3.2.8.1:
Note, that I've realized that this release has issues with the
assembly files in win32 and macosx systems. In these systems
use gnutls 3.2.8.1.

3.2.8:

* Version 3.2.8 (released 2013-12-20)

** libgnutls: Updated code for AES-NI. That prevents an uninitialized
variable complaint from valgrind.

** libgnutls: Enforce a maximum size for DH primes.

** libgnutls: Added SSSE3 optimized SHA1, and SHA256, using Andy Polyakov's
code.

** libgnutls: Added SSSE3 optimized AES using Mike Hamburg's code.

** libgnutls: It only links to librt if the required functions are
not present in libc. This also prevents an indirect linking to libpthread.

** libgnutls: Fixed issue with gnulib strerror replacement by adding
the strerror gnulib module.

** libgnutls: The time provided in the TLS random values is only precise
on its first 3 bytes. That prevents leakage of the precise system
time (at least on the client side when only few connections are
done on a single server).

** certtool: The --verify option will use the system CAs if the
load-ca-certificate option is not provided.

** configure: Added option --with-default-blacklist-file to allow
specifying a certificate blacklist file.

** configure: Added --disable-non-suiteb-curves option. This option
restricts the supported curves to SuiteB curves.

** API and ABI modifications:
gnutls_record_check_corked: Added

Revision 1.136 / (download) - annotate - [select for diffs], Wed Jan 15 14:38:48 2014 UTC (9 years, 2 months ago) by wiz
Branch: MAIN
Changes since 1.135: +2 -1 lines
Diff to previous 1.135 (colored)

Disable autogen detection.
Addresses PR 48523 by Kai-Uwe Eckhardt.

Revision 1.135 / (download) - annotate - [select for diffs], Fri Nov 29 22:55:29 2013 UTC (9 years, 3 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2013Q4-base
Branch point for: pkgsrc-2013Q4
Changes since 1.134: +2 -2 lines
Diff to previous 1.134 (colored)

Update to 3.2.7:

* Version 3.2.7 (released 2013-11-23)

** libgnutls: gnutls_cipher_get_iv_size() now returns the correct IV size in
GCM ciphers (previously it returned the implicit IV used in TLS).

** libgnutls: gnutls_certificate_set_x509_key_file() et al when provided
with a PKCS #11 URL pointing to a certificate, will attempt to load the whole
chain.

** libgnutls: When traversing PKCS #11 tokens looking for an object, avoid
looking in unrelated to the object tokens.

** libgnutls: Added an experimental %DUMBFW option in priority strings. This
avoids a black hole behavior in some firewalls by sending a large client hello.
See http://www.ietf.org/mail-archive/web/tls/current/msg10423.html

** libgnutls: The GNUTLS_DEBUG_LEVEL variable if set to a log level number
will force output of debug messages to stderr.

** libgnutls: Fixed the setting of the ciphersuite when gnutls_premaster_set()
is used with another protocol than the GNUTLS_DTLS0_9 protocol.

** libgnutls: gnutls_x509_crt_set_expiration_time() will set the no well defined
expiration date when (time_t)-1 is specified as date.

** libgnutls: Session tickets are encrypted using AES-GCM.

** libgnutls: Corrected issue in record decompression. Issue pinpointed
by Frank Zschockel.

** libgnutls: Forbid all compression methods in DTLS.

** gnutls-serv: Fixed issue with IPv6 address in UDP mode.

** certtool: When exporting an encrypted PEM private key do not output the key
parameters.

** certtool: Expiration days template option allows for a -1 value which
will set to the no well defined expiration date (RFC5280), and no longer
chokes on integer overflows. Suggested by Stefan Buehler.

** certtool: Added new template options: 'activation_date', and
'expiration_date'.

** tools: The environment variable GNUTLS_PIN can be used to read any PIN
requested from tokens.

** tools: The installed version of libopts is used if the autogen tool is
present.

** API and ABI modifications:
gnutls_pkcs11_obj_export3: Added
gnutls_pkcs11_get_raw_issuer: Added
gnutls_est_record_overhead_size: Exported

Revision 1.134 / (download) - annotate - [select for diffs], Mon Nov 4 08:22:54 2013 UTC (9 years, 4 months ago) by wiz
Branch: MAIN
Changes since 1.133: +2 -1 lines
Diff to previous 1.133 (colored)

Add --without-tpm to configure arguments to have consistency across
platforms.
Reported by Richard PALO.

Revision 1.133 / (download) - annotate - [select for diffs], Thu Oct 31 14:41:48 2013 UTC (9 years, 4 months ago) by wiz
Branch: MAIN
Changes since 1.132: +3 -3 lines
Diff to previous 1.132 (colored)

Update to 3.2.6:

* Version 3.2.6 (released 2013-10-31)

** libgnutls: Support for TPM via trousers is now enabled by default.

** libgnutls: Camellia in GCM mode has been added in default priorities, and
GCM mode is prioritized over CBC in all of the default priority strings.

** libgnutls: Added ciphersuite GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384.

** libgnutls: Fixed ciphersuites GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384,
GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 and GNUTLS_PSK_CAMELLIA_128_GCM_SHA256.
Reported by Stefan Buehler.

** libgnutls: Added support for ISO OID for RSA-SHA1 signatures.

** libgnutls: Minimum acceptable DH group parameters were increased to 767
bits from 727.

** libgnutls: Added function to obtain random data from PKCS #11 tokens.
Contributed by Wolfgang Meyer zu Bergsten.

** gnulib: updated.

** libdane: Fixed a one-off bug in dane_query_tlsa() introduced by the
previous fix. Reported by Tomas Mraz.

** p11tool: Added option generate-random.

** API and ABI modifications:
gnutls_pkcs11_token_get_random: Added

Revision 1.132 / (download) - annotate - [select for diffs], Sun Oct 27 23:13:09 2013 UTC (9 years, 4 months ago) by wiz
Branch: MAIN
Changes since 1.131: +2 -2 lines
Diff to previous 1.131 (colored)

Update to 3.2.5:

* Version 3.2.5 (released 2013-10-23)

** libgnutls: Documentation and build-time fixes.

** libgnutls: Allow the generation of DH groups of less than 700 bits.

** libgnutls: Added several combinations of ciphersuites with SHA256 and SHA384 as MAC,
as well as Camellia with GCM.

** libdane: Added interfaces to allow initialization of dane_query_t from
external DNS resolutions, and to allow direct verification of a certificate
chain against a dane_query_t. Contributed by Christian Grothoff.

** libdane: Fixed a buffer overflow in dane_query_tlsa(). This could be
triggered by a DNS server supplying more than 4 DANE records. Report and fix
by Christian Grothoff.

** srptool: Fixed index command line option. Patch by Attila Molnar.

** gnutls-cli: Added support for inline commands, using the
--inline-commands-prefix and --inline-commands options. Patch by Raj Raman.

** certtool: pathlen constraint is now read correctly. Reported by
Christoph Seitz.

** API and ABI modifications:
gnutls_certificate_get_crt_raw: Added
dane_verify_crt_raw: Added
dane_raw_tlsa: Added


* Version 3.2.4 (released 2013-08-31)

** libgnutls: Fixes when session tickets and session DB are used.
Report and initial patch by Stefan Buehler.

** libgnutls: Added the RSA-PSK key exchange. Patch by by Frank Morgner,
based on previous patch by Bardenheuer GmbH and Bundesdruckerei GmbH.

** libgnutls: Added ciphersuites that use ARCFOUR with ECDHE. Patch
by Stefan Buehler.

** libgnutls: Added the PFS priority string option.

** libgnutls: Gnulib included files are strictly LGPLv2.

** libgnutls: Corrected gnutls_certificate_server_set_request().
Reported by Petr Pisar.

** API and ABI modifications:
gnutls_record_set_timeout: Exported

Revision 1.131 / (download) - annotate - [select for diffs], Thu Aug 1 20:00:59 2013 UTC (9 years, 7 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2013Q3-base, pkgsrc-2013Q3
Changes since 1.130: +2 -2 lines
Diff to previous 1.130 (colored)

Changes 3.2.3:
** libgnutls: Fixes in parsing of priority strings. Patch by Stefan Buehler.
** libgnutls: Solve issue with received TLS packets that exceed 2^14.
(this fixes a bug that was accidentally introduced in 3.2.2)
** libgnutls: Removed gnulib modules under LGPLv3 that could possibly be
used by the library.
** libgnutls: Fixes in gnutls_record_send_range().
** API and ABI modifications:
gnutls_priority_kx_list: Added
gnutls_priority_mac_list: Added
gnutls_priority_cipher_list: Added

Revision 1.130 / (download) - annotate - [select for diffs], Mon Jul 15 08:19:15 2013 UTC (9 years, 8 months ago) by wiz
Branch: MAIN
Changes since 1.129: +2 -3 lines
Diff to previous 1.129 (colored)

Update to 3.2.2, with SunOS updates from Jörn Clausen.

* Version 3.2.2 (released 2013-07-14)

** libgnutls: Several optimizations in the related to packet processing
subsystems.

** libgnutls: DTLS replay detection can now be disabled (to be used
in certain transport layers like SCTP).

** libgnutls: Fixes in SRTP extension generation when MKI is being
used.

** libgnutls: Added ability to set hooks before or after sending or receiving
any handshake message with gnutls_handshake_set_hook_function().

** API and ABI modifications:
GNUTLS_NO_REPLAY_PROTECTION: Added
gnutls_certificate_set_trust_list: Added
gnutls_cipher_get_tag_size: Added
gnutls_record_overhead_size: Added
gnutls_est_record_overhead_size: Added
gnutls_handshake_set_hook_function: Added
gnutls_handshake_description_get_name: Added
gnutls_digest_list: Added
gnutls_digest_get_id: Added
gnutls_digest_get_name: Added

Revision 1.129 / (download) - annotate - [select for diffs], Mon Jul 15 02:02:28 2013 UTC (9 years, 8 months ago) by ryoon
Branch: MAIN
Changes since 1.128: +2 -2 lines
Diff to previous 1.128 (colored)

* .include "../../devel/readline/buildlink3.mk" with USE_GNU_READLINE=yes
  are replaced with .include "../../devel/readline/buildlink3.mk", and
  USE_GNU_READLINE are removed,

* .include "../../devel/readline/buildlink3.mk" without USE_GNU_READLINE
  are replaced with .include "../../mk/readline.buildlink3.mk".

Revision 1.128 / (download) - annotate - [select for diffs], Tue Jul 9 11:11:11 2013 UTC (9 years, 8 months ago) by wiz
Branch: MAIN
Changes since 1.127: +2 -1 lines
Diff to previous 1.127 (colored)

Jörn Clausen reports that this needs librt on SunOS.

Revision 1.127 / (download) - annotate - [select for diffs], Mon Jul 8 08:30:01 2013 UTC (9 years, 8 months ago) by wiz
Branch: MAIN
Changes since 1.126: +4 -4 lines
Diff to previous 1.126 (colored)

Update to 3.2.1.

* Version 3.2.1 (released 2013-06-01)

** libgnutls: Allow ECC when in SSL 3.0 to work-around a bug in certain
openssl versions.

** libgnutls: Fixes in interrupted function resumption. Report
and patch by Tim Kosse.

** libgnutls: Corrected issue when receiving client hello verify requests
in DTLS.

** libgnutls: Fixes in DTLS record overhead size calculations.

** libgnutls: gnutls_handshake_get_last_in() was fixed. Reported
by Mann Ern Kang.

** API and ABI modifications:
gnutls_session_set_id: Added


* Version 3.2.0 (released 2013-05-10)

** libgnutls: Use nettle's elliptic curve implementation.

** libgnutls: Added Salsa20 cipher

** libgnutls: Added UMAC-96 and UMAC-128

** libgnutls: Added ciphersuites involving Salsa20 and UMAC-96.
As they are not standardized they are defined using private ciphersuite
numbers.

** libgnutls: Added support for DTLS 1.2.

** libgnutls: Added support for the Application Layer Protocol Negotiation
(ALPN) extension.

** libgnutls: Removed support for the RSA-EXPORT ciphersuites.

** libgnutls: Avoid linking to librt (that also avoids unnecessary
linking to pthreads if p11-kit isn't used).

** API and ABI modifications:
gnutls_cipher_get_iv_size: Added
gnutls_hmac_set_nonce: Added
gnutls_mac_get_nonce_size: Added


* Version 3.1.10 (released 2013-03-22)

** certtool: When generating PKCS #12 files use by default the
ARCFOUR (RC4) cipher to be compatible with devices that don't
support AES with PKCS #12.

** libgnutls: Load CA certificates in android 4.x systems.

** libgnutls: Optimized CA certificate loading.

** libgnutls: Private keys are overwritten on deinitialization.

** libgnutls: PKCS #11 slots are scanned only when needed, not
on initialization. This speeds up gnutls initialization when smart
cards are present.

** libgnutls: Corrected issue in the (deprecated) external key
signing interface, when used with TLS 1.2. Reported by Bjorn H. Christensen.

** libgnutls: Fixes in openpgp handshake with fingerprints. Reported by
Joke de Buhr.

** libgnutls-dane: Updated DANE verification options.

** configure: Trust store file must be explicitly set or unset when
cross compiling.

** API and ABI modifications:
gnutls_x509_crt_get_issuer_dn2: Added
gnutls_x509_crt_get_dn2: Added
gnutls_x509_crl_get_issuer_dn2: Added
gnutls_x509_crq_get_dn2: Added
gnutls_x509_trust_list_remove_trust_mem: Added
gnutls_x509_trust_list_remove_trust_file: Added
gnutls_x509_trust_list_remove_cas: Added
gnutls_session_get_desc: Added
gnutls_privkey_sign_raw_data: Added
gnutls_privkey_status: Added





* Version 3.1.9 (released 2013-02-27)

** certtool: Option --to-p12 will now ask for a password to generate
a PKCS #12 file from an encrypted key file. Reported by Yan Fiz.

** libgnutls: Corrected issue in gnutls_pubkey_verify_data().

** libgnutls: Corrected parsing issue in XMPP within a subject
alternative name. Reported by James Cloos.

** libgnutls: gnutls_pkcs11_reinit() will reinitialize all PKCS #11
modules, and not only the ones loaded via p11-kit.

** libgnutls: Added function to check whether the private key is
still available (inserted).

** libgnutls: Try to detect fork even during nonce generation.

** API and ABI modifications:
gnutls_handshake_set_random: Added
gnutls_transport_set_int2: Added
gnutls_transport_get_int2: Added
gnutls_transport_get_int: Added
gnutls_record_cork: Exported
gnutls_record_uncork: Exported
gnutls_pkcs11_privkey_status: Added


* Version 3.1.8 (released 2013-02-10)

** libgnutls: Fixed issue in gnutls_x509_privkey_import2() which didn't return
GNUTLS_E_DECRYPTION_FAILED in all cases, and affect certtool operation
with encrypted keys. Reported by Yan Fiz.

** libgnutls: The minimum DH bits accepted by priorities NORMAL and
PERFORMANCE was set to previous defaults 727 bits. Reported by Diego
Elio Petteno.

** libgnutls: Corrected issue which prevented gnutls_pubkey_verify_hash()
to operate with long keys. Reported by Erik A Jensen.

** API and ABI modifications:
No changes since last version.


* Version 3.1.7 (released 2013-02-04)

** certtool: Added option "dn" which allows to directly set the DN
in a template from an RFC4514 string.

** danetool: Added options: --dlv and --insecure. Suggested by Paul Wouters.

** libgnutls-xssl: Added a new library to simplify GnuTLS usage.

** libgnutls-dane: Added function to specify a DLV file.

** libgnutls: Heartbeat code was made optional.

** libgnutls: Fixes in server side of DTLS-0.9.

** libgnutls: DN variable 'T' was expanded to 'title'.

** libgnutls: Fixes in record padding parsing to prevent a timing attack.
Issue reported by Kenny Paterson and Nadhem Alfardan.

** libgnutls: Added functions to directly set the DN in a certificate
or request from an RFC4514 string.

** libgnutls: Optimizations in the random generator. The re-seeding of
it is now explicitly done on every session deinit.

** libgnutls: Simplified the DTLS sliding window implementation.

** libgnutls: The minimum DH bits accepted by a client are now set
by the specified priority string. The current values correspond to the
previous defaults (727 bits), except for the SECURE128 and SECURE192
strings which increase the minimum to 1248 and 1776 respectively.

** libgnutls: Added the gnutls_record_cork() and uncork API to enable
buffering in sending application data.

** libgnutls: Removed default random padding, and added a length-hiding interface
instead.  Both the server and the client must support this extension. Whether
length-hiding can be used on a given session can be checked using
gnutls_record_can_use_length_hiding(). Contributed by Alfredo Pironti.

** libgnutls: Added the experimental %NEW_PADDING priority string. It enables
a new padding mechanism in TLS allowing arbitrary padding in TLS records
in all ciphersuites, which makes length-hiding more efficient and solves
the issues with timing attacks on CBC ciphersuites.

** libgnutls: Corrected gnutls_cipher_decrypt2() when used with AEAD
ciphers (i.e., AES-GCM). Reported by William McGovern.

** API and ABI modifications:
gnutls_db_check_entry_time: Added
gnutls_record_set_timeout: Added
gnutls_record_get_random_padding_status: Added
gnutls_x509_crt_set_dn: Added
gnutls_x509_crt_set_issuer_dn: Added
gnutls_x509_crq_set_dn: Added
gnutls_range_split: Added
gnutls_record_send_range: Added
gnutls_record_set_max_empty_records: Added
gnutls_record_can_use_length_hiding: Added
gnutls_rnd_refresh: Added
xssl_deinit: Added
xssl_flush: Added
xssl_read: Added
xssl_getdelim: Added
xssl_write: Added
xssl_printf: Added
xssl_sinit: Added
xssl_client_init: Added
xssl_server_init: Added
xssl_get_session: Added
xssl_get_verify_status: Added
xssl_cred_init: Added
xssl_cred_deinit: Added
dane_state_set_dlv_file: Added
GNUTLS_SEC_PARAM_EXPORT: Added
GNUTLS_SEC_PARAM_VERY_WEAK: Added


* Version 3.1.6 (released 2013-01-02)

** libgnutls: Fixed record padding parsing issue. Reported by Kenny
Patterson and Nadhem Alfardan.

** libgnutls: Several updates in the ASN.1 string handling subsystem.

** libgnutls: gnutls_x509_crt_get_policy() allows for a list of zero
policy qualifiers.

** libgnutls: Ignore heartbeat messages when received out-of-order,
instead of issuing an error.

** libgnutls: Stricter RSA PKCS #1 1.5 encoding and decoding. Reported
by Kikuchi Masashi.

** libgnutls: TPM support is disabled by default because GPL programs
cannot link with it. Use --with-tpm to enable it.

** libgnutls-guile: Fixed parallel compilation issue.

** gnutls-cli: It will try to connect to all possible returned addresses
before failing.

** API and ABI modifications:
No changes since last version.


* Version 3.1.5 (released 2012-11-24)

** libgnutls: Added functions to parse the certificates policies
extension.

** libgnutls: Handle BMPString (UCS-2) encoding in the Distinguished
Name by translating it to UTF-8 (works on windows or systems with iconv).

** libgnutls: Added PKCS #11 key generation function that returns the
public key on generation.

** libgnutls: Corrected bug in priority string parsing, that mostly
affected combined levels. Patch by Tim Kosse.

** certtool: The --pubkey-info option can be combined with the
--load-privkey or --load-request to print the corresponding public keys.

** certtool: It is able to set certificate policies via a template.

** certtool: Added --hex-numbers option which prints big numbers in
an easier to parse format.

** p11tool: After key generation, outputs the public key (useful in
tokens that do not store the public key).

** danetool: It is being built even without libgnutls-dane (the
--check functionality is disabled though).

** API and ABI modifications:
gnutls_pkcs11_privkey_generate2: Added
gnutls_x509_crt_get_policy: Added
gnutls_x509_crt_set_policy: Added
gnutls_x509_policy_release: Added
gnutls_pubkey_import_x509_crq: Added
gnutls_pubkey_print: Added
GNUTLS_CRT_PRINT_FULL_NUMBERS: Added


* Version 3.1.4 (released 2012-11-10)

** libgnutls: gnutls_certificate_verify_peers2() will set flags depending on
the available revocation data validity.

** libgnutls: Added gnutls_certificate_verification_status_print(),
a function to print the verification status code in human readable text.

** libgnutls: Added priority string %VERIFY_DISABLE_CRL_CHECKS.

** libgnutls: Simplified certificate verification by adding
gnutls_certificate_verify_peers3().

** libgnutls: Added support for extension to establish keys for SRTP.
Contributed by Martin Storsjo.

** libgnutls: The X.509 verification functions check the key
usage bits and pathlen constraints and on failure output
GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE.

** libgnutls: gnutls_x509_crl_verify() includes the time checks.

** libgnutls: Added verification flag GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN
and made GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN the default.

** libgnutls: Always tolerate key usage violation errors from the side
of the peer, but also notify via an audit message.

** gnutls-cli: Added --local-dns option.

** danetool: Corrected bug that prevented loading PEM files.

** danetool: Added --check option to allow querying and verifying
a site's DANE data.

** libgnutls-dane: Added pkg-config file for the library.

** API and ABI modifications:
gnutls_session_get_id2: Added
gnutls_sign_is_secure: Added
gnutls_certificate_verify_peers3: Added
gnutls_ocsp_status_request_is_checked: Added
gnutls_certificate_verification_status_print: Added
gnutls_srtp_set_profile: Added
gnutls_srtp_set_profile_direct: Added
gnutls_srtp_get_selected_profile: Added
gnutls_srtp_get_profile_name: Added
gnutls_srtp_get_profile_id: Added
gnutls_srtp_get_keys: Added
gnutls_srtp_get_mki: Added
gnutls_srtp_set_mki: Added
gnutls_srtp_profile_t: Added
dane_cert_type_name: Added
dane_match_type_name: Added
dane_cert_usage_name: Added
dane_verification_status_print: Added
GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED: Added
GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE: Added
GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE: Added
GNUTLS_CERT_UNEXPECTED_OWNER: Added
GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN: Added


* Version 3.1.3 (released 2012-10-12)

** libgnutls: Added support for the OCSP Certificate Status
extension.

** libgnutls: gnutls_certificate_verify_peers2() will use the OCSP
certificate status extension in verification.

** libgnutls: Bug fixes in gnutls_x509_privkey_import_openssl().

** libgnutls: Increased maximum password length in the PKCS #12
functions.

** libgnutls: Fixed the receipt of session tickets during session resumption.
Reported by danblack at http://savannah.gnu.org/support/?108146

** libgnutls: Added functions to export structures in an allocated buffer.

** libgnutls: Added gnutls_ocsp_resp_check_crt() to check whether the OCSP
response corresponds to the given certificate.

** libgnutls: In client side gnutls_init() enables the session ticket and
OCSP certificate status request extensions by default. The flag
GNUTLS_NO_EXTENSIONS can be used to prevent that.

** libgnutls: Several updates in the OpenPGP code. The generating code
is fully RFC6091 compliant and RFC5081 support is only supported in client
mode.

** libgnutls-dane: Added. It is a library to provide DANE with DNSSEC
certificate verification.

** gnutls-cli: Added --dane option to enable DANE certificate verification.

** danetool: Added tool to generate DANE TLSA Resource Records (RR).

** API and ABI modifications:
gnutls_certificate_get_peers_subkey_id: Added
gnutls_certificate_set_ocsp_status_request_function: Added
gnutls_certificate_set_ocsp_status_request_file: Added
gnutls_ocsp_status_request_enable_client: Added
gnutls_ocsp_status_request_get: Added
gnutls_ocsp_resp_check_crt: Added
gnutls_dh_params_export2_pkcs3: Added
gnutls_pubkey_export2: Added
gnutls_x509_crt_export2: Added
gnutls_x509_dn_export2: Added
gnutls_x509_crl_export2: Added
gnutls_pkcs7_export2: Added
gnutls_x509_privkey_export2: Added
gnutls_x509_privkey_export2_pkcs8: Added
gnutls_x509_crq_export2: Added
gnutls_openpgp_crt_export2: Added
gnutls_openpgp_privkey_export2: Added
gnutls_pkcs11_obj_export2: Added
gnutls_pkcs12_export2: Added
gnutls_pubkey_import_openpgp_raw: Added
gnutls_pubkey_import_x509_raw: Added
dane_state_init: Added
dane_state_deinit: Added
dane_query_tlsa: Added
dane_query_status: Added
dane_query_entries: Added
dane_query_data: Added
dane_query_deinit: Added
dane_verify_session_crt: Added
dane_verify_crt: Added
dane_strerror: Added


* Version 3.1.2 (released 2012-09-26)

** libgnutls: Fixed bug in gnutls_x509_trust_list_add_system_trust()
and gnutls_x509_trust_list_add_trust_mem() that prevented the loading
of certificates in the windows platform.

** libgnutls: Corrected bug in OpenPGP subpacket encoding.

** libgnutls: Added support for DTLS/TLS heartbeats by Olga Smolenchuk.
(the work was done during Google Summer of Code).

** libgnutls: Added X.509 certificate verification flag
GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN. This flag allows the verification
of unsorted certificate chains and is enabled by default for
TLS certificate verification (if gnutls_certificate_set_verify_flags()
does not override it).

** libgnutls: Prints warning on certificates that contain keys of
an insecure level. If the %COMPAT priority flag is not specified
the TLS connection fails.

** libgnutls: Correctly restore gnutls_record_recv() in DTLS mode
if interrupted during the retrasmition of handshake data.

** libgnutls: Better mingw32 support (patch by LRN).

** libgnutls: The %COMPAT keyword, if specified, will tolerate
key usage violation errors (they are far too common to ignore).

** libgnutls: Added GNUTLS_STATELESS_COMPRESSION flag to gnutls_init(),
which provides a tool to counter compression-related attacks where
parts of the data are controlled by the attacker _and_ are placed in
separate records (use with care - do not use compression if not sure).

** libgnutls: Depends on libtasn1 2.14 or later.

** certtool: Prints the number of bits of the public key algorithm
parameter in a private key.

** API and ABI modifications:
gnutls_x509_privkey_get_pk_algorithm2: Added
gnutls_heartbeat_ping: Added
gnutls_heartbeat_pong: Added
gnutls_heartbeat_allowed: Added
gnutls_heartbeat_enable: Added
gnutls_heartbeat_set_timeouts: Added
gnutls_heartbeat_get_timeout: Added
GNUTLS_SEC_PARAM_WEAK: Added
GNUTLS_SEC_PARAM_INSECURE: Added

* Version 3.1.1 (released 2012-09-02)

** gnutls-serv: Listens on IPv6. Patch by Bernhard R. Link.

** certtool: Changes in password handling of certtool.
Ask password when required and only if the '--password' option is not
given. If the '--password' option is given during key generation then
assume the PKCS #8 file format, instead of ignoring the password.

** tpmtool: No longer asks for key password in registered keys.

** libgnutls: Elliptic curve code was optimized by Ilya Tumaykin.
wmNAF is now used for point multiplication and other optimizations.
(the major part of the work was done during Google Summer of Code).

** libgnutls: The default pull_timeout_function only uses select
instead of a combination of select() and recv() to prevent issues
when used in stream sockets in some systems.

** libgnutls: Be tolerant in ECDSA signature violations (e.g. using
SHA256 with a SECP384 curve instead of SHA-384), to interoperate with
openssl.

** libgnutls: Fixed DSA and ECDSA signature generation in smart
cards. Thanks to Andreas Schwier from cardcontact.de for providing
me with ECDSA capable smart cards.

** API and ABI modifications:
gnutls_sign_algorithm_get: Added
gnutls_sign_get_hash_algorithm: Added
gnutls_sign_get_pk_algorithm: Added


* Version 3.1.0 (released 2012-08-15)

** libgnutls: Added direct support for TPM as a cryptographic module
in gnutls/tpm.h. TPM keys can be used in functions accepting files
using URLs of the following types:
  tpmkey:file=/path/to/file
  tpmkey:uuid=7f468c16-cb7f-11e1-824d-b3a4f4b20343;storage=user

** libgnutls: Priority string level keywords can be combined.
For example the string "SECURE256:+SUITEB128" is now allowed.

** libgnutls: requires libnettle 2.5.

** libgnutls: Use the PKCS #1 1.5 encoding provided by nettle (2.5)
for encryption and signatures.

** libgnutls: Added GNUTLS_CERT_SIGNATURE_FAILURE to differentiate between
generic errors and signature verification errors in the verification
functions.

** libgnutls: Added gnutls_pkcs12_simple_parse() as a helper function
to simplify parsing in most PKCS #12 use cases.

** libgnutls: gnutls_certificate_set_x509_simple_pkcs12_file() adds
the whole certificate chain (if any) to the credentials structure, instead
of only the end-user certificate.

** libgnutls: Key import functions such as gnutls_pkcs12_simple_parse()
and gnutls_x509_privkey_import_pkcs8(), return consistently
GNUTLS_E_DECRYPTION_FAILED if the input structure is encrypted but no
password was provided.

** libgnutls: Added gnutls_handshake_set_timeout() a function that
allows to set the maximum time spent in a handshake.

** libgnutlsxx: Added session::set_transport_vec_push_function. Patch
by Alexandre Bique.

** tpmtool: Added. It is a tool to generate private keys in the
TPM.

** gnutls-cli: --benchmark-tls was split to --benchmark-tls-kx
and --benchmark-tls-ciphers

** certtool: generated PKCS #12 structures may hold more than one
private key. Patch by Lucas Fisher.

** certtool: Added option --null-password to generate/decrypt keys
that use a NULL password (in schemas that distinguish between NULL
an empty passwords).

** minitasn1: Upgraded to libtasn1 version 2.13.

** API and ABI modifications:
GNUTLS_CERT_SIGNATURE_FAILURE: Added
GNUTLS_CAMELLIA_192_CBC: Added
GNUTLS_PKCS_NULL_PASSWORD: Added
gnutls_url_is_supported: Added
gnutls_pkcs11_obj_list_import_url2: Added
gnutls_pkcs11_obj_set_pin_function: Added
gnutls_pkcs11_privkey_set_pin_function: Added
gnutls_pkcs11_get_pin_function: Added
gnutls_privkey_import_tpm_raw: Added
gnutls_privkey_import_tpm_url: Added
gnutls_privkey_import_pkcs11_url: Added
gnutls_privkey_import_openpgp_raw: Added
gnutls_privkey_import_x509_raw: Added
gnutls_privkey_import_ext2: Added
gnutls_privkey_import_url: Added
gnutls_privkey_set_pin_function: Added
gnutls_tpm_privkey_generate: Added
gnutls_tpm_key_list_deinit: Added
gnutls_tpm_key_list_get_url: Added
gnutls_tpm_get_registered: Added
gnutls_tpm_privkey_delete: Added
gnutls_pubkey_import_tpm_raw: Added
gnutls_pubkey_import_tpm_url: Added
gnutls_pubkey_import_url: Added
gnutls_pubkey_verify_hash2: Added
gnutls_pubkey_set_pin_function: Added
gnutls_x509_privkey_import2: Added
gnutls_x509_privkey_import_openssl: Added
gnutls_x509_crt_set_pin_function: Added
gnutls_load_file: Added
gnutls_pkcs12_simple_parse: Added
gnutls_certificate_set_x509_system_trust: Added
gnutls_certificate_set_pin_function: Added
gnutls_x509_trust_list_add_system_trust: Added
gnutls_x509_trust_list_add_trust_file: Added
gnutls_x509_trust_list_add_trust_mem: Added
gnutls_pk_to_sign: Added
gnutls_handshake_set_timeout: Added
gnutls_pubkey_verify_hash: Deprecated (use gnutls_pubkey_verify_hash2)
gnutls_pubkey_verify_data: Deprecated (use gnutls_pubkey_verify_data2)

Revision 1.126 / (download) - annotate - [select for diffs], Fri May 31 12:41:51 2013 UTC (9 years, 9 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2013Q2-base, pkgsrc-2013Q2
Changes since 1.125: +2 -1 lines
Diff to previous 1.125 (colored)

Bump all packages for perl-5.18, that
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package

Like last time, where this caused no complaints.

Revision 1.125 / (download) - annotate - [select for diffs], Wed Apr 10 15:09:10 2013 UTC (9 years, 11 months ago) by drochner
Branch: MAIN
Changes since 1.124: +2 -2 lines
Diff to previous 1.124 (colored)

update to 3.0.29
changes: minor fixes

Revision 1.122.2.1 / (download) - annotate - [select for diffs], Fri Feb 15 14:46:47 2013 UTC (10 years, 1 month ago) by tron
Branch: pkgsrc-2012Q4
Changes since 1.122: +4 -6 lines
Diff to previous 1.122 (colored) next main 1.123 (colored)

Pullup ticket #4074 - requested by drochner
security/gnutls: security update

Revisions pulled up:
- security/gnutls/Makefile                                      1.123-1.124
- security/gnutls/distinfo                                      1.92

---
   Module Name:    pkgsrc
   Committed By:   drochner
   Date:           Tue Jan 15 11:29:21 UTC 2013

   Modified Files:
           pkgsrc/security/gnutls: Makefile

   Log Message:
   wants to use pkg-config

---
   Module Name:    pkgsrc
   Committed By:   drochner
   Date:           Tue Feb 12 13:16:25 UTC 2013

   Modified Files:
           pkgsrc/security/gnutls: Makefile distinfo

   Log Message:
   update to 3.0.28
   changes: bugfixes

   This prevents the recent TLS CBC padding timing attack (CVE-2013-1619).

Revision 1.124 / (download) - annotate - [select for diffs], Tue Feb 12 13:16:25 2013 UTC (10 years, 1 month ago) by drochner
Branch: MAIN
CVS Tags: pkgsrc-2013Q1-base, pkgsrc-2013Q1
Changes since 1.123: +3 -5 lines
Diff to previous 1.123 (colored)

update to 3.0.28
changes: bugfixes

This prevents the recent TLS CBC padding timing attack (CVE-2013-1619).

Revision 1.123 / (download) - annotate - [select for diffs], Tue Jan 15 11:29:21 2013 UTC (10 years, 2 months ago) by drochner
Branch: MAIN
Changes since 1.122: +2 -2 lines
Diff to previous 1.122 (colored)

wants to use pkg-config

Revision 1.122 / (download) - annotate - [select for diffs], Tue Nov 6 19:01:36 2012 UTC (10 years, 4 months ago) by drochner
Branch: MAIN
CVS Tags: pkgsrc-2012Q4-base
Branch point for: pkgsrc-2012Q4
Changes since 1.121: +2 -2 lines
Diff to previous 1.121 (colored)

update to 3.0.25
changes:
--bugfixes
-added an OCSP function

Revision 1.121 / (download) - annotate - [select for diffs], Tue Oct 23 18:16:29 2012 UTC (10 years, 5 months ago) by asau
Branch: MAIN
Changes since 1.120: +1 -2 lines
Diff to previous 1.120 (colored)

Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.

Revision 1.120 / (download) - annotate - [select for diffs], Fri Oct 12 15:37:12 2012 UTC (10 years, 5 months ago) by adam
Branch: MAIN
Changes since 1.119: +2 -2 lines
Diff to previous 1.119 (colored)

MASTER_SITES fix

Revision 1.119 / (download) - annotate - [select for diffs], Wed Oct 10 11:44:30 2012 UTC (10 years, 5 months ago) by drochner
Branch: MAIN
Changes since 1.118: +2 -3 lines
Diff to previous 1.118 (colored)

update to 3.0.24
changes:
-better IPv6 support
-bugfixes
-minor improvements

Revision 1.118 / (download) - annotate - [select for diffs], Wed Oct 3 21:57:23 2012 UTC (10 years, 5 months ago) by wiz
Branch: MAIN
Changes since 1.117: +2 -1 lines
Diff to previous 1.117 (colored)

Bump all packages that use perl, or depend on a p5-* package, or
are called p5-*.

I hope that's all of them.

Revision 1.117 / (download) - annotate - [select for diffs], Fri Aug 24 13:36:52 2012 UTC (10 years, 6 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2012Q3-base, pkgsrc-2012Q3
Changes since 1.116: +2 -1 lines
Diff to previous 1.116 (colored)

Explicitly disable guile. PR 46830 by Sergey Litvinov.

Revision 1.116 / (download) - annotate - [select for diffs], Thu Aug 9 18:58:11 2012 UTC (10 years, 7 months ago) by drochner
Branch: MAIN
Changes since 1.115: +2 -2 lines
Diff to previous 1.115 (colored)

update to 3.0.22
changes: bugfixes

Revision 1.115 / (download) - annotate - [select for diffs], Tue Jul 24 18:34:06 2012 UTC (10 years, 8 months ago) by drochner
Branch: MAIN
Changes since 1.114: +2 -2 lines
Diff to previous 1.114 (colored)

update to 3.0.21
changes
-DTLS improvements
-bugfixes

Revision 1.114 / (download) - annotate - [select for diffs], Mon Jul 2 18:53:02 2012 UTC (10 years, 8 months ago) by drochner
Branch: MAIN
Changes since 1.113: +3 -5 lines
Diff to previous 1.113 (colored)

update to 3.0,20
This switches to the new stable release branch.

Revision 1.113 / (download) - annotate - [select for diffs], Mon Jul 2 16:30:01 2012 UTC (10 years, 8 months ago) by drochner
Branch: MAIN
Changes since 1.112: +2 -2 lines
Diff to previous 1.112 (colored)

update to 1.12.20
changes: bugfixes:
-Fixed memory leak in PKCS #8 key import
-Check key identifiers when checking for an issuer

pkgsrc note: This is just a last checkpoint on the 2.x branch, in case
 it will be needed for the Q2 branch. Will update to 3.x RSN.

Revision 1.112 / (download) - annotate - [select for diffs], Wed May 30 06:51:37 2012 UTC (10 years, 9 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2012Q2-base, pkgsrc-2012Q2
Changes since 1.111: +2 -2 lines
Diff to previous 1.111 (colored)

Changes 2.12.19:
* libgnutls: When decoding a PKCS #11 URL the pin-source field is assumed to be
  a file that stores the pin.
* libgnutls: Added strict tests in Diffie-Hellman and SRP key exchange public
  keys.
* minitasn1: Upgraded to libtasn1 version 2.13 (pre-release).

Revision 1.111 / (download) - annotate - [select for diffs], Tue Apr 17 17:53:01 2012 UTC (10 years, 11 months ago) by drochner
Branch: MAIN
Changes since 1.110: +2 -2 lines
Diff to previous 1.110 (colored)

update to 2.12.18
changes:
-Corrected SRP-RSA ciphersuites when used under TLS 1.2
-Fixed leaks in key generation

Revision 1.110 / (download) - annotate - [select for diffs], Thu Mar 15 16:41:48 2012 UTC (11 years ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2012Q1-base, pkgsrc-2012Q1
Changes since 1.109: +2 -2 lines
Diff to previous 1.109 (colored)

Changes 2.12.17:
* libgnutls: Corrections in record packet parsing.
* libgnutls: Fixes in SRP authentication.
* libgnutls: Added function to force explicit reinitialization of PKCS 11
  modules. This is required on the child process after a fork.
* libgnutls: PKCS 11 objects that do not have ID no longer crash listing.
* API and ABI modifications: gnutls_pkcs11_reinit: Added

Revision 1.109 / (download) - annotate - [select for diffs], Tue Jan 17 14:54:19 2012 UTC (11 years, 2 months ago) by drochner
Branch: MAIN
Changes since 1.108: +2 -3 lines
Diff to previous 1.108 (colored)

update to 2.12.16
changes: bugfixes

Revision 1.108 / (download) - annotate - [select for diffs], Wed Nov 16 08:23:49 2011 UTC (11 years, 4 months ago) by sbd
Branch: MAIN
CVS Tags: pkgsrc-2011Q4-base, pkgsrc-2011Q4
Changes since 1.107: +3 -1 lines
Diff to previous 1.107 (colored)

Add missing devel/readline buildlinks.

Bump PKGREVISIONs

Revision 1.107 / (download) - annotate - [select for diffs], Wed Nov 9 18:41:46 2011 UTC (11 years, 4 months ago) by drochner
Branch: MAIN
Changes since 1.106: +2 -2 lines
Diff to previous 1.106 (colored)

update to 2.12.14
This fixes a Possible buffer overflow/Denial of service problem
(CVE-2011-4128)

Revision 1.106 / (download) - annotate - [select for diffs], Sun Oct 30 18:07:55 2011 UTC (11 years, 4 months ago) by drochner
Branch: MAIN
Changes since 1.105: +2 -2 lines
Diff to previous 1.105 (colored)

update to 2.12.12
changes: minor fixes and cleanup

Revision 1.105 / (download) - annotate - [select for diffs], Thu Oct 6 17:56:25 2011 UTC (11 years, 5 months ago) by drochner
Branch: MAIN
Changes since 1.104: +2 -2 lines
Diff to previous 1.104 (colored)

update to 2.12.11
changes: bugfixes

Revision 1.104 / (download) - annotate - [select for diffs], Mon Sep 12 17:31:40 2011 UTC (11 years, 6 months ago) by drochner
Branch: MAIN
CVS Tags: pkgsrc-2011Q3-base, pkgsrc-2011Q3
Changes since 1.103: +2 -2 lines
Diff to previous 1.103 (colored)

update to 2.12.10
changes: bugfixes

Revision 1.103 / (download) - annotate - [select for diffs], Mon Aug 22 15:14:58 2011 UTC (11 years, 7 months ago) by wiz
Branch: MAIN
Changes since 1.102: +2 -2 lines
Diff to previous 1.102 (colored)

Update to 2.12.9:

* Version 2.12.9 (released 2011-08-21)

** libgnutls-extra: Replaced enumeration with unsigned
int, in openssl.h to make it identical to the 3.0.0 version.
This shouldn't introduce binary incompatibility.

** libgnutls: When asking for a PIN multiple times, the
flags in the callback were not being updated to reflect
for PIN low count or final try.

** API and ABI modifications:
GNUTLS_PKCS11_PIN_WRONG: New flag for PIN callback

Revision 1.102 / (download) - annotate - [select for diffs], Thu Aug 11 11:03:35 2011 UTC (11 years, 7 months ago) by adam
Branch: MAIN
Changes since 1.101: +7 -7 lines
Diff to previous 1.101 (colored)

Changes 2.12.8:
* libgnutls: PKCS-11 back-end was replaced by p11-kit
* libgnutls: gcrypt: replaced occurences of gcry_sexp_nth_mpi (..., 0)
  with gcry_sexp_nth_mpi (..., GCRYMPI_FMT_USG) to fix errors with 1.5.0.
* libgnutls: Verify that a certificate liste specified using
  gnutls_certificate_set_x509_key*(), is sorted according to TLS specification
* libgnutls: Added GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED flag for
  gnutls_x509_crt_list_import. It checks whether the list to be imported is
  properly sorted.
* libgnutls: writev_emu: stop on the first incomplete write.
* libgnutls: Fix zlib handling in gnutls.pc.
* certtool: bug fixes in certificate request generation.
* API and ABI modifications: GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED:
  New element in gnutls_certificate_import_flags

Revision 1.101 / (download) - annotate - [select for diffs], Mon Jul 11 16:10:29 2011 UTC (11 years, 8 months ago) by drochner
Branch: MAIN
Changes since 1.100: +5 -5 lines
Diff to previous 1.100 (colored)

update to 2.12.7
changes:
-bugfixes
-minor feature additions
pkgsrc change: since the pkg was changed to build against "nettle"
instead of libgcrypt (whether this was a good idea or not...), the
latter isn't needed anymore, so remove the stale dependency
This can cause build breakage -- in this case addition of a local
dependency should restore the old state. (This dependency is technically
unnecessary often, but the assumption that gnutls needs libgcrypt
is sometimes hardwired in configure scripts and/or code.)

Revision 1.100 / (download) - annotate - [select for diffs], Wed Apr 27 16:56:43 2011 UTC (11 years, 10 months ago) by tnn
Branch: MAIN
CVS Tags: pkgsrc-2011Q2-base, pkgsrc-2011Q2
Changes since 1.99: +2 -1 lines
Diff to previous 1.99 (colored)

"pkg-config --cflags gnutls" failed with:

Package zlib was not found in the pkg-config search path.

... there is no zlib.pc, so comment out the part of the configure
script that adds that to the pkg-config file.
Bump PKGREVISION.

Revision 1.99 / (download) - annotate - [select for diffs], Tue Apr 26 10:35:29 2011 UTC (11 years, 10 months ago) by adam
Branch: MAIN
Changes since 1.98: +3 -3 lines
Diff to previous 1.98 (colored)

Changes 2.12.3:
* libgnutls: Several minor bugfixes.
* libgnutls: Restored HMAC-MD5 for compatibility. Although considered weak,
  several sites require it for connection. It is enabled for "NORMAL" and
  "PERFORMANCE" priority strings.
* libgnutls: depend on libdl.
* libgnutls: gnutls_transport_set_global_errno() was deprecated. Use your
  system's errno fascility or gnutls_transport_set_errno().
* gnutls-cli: Correction with usage of select to check for pending data in
  gnutls sessions. It now uses gnutls_record_check_pending().
* tests: More fixes and updates for win32. Patches by LRN.
* libgnutls: Several files unnecessarily included <gcrypt.h>; this has been
  fixed.
** API and ABI modifications: gnutls_transport_set_global_errno: DEPRECATED

Changes 2.12.2:
* libgnutls: Several updates and fixes for win32. Patches by LRN.
* libgnutls: Several bug and memory leak fixes.
* srptool: Accepts the -d option to enable debugging.
* libgnutls: Corrected bug in gnutls_srp_verifier() that prevented the
  allocation of a verifier. Reported by Andrew Wiseman.

Changes 2.12.1:
* certtool: Generated certificate request with stricter permissions.
* libgnutls: Bug fixes in opencdk code. Reported by Vitaly Kruglikov.
* libgnutls: Corrected windows system_errno() function prototype.
* libgnutls: C++ compatibility fix for compat.h. Reported by Mark Brand.
* libgnutls: Fix size of gnutls_openpgp_keyid_t by using the
  GNUTLS_OPENPGP_KEYID_SIZE definition. Reported by Andreas Metzler.

Revision 1.98 / (download) - annotate - [select for diffs], Fri Apr 22 13:42:00 2011 UTC (11 years, 11 months ago) by obache
Branch: MAIN
Changes since 1.97: +2 -2 lines
Diff to previous 1.97 (colored)

recursive bump from gettext-lib shlib bump.

Revision 1.97 / (download) - annotate - [select for diffs], Wed Mar 9 10:52:25 2011 UTC (12 years ago) by drochner
Branch: MAIN
CVS Tags: pkgsrc-2011Q1-base, pkgsrc-2011Q1
Changes since 1.96: +2 -1 lines
Diff to previous 1.96 (colored)

fix installed pkgconfig .pc file: Don't refer to zlib.pc -- this
fails with system libz. We propagate a dependency per bl3 file,
this should be sufficient.
bump PKGREV

Revision 1.96 / (download) - annotate - [select for diffs], Mon Mar 7 13:45:34 2011 UTC (12 years ago) by adam
Branch: MAIN
Changes since 1.95: +2 -2 lines
Diff to previous 1.95 (colored)

Changes 2.10.5:
* libgnutls: Corrected verification of finished messages.
* libgnutls: Corrected signature generation and verification in the Certificate
  Verify message when in TLS 1.2.
* pkg-config gnutls.pc improvements.
* API and ABI modifications: No changes since last version.

Revision 1.95 / (download) - annotate - [select for diffs], Sun Dec 12 11:58:53 2010 UTC (12 years, 3 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2010Q4-base, pkgsrc-2010Q4
Changes since 1.94: +2 -2 lines
Diff to previous 1.94 (colored)

Update to 2.10.4:

* Version 2.10.4 (released 2010-12-06)

** gnutls-serv: Corrected a buffer overflow. Reported and patch by Tomas Mraz.

** libgnutls: Use ASN1_NULL when writing parameters for RSA signatures.
This makes us comply with RFC3279. Reported by Michael Rommel.

** libgnutls: Reverted default behavior for verification and
introduced GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT. Thus by default
V1 trusted CAs are allowed, unless the new flag is specified.

** minitasn1: Updated to Libtasn1 2.9.

** API and ABI modifications:
No changes since last version.

Revision 1.94 / (download) - annotate - [select for diffs], Fri Nov 26 17:56:14 2010 UTC (12 years, 3 months ago) by drochner
Branch: MAIN
Changes since 1.93: +2 -2 lines
Diff to previous 1.93 (colored)

update to 2.10.3
changes: bugfixes

Revision 1.93 / (download) - annotate - [select for diffs], Sat Oct 16 16:43:42 2010 UTC (12 years, 5 months ago) by wiz
Branch: MAIN
Changes since 1.92: +2 -2 lines
Diff to previous 1.92 (colored)

Update to 2.10.2:

* Version 2.10.2 (released 2010-09-30)

** Use Libtool 2.2.10 to ease MinGW64 builds.

** libgnutls: Add new extended key usage ipsecIKE.

** libgnutls: Is now more liberal in the PEM decoding.
That is spaces and tabs are being skipped.

** libgnutls: Renamed NULL MAC to MAC-NULL to prevent clash with NULL cipher.
This prevented the usage of the TLS ciphersuites with NULL cipher.
See <http://thread.gmane.org/gmane.network.gnutls.general/2093>.

** libgnutls: The %COMPAT flag now allows larger records that violate the
TLS spec.

** libgnutls: Fix asynchronous API handling.
The code was clearing session hash data on EAGAIN.  Problem reported
by Sjoerd Simons <sjoerd.simons@collabora.co.uk> and Vivek
Dasmohapatra <vivek@collabora.co.uk>.  See
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/4531>.

** gnutls-cli: Flush stdout/stderr before removing buffering.
Reported by Knut Anders Hatlen see
<http://savannah.gnu.org/support/?107481>.

Revision 1.92 / (download) - annotate - [select for diffs], Wed Sep 1 16:32:17 2010 UTC (12 years, 6 months ago) by drochner
Branch: MAIN
CVS Tags: pkgsrc-2010Q3-base, pkgsrc-2010Q3
Changes since 1.91: +2 -4 lines
Diff to previous 1.91 (colored)

update to 2.10.1
many fixes and API extensions, but still binary compatible afaict

Revision 1.91 / (download) - annotate - [select for diffs], Tue Apr 13 16:31:27 2010 UTC (12 years, 11 months ago) by drochner
Branch: MAIN
CVS Tags: pkgsrc-2010Q2-base, pkgsrc-2010Q2
Changes since 1.90: +2 -3 lines
Diff to previous 1.90 (colored)

update to 2.8.6
changes:
-interoperability improvements (especially for VeriSign)
-misc fixes
-translation updates

Revision 1.90 / (download) - annotate - [select for diffs], Wed Mar 24 19:43:28 2010 UTC (13 years ago) by asau
Branch: MAIN
CVS Tags: pkgsrc-2010Q1-base, pkgsrc-2010Q1
Changes since 1.89: +2 -1 lines
Diff to previous 1.89 (colored)

Recursive revision bump for GMP update.

Revision 1.89 / (download) - annotate - [select for diffs], Tue Nov 3 00:15:41 2009 UTC (13 years, 4 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2009Q4-base, pkgsrc-2009Q4
Changes since 1.88: +2 -2 lines
Diff to previous 1.88 (colored)

Update to 2.8.5:

* Version 2.8.5 (released 2009-11-02)

** libgnutls: In server side when resuming a session do not overwrite the
** initial session data with the resumed session data.

** libgnutls: Fix PKCS#12 encoding.
The error you would get was "The OID is not supported.".  Problem
introduced for the v2.8.x branch in 2.7.6.

** guile: Compatibility with guile 2.x.
By Ludovic Courtes <ludovic.courtes@laas.fr>.

** tests: Fix expired cert in chainverify self-test.

** tests: Fix time bomb in chainverify self-test.
Reported by Andreas Metzler <ametzler@downhill.at.eu.org> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3925>.

** API and ABI modifications:
No changes since last version.

Revision 1.88 / (download) - annotate - [select for diffs], Sat Oct 31 01:16:42 2009 UTC (13 years, 4 months ago) by wiz
Branch: MAIN
Changes since 1.87: +2 -2 lines
Diff to previous 1.87 (colored)

Update to 2.8.4:

* Version 2.8.4 (released 2009-09-18)

** libgnutls: Enable Camellia ciphers by default.

** libgnutls: Make OpenPGP hostname checking work again.
The patch to resolve the X.509 CN/SAN issue accidentally broken
OpenPGP hostname comparison.

** libgnutls: When printing X.509 certificates, handle XMPP SANs better.
Reported by Howard Chu <hyc@symas.com> in
<https://savannah.gnu.org/support/?106975>.

** API and ABI modifications:
No changes since last version.

Revision 1.87 / (download) - annotate - [select for diffs], Mon Oct 12 15:25:14 2009 UTC (13 years, 5 months ago) by reed
Branch: MAIN
Changes since 1.86: +2 -2 lines
Diff to previous 1.86 (colored)

Increase the BUILDLINK_API_DEPENDS.libgcrypt requirement.
The configure requires GCRY_CIPHER_CAMELLIA128.
(Not bumping PKGREVISION as this is a build issue.)

Revision 1.83.2.1 / (download) - annotate - [select for diffs], Sat Aug 29 09:49:13 2009 UTC (13 years, 6 months ago) by spz
Branch: pkgsrc-2009Q2
Changes since 1.83: +6 -3 lines
Diff to previous 1.83 (colored) next main 1.84 (colored)

Pullup ticket 2874 - requested by tron
security update

Revisions pulled up:
- pkgsrc/security/gnutls/Makefile		1.86
- pkgsrc/security/gnutls/PLIST			1.36
- pkgsrc/security/gnutls/distinfo		1.60

Files added:
pkgsrc/security/gnutls/patches/patch-ak		1.2
pkgsrc/security/gnutls/patches/patch-al		1.2

   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Sat Jul 18 10:32:32 UTC 2009

   Modified Files:
   	pkgsrc/security/gnutls: Makefile distinfo

   Log Message:
   Update to 2.8.1:

   * Version 2.8.1 (released 2009-06-10)

   ** libgnutls: Fix crash in gnutls_global_init after earlier init/deinit cyc=
   le.
   Forwarded by Martin von Gagern <Martin.vGagern@gmx.net> from
   <http://bugs.gentoo.org/272388>.

   ** libgnutls: Fix PKCS#12 decryption from password.
   The encryption key derived from the password was incorrect for (on
   average) 1 in every 128 input for random inputs.  Reported by "Kukosa,
   Tomas" <tomas.kukosa@siemens-enterprise.com> in
   <http://permalink.gmane.org/gmane.network.gnutls.general/1663>.

   ** API and ABI modifications:
   No changes since last version.


   To generate a diff of this commit:
   cvs rdiff -u -r1.83 -r1.84 pkgsrc/security/gnutls/Makefile
   cvs rdiff -u -r1.57 -r1.58 pkgsrc/security/gnutls/distinfo

   ----------------------------------------------------------------------

   Module Name:	pkgsrc
   Committed By:	drochner
   Date:		Wed Jul 22 16:50:07 UTC 2009

   Modified Files:
   	pkgsrc/security/gnutls: Makefile PLIST distinfo
   Added Files:
   	pkgsrc/security/gnutls/patches: patch-ak patch-al

   Log Message:
   disable the openssl compatibility library -- no pkg I know of needs
   it, and it only has a potential to conflict with the real openssl
   (bad things will happen if a program links or dlopen()s both)
   bump PKGREVISION
   (the bug fixed in the added patches is already fixed upstream, will
   be in the next release)


   To generate a diff of this commit:
   cvs rdiff -u -r1.84 -r1.85 pkgsrc/security/gnutls/Makefile
   cvs rdiff -u -r1.35 -r1.36 pkgsrc/security/gnutls/PLIST
   cvs rdiff -u -r1.58 -r1.59 pkgsrc/security/gnutls/distinfo
   cvs rdiff -u -r0 -r1.1 pkgsrc/security/gnutls/patches/patch-ak \
       pkgsrc/security/gnutls/patches/patch-al

   ----------------------------------------------------------------------

   Module Name:	pkgsrc
   Committed By:	snj
   Date:		Thu Aug 13 18:56:32 UTC 2009

   Modified Files:
   	pkgsrc/security/gnutls: Makefile distinfo
   	pkgsrc/security/gnutls/patches: patch-ak patch-al

   Log Message:
   Update to 2.8.3.  Changes:

   * Version 2.8.3 (released 2009-08-13)

   ** libgnutls: Fix patch for NUL in CN/SAN in last release.
   Code intended to be removed would lead to an read-out-bound error in
   some situations.  Reported by Tomas Hoger <thoger@redhat.com>.  A CVE
   code have been allocated for the vulnerability: [CVE-2009-2730].

   ** libgnutls: Fix rare failure in gnutls_x509_crt_import.
   The function may fail incorrectly when an earlier certificate was
   imported to the same gnutls_x509_crt_t structure.

   ** libgnutls-extra, libgnutls-openssl: Fix MinGW cross-compiling build
   error.

   ** tests: Made self-test mini-eagain take less time.

   ** doc: Typo fixes.

   ** API and ABI modifications:
   No changes since last version.

   * Version 2.8.2 (released 2009-08-10)

   ** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields.
   By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS
   into 1) not printing the entire CN/SAN field value when printing a
   certificate and 2) cause incorrect positive matches when matching a
   hostname against a certificate.  Some CAs apparently have poor
   checking of CN/SAN values and issue these (arguable invalid)
   certificates.  Combined, this can be used by attackers to become a
   MITM on server-authenticated TLS sessions.  The problem is mitigated
   since attackers needs to get one certificate per site they want to
   attack, and the attacker reveals his tracks by applying for a
   certificate at the CA.  It does not apply to client authenticated TLS
   sessions.  Research presented independently by Dan Kaminsky and Moxie
   Marlinspike at BlackHat09.  Thanks to Tomas Hoger <thoger@redhat.com>
   for providing one part of the patch.  [GNUTLS-SA-2009-4].

   ** libgnutls: Fix return value of gnutls_certificate_client_get_request_sta=
   tus.
   Before it always returned false.  Reported by Peter Hendrickson
   <pdh@wiredyne.com> in
   <http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3668>.

   ** libgnutls: Fix off-by-one size computation error in unknown DN printing.
   The error resulted in truncated strings when printing unknown OIDs in
   X.509 certificate DNs.  Reported by Tim Kosse
   <tim.kosse@filezilla-project.org> in
   <http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3651>.

   ** libgnutls: Return correct bit lengths of some MPIs.
   gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and
   gnutls_dh_get_peers_public_bits.  Before the reported value was
   overestimated.  Reported by Peter Hendrickson <pdh@wiredyne.com> in
   <http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3607>.

   ** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN.
   Report and patch by Tim Kosse <tim.kosse@filezilla-project.org> in
   <http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3671>
   and
   <http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3670>.

   ** libgnutls: Relax checking of required libtasn1/libgcrypt versions.
   Before we required that the runtime library used the same (or more
   recent) libgcrypt/libtasn1 as it was compiled with.  Now we just check
   that the runtime usage is above the minimum required.  Reported by
   Marco d'Itri <md@linux.it> via Andreas Metzler
   <ametzler@downhill.at.eu.org> in <http://bugs.debian.org/540449>.

   ** minitasn1: Internal copy updated to libtasn1 v2.3.

   ** tests: Fix failure in "chainverify" because a certificate have expired.

   ** API and ABI modifications:
   No changes since last version.


   To generate a diff of this commit:
   cvs rdiff -u -r1.85 -r1.86 pkgsrc/security/gnutls/Makefile
   cvs rdiff -u -r1.59 -r1.60 pkgsrc/security/gnutls/distinfo
   cvs rdiff -u -r1.1 -r1.2 pkgsrc/security/gnutls/patches/patch-ak \
       pkgsrc/security/gnutls/patches/patch-al

Revision 1.86 / (download) - annotate - [select for diffs], Thu Aug 13 18:56:32 2009 UTC (13 years, 7 months ago) by snj
Branch: MAIN
CVS Tags: pkgsrc-2009Q3-base, pkgsrc-2009Q3
Changes since 1.85: +2 -3 lines
Diff to previous 1.85 (colored)

Update to 2.8.3.  Changes:

* Version 2.8.3 (released 2009-08-13)

** libgnutls: Fix patch for NUL in CN/SAN in last release.
Code intended to be removed would lead to an read-out-bound error in
some situations.  Reported by Tomas Hoger <thoger@redhat.com>.  A CVE
code have been allocated for the vulnerability: [CVE-2009-2730].

** libgnutls: Fix rare failure in gnutls_x509_crt_import.
The function may fail incorrectly when an earlier certificate was
imported to the same gnutls_x509_crt_t structure.

** libgnutls-extra, libgnutls-openssl: Fix MinGW cross-compiling build
error.

** tests: Made self-test mini-eagain take less time.

** doc: Typo fixes.

** API and ABI modifications:
No changes since last version.

* Version 2.8.2 (released 2009-08-10)

** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields.
By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS
into 1) not printing the entire CN/SAN field value when printing a
certificate and 2) cause incorrect positive matches when matching a
hostname against a certificate.  Some CAs apparently have poor
checking of CN/SAN values and issue these (arguable invalid)
certificates.  Combined, this can be used by attackers to become a
MITM on server-authenticated TLS sessions.  The problem is mitigated
since attackers needs to get one certificate per site they want to
attack, and the attacker reveals his tracks by applying for a
certificate at the CA.  It does not apply to client authenticated TLS
sessions.  Research presented independently by Dan Kaminsky and Moxie
Marlinspike at BlackHat09.  Thanks to Tomas Hoger <thoger@redhat.com>
for providing one part of the patch.  [GNUTLS-SA-2009-4].

** libgnutls: Fix return value of gnutls_certificate_client_get_request_status.
Before it always returned false.  Reported by Peter Hendrickson
<pdh@wiredyne.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3668>.

** libgnutls: Fix off-by-one size computation error in unknown DN printing.
The error resulted in truncated strings when printing unknown OIDs in
X.509 certificate DNs.  Reported by Tim Kosse
<tim.kosse@filezilla-project.org> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3651>.

** libgnutls: Return correct bit lengths of some MPIs.
gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and
gnutls_dh_get_peers_public_bits.  Before the reported value was
overestimated.  Reported by Peter Hendrickson <pdh@wiredyne.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3607>.

** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN.
Report and patch by Tim Kosse <tim.kosse@filezilla-project.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3671>
and
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3670>.

** libgnutls: Relax checking of required libtasn1/libgcrypt versions.
Before we required that the runtime library used the same (or more
recent) libgcrypt/libtasn1 as it was compiled with.  Now we just check
that the runtime usage is above the minimum required.  Reported by
Marco d'Itri <md@linux.it> via Andreas Metzler
<ametzler@downhill.at.eu.org> in <http://bugs.debian.org/540449>.

** minitasn1: Internal copy updated to libtasn1 v2.3.

** tests: Fix failure in "chainverify" because a certificate have expired.

** API and ABI modifications:
No changes since last version.

Revision 1.85 / (download) - annotate - [select for diffs], Wed Jul 22 16:50:07 2009 UTC (13 years, 8 months ago) by drochner
Branch: MAIN
Changes since 1.84: +5 -1 lines
Diff to previous 1.84 (colored)

disable the openssl compatibility library -- no pkg I know of needs
it, and it only has a potential to conflict with the real openssl
(bad things will happen if a program links or dlopen()s both)
bump PKGREVISION
(the bug fixed in the added patches is already fixed upstream, will
be in the next release)

Revision 1.84 / (download) - annotate - [select for diffs], Sat Jul 18 10:32:32 2009 UTC (13 years, 8 months ago) by wiz
Branch: MAIN
Changes since 1.83: +3 -3 lines
Diff to previous 1.83 (colored)

Update to 2.8.1:

* Version 2.8.1 (released 2009-06-10)

** libgnutls: Fix crash in gnutls_global_init after earlier init/deinit cycle.
Forwarded by Martin von Gagern <Martin.vGagern@gmx.net> from
<http://bugs.gentoo.org/272388>.

** libgnutls: Fix PKCS#12 decryption from password.
The encryption key derived from the password was incorrect for (on
average) 1 in every 128 input for random inputs.  Reported by "Kukosa,
Tomas" <tomas.kukosa@siemens-enterprise.com> in
<http://permalink.gmane.org/gmane.network.gnutls.general/1663>.

** API and ABI modifications:
No changes since last version.

Revision 1.83 / (download) - annotate - [select for diffs], Tue Jun 9 18:56:37 2009 UTC (13 years, 9 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2009Q2-base
Branch point for: pkgsrc-2009Q2
Changes since 1.82: +2 -3 lines
Diff to previous 1.82 (colored)

Update to 2.8.0:

* Version 2.8.0 (released 2009-05-27)

** doc: Fix gnutls_dh_get_prime_bits.  Fix error codes and algorithm lists.

** Major changes compared to the v2.4 branch:

*** lib: Linker version scripts reduces number of exported symbols.

*** lib: Limit exported symbols on systems without LD linker scripts.

*** libgnutls: Fix namespace issue with version symbols.

*** libgnutls: Add functions to verify a hash against a certificate.
gnutls_x509_crt_verify_hash: ADDED
gnutls_x509_crt_get_verify_algorithm: ADDED

*** gnutls-serv: Listen on all interfaces, including both IPv4 and IPv6.

*** i18n: The GnuTLS gettext domain is now 'libgnutls' instead of 'gnutls'.

*** certtool: Query for multiple dnsName subjectAltName in interactive mode.

*** gnutls-cli: No longer accepts V1 CAs by default during X.509 chain verify.

*** gnutls-serv: No longer disable MAC padding by default.

*** gnutls-cli: Certificate information output format changed.

*** libgnutls: New priority strings %VERIFY_ALLOW_SIGN_RSA_MD5
*** and %VERIFY_ALLOW_X509_V1_CA_CRT.

*** libgnutls: gnutls_x509_crt_print prints signature algorithm in oneline mode.

*** libgnutls: gnutls_openpgp_crt_print supports oneline mode.

*** libgnutls: gnutls_handshake when sending client hello during a
rehandshake, will not offer a version number larger than the current.

*** libgnutls: New interface to get key id for certificate requests.
gnutls_x509_crq_get_key_id: ADDED.

*** libgnutls: gnutls_x509_crq_print will now also print public key id.

*** certtool: --verify-chain now prints results of using library verification.

*** libgnutls: Libgcrypt initialization changed.

*** libgnutls: Small byte reads via gnutls_record_recv() optimized.

*** gnutls-cli: Return non-zero exit code on error conditions.

*** gnutls-cli: Corrected bug which caused a rehandshake request to be ignored.

*** certtool: allow setting arbitrary key purpose object identifiers.

*** libgnutls: Change detection of when to use a linker version script.
Use --enable-ld-version-script or --disable-ld-version-script to
override auto-detection logic.

*** Fix warnings and build GnuTLS with more warnings enabled.

*** New API to set X.509 credentials from PKCS#12 memory structure.
gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED

*** Old libgnutls.m4 and libgnutls-config scripts removed.
Please use pkg-config instead.

*** libgnutls: Added functions to handle CRL extensions.
gnutls_x509_crl_get_authority_key_id: ADDED
gnutls_x509_crl_get_number: ADDED
gnutls_x509_crl_get_extension_oid: ADDED
gnutls_x509_crl_get_extension_info: ADDED
gnutls_x509_crl_get_extension_data: ADDED
gnutls_x509_crl_set_authority_key_id: ADDED
gnutls_x509_crl_set_number: ADDED

*** libgnutls: Added functions to handle X.509 extensions in Certificate
Requests.
gnutls_x509_crq_get_key_rsa_raw: ADDED
gnutls_x509_crq_get_attribute_info: ADDED
gnutls_x509_crq_get_attribute_data: ADDED
gnutls_x509_crq_get_extension_info: ADDED
gnutls_x509_crq_get_extension_data: ADDED
gnutls_x509_crq_get_key_usage: ADDED
gnutls_x509_crq_get_basic_constraints: ADDED
gnutls_x509_crq_get_subject_alt_name: ADDED
gnutls_x509_crq_get_subject_alt_othername_oid: ADDED
gnutls_x509_crq_get_extension_by_oid: ADDED
gnutls_x509_crq_set_subject_alt_name: ADDED
gnutls_x509_crq_set_basic_constraints: ADDED
gnutls_x509_crq_set_key_usage: ADDED
gnutls_x509_crq_get_key_purpose_oid: ADDED
gnutls_x509_crq_set_key_purpose_oid: ADDED
gnutls_x509_crq_print: ADDED
gnutls_x509_crt_set_crq_extensions: ADDED

*** certtool: Print and set CRL and CRQ extensions.

*** minitasn1: Internal copy updated to libtasn1 v2.1.

*** examples: Now released into the public domain.

*** The Texinfo and GTK-DOC manuals were improved.

*** Several self-tests were added and others improved.

*** API/ABI changes in GnuTLS 2.8 compared to GnuTLS 2.6.x
No offically supported interfaces have been modified or removed.  The
library should be completely backwards compatible on both the source
and binary level.

The shared library no longer exports some symbols that have never been
officially supported, i.e., not mentioned in any of the header files.
The symbols are:

  _gnutls*
  gnutls_asn1_tab

Normally when symbols are removed, the shared library version has to
be incremented.  This leads to a significant cost for everyone using
the library.  Because none of the above symbols have ever been
intended for use by well-behaved applications, we decided that the it
would be better for those applications to pay the price rather than
incurring problems on the majority of applications.

If it turns out that applications have been using unofficial
interfaces, we will need to release a follow-on release on the v2.8
branch to exports additional interfaces.  However, initial testing
suggests that few if any applications have been using any of the
internal symbols.

Although not a new change compared to 2.6.x, we'd like to remind you
interfaces have been modified so that X.509 chain verification now
also checks activation/expiration times on certificates.  The affected
functions are:

gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times.
gnutls_certificate_verify_peers: Likewise.
gnutls_certificate_verify_peers2: Likewise.
GNUTLS_CERT_NOT_ACTIVATED: ADDED.
GNUTLS_CERT_EXPIRED: ADDED.
GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED.

This change in behaviour was made during the GnuTLS 2.6.x cycle, and
we gave our rationale for it in earlier release notes.

The following symbols have been added to the library:

gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED
gnutls_x509_crl_get_authority_key_id: ADDED
gnutls_x509_crl_get_extension_data: ADDED
gnutls_x509_crl_get_extension_info: ADDED
gnutls_x509_crl_get_extension_oid: ADDED
gnutls_x509_crl_get_number: ADDED
gnutls_x509_crl_set_authority_key_id: ADDED
gnutls_x509_crl_set_number: ADDED
gnutls_x509_crq_get_attribute_data: ADDED
gnutls_x509_crq_get_attribute_info: ADDED
gnutls_x509_crq_get_basic_constraints: ADDED
gnutls_x509_crq_get_extension_by_oid: ADDED
gnutls_x509_crq_get_extension_data: ADDED
gnutls_x509_crq_get_extension_info: ADDED
gnutls_x509_crq_get_key_id: ADDED.
gnutls_x509_crq_get_key_purpose_oid: ADDED
gnutls_x509_crq_get_key_rsa_raw: ADDED
gnutls_x509_crq_get_key_usage: ADDED
gnutls_x509_crq_get_subject_alt_name: ADDED
gnutls_x509_crq_get_subject_alt_othername_oid: ADDED
gnutls_x509_crq_print: ADDED
gnutls_x509_crq_set_basic_constraints: ADDED
gnutls_x509_crq_set_key_purpose_oid: ADDED
gnutls_x509_crq_set_key_usage: ADDED
gnutls_x509_crq_set_subject_alt_name: ADDED
gnutls_x509_crt_get_verify_algorithm: ADDED
gnutls_x509_crt_set_crq_extensions: ADDED
gnutls_x509_crt_verify_hash: ADDED

The following interfaces have been added to the header files:

GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_VERSION.
GNUTLS_VERSION_MAJOR: ADDED, replaces LIBGNUTLS_VERSION_MAJOR.
GNUTLS_VERSION_MINOR: ADDED, replaces LIBGNUTLS_VERSION_MINOR.
GNUTLS_VERSION_PATCH: ADDED, replaces LIBGNUTLS_VERSION_PATCH.
GNUTLS_VERSION_NUMBER: ADDED, replaces LIBGNUTLS_VERSION_NUMBER.
GNUTLS_EXTRA_VERSION: ADDED, replaces LIBGNUTLS_EXTRA_VERSION.

The following interfaces have been deprecated:

LIBGNUTLS_VERSION: DEPRECATED.
LIBGNUTLS_VERSION_MAJOR: DEPRECATED.
LIBGNUTLS_VERSION_MINOR: DEPRECATED.
LIBGNUTLS_VERSION_PATCH: DEPRECATED.
LIBGNUTLS_VERSION_NUMBER: DEPRECATED.
LIBGNUTLS_EXTRA_VERSION: DEPRECATED.

* Version 2.7.14 (released 2009-05-26)

** libgnutls: Fix namespace issue with version symbol for libgnutls-extra.
The symbol LIBGNUTLS_EXTRA_VERSION were renamed to
GNUTLS_EXTRA_VERSION.  The old symbol will continue to work but is
deprecated.

** Doc: Several typo fixes in documentation.
Reported by Peter Hendrickson <pdh@wiredyne.com>.

** API and ABI modifications:
GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_EXTRA_VERSION.
LIBGNUTLS_EXTRA_VERSION: DEPRECATED.

* Version 2.7.13 (released 2009-05-25)

** libgnutls: Fix version of some exported symbols in the shared library.
Reported by Andreas Metzler <ametzler@downhill.at.eu.org> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3576>.

** tests: Handle recently expired certificates in chainverify self-test.
Reported by Andreas Metzler <ametzler@downhill.at.eu.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3580>.

** API and ABI modifications:
No changes since last version.

* Version 2.7.12 (released 2009-05-20)

** gnutls-serv, gnutls-cli-debug: Make them work on Windows.

** tests/crq_key_id: Don't read entropy from /dev/random in self-test.
Reported by Andreas Metzler <ametzler@downhill.at.eu.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3570>.

** Fix build failures.
Missing sa_family_t and vsnprintf on IRIX.  Reported by "Tom
G. Christensen" <tgc@jupiterrise.com> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3571>.

** minitasn1: Internal copy updated to libtasn1 v2.2.
GnuTLS should work fine with libtasn1 v1.x and that is still
supported.

** API and ABI modifications:
No changes since last version.

* Version 2.7.11 (released 2009-05-18)

** minitasn1: Fix build failure when using internal libtasn1.
Reported by "Tom G. Christensen" <tgc@jupiterrise.com> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3548>.

** libgnutls: Fix build failure with --disable-cxx.
Reported by Andreas Metzler <ametzler@downhill.at.eu.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3557>.

** gnutls-serv: Fix build failure for unportable NI_MAXHOST/NI_MAXSERV.
Reported by "Tom G. Christensen" <tgc@jupiterrise.com> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3560>

** Building with many warning flags now requires --enable-gcc-warnings.
This avoids crying wolf for normal compiles.

** API and ABI modifications:
No changes since last version.

* Version 2.7.10 (released 2009-05-13)

** examples: Now released into the public domain.
This makes the license of the example code compatible with more
licenses, including the (L)GPL.

** minitasn1: Internal copy updated to libtasn1 v2.1.
GnuTLS should work fine with libtasn1 v1.x and that is still
supported.

** libgnutls: Fix crash in signature verification
The fix for the CVE-2009-1415 problem wasn't merged completely.

** doc: Fixes for GTK-DOC output.

** API and ABI modifications:
No changes since last version.

* Version 2.7.9 (released 2009-05-11)

** doc: Fix strings in man page of gnutls_priority_init.

** doc: Fix tables of error codes and supported algorithms.

** Fix build failure when cross-compiled using MinGW.

** Fix build failure when LZO is enabled.
Reported by Arfrever Frehtes Taifersar Arahesis
<arfrever.fta@gmail.com> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3522>.

** Fix build failure on systems without AF_INET6, e.g., Solaris 2.6.
Reported by "Tom G. Christensen" <tgc@jupiterrise.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3524>.

** Fix warnings in self-tests.

** API and ABI modifications:
No changes since last version.

* Version 2.7.8 (released 2009-05-03)

** libgnutls: Fix DSA key generation.
Merged from stable branch.  [GNUTLS-SA-2009-2] [CVE-2009-1416]

** libgnutls: Check expiration/activation time on untrusted certificates.
Merged from stable branch.  Reported by Romain Francoise
<romain@orebokech.com>.  This changes the semantics of
gnutls_x509_crt_list_verify, which in turn is used by
gnutls_certificate_verify_peers and gnutls_certificate_verify_peers2.
We add two new gnutls_certificate_status_t codes for reporting the new
error condition, GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED.
We also add a new gnutls_certificate_verify_flags flag,
GNUTLS_VERIFY_DISABLE_TIME_CHECKS, that can be used to disable the new
behaviour.  [GNUTLS-SA-2009-3] [CVE-2009-1417]

** lib: Linker version scripts reduces number of exported symbols.
The linker version script now lists all exported ABIs explicitly, to
avoid accidentally exporting unintended functions.  Compared to
before, most symbols beginning with _gnutls* are no longer exported.
These functions have never been intended for use by applications, and
there were no prototypes for these function in the public header
files.  Thus we believe it is possible to do this without incrementing
the library ABI version which normally has to be done when removing an
interface.

** lib: Limit exported symbols on systems without LD linker scripts.
Before all symbols were exported.  Now we limit the exported symbols
to (for libgnutls and libgnutls-extra) gnutls* and (for libgnutls)
_gnutls*.  This is a superset of the actual supported ABI, but still
an improvement compared to before.  This is implemented using Libtool
-export-symbols-regex.  It is more portable than linker version
scripts.

** libgnutls: Incremented CURRENT/AGE libtool version to reflect new symbols.
This should have been done in the last release.

** gnutls-serv: Listen on all interfaces, including both IPv4 and IPv6.
Reported by Peter Hendrickson <pdh@wiredyne.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3476>.

** doc: Improved sections for the info manual.
We now follow the advice given by the texinfo manual on which
directory categories to use.  In particular, libgnutls moved from the
'GNU Libraries' section to the 'Software libraries' and the command
line tools moved from 'Network Applications' to 'System
Administration'.

** API and ABI modifications:
gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times.
gnutls_certificate_verify_peers: Likewise.
gnutls_certificate_verify_peers2: Likewise.
GNUTLS_CERT_NOT_ACTIVATED: ADDED.
GNUTLS_CERT_EXPIRED: ADDED.
GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED.

* Version 2.7.7 (released 2009-04-20)

** libgnutls: Applied patch by Cedric Bail to add functions
gnutls_x509_crt_verify_hash() and gnutls_x509_crt_get_verify_algorithm().

** gnutls.pc: Add -ltasn1 to 'pkg-config --libs --static gnutls' output.
Reported by Andreas Metzler <ametzler@downhill.at.eu.org> in
<http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3467>.

** minitasn1: Internal copy updated to libtasn1 v1.8.
GnuTLS is also internally ready to be used with libtasn1 v2.0.

** doc: Fix build failure of errcodes/printlist.
Reported by Roman Bogorodskiy <novel@FreeBSD.org> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3435>.

** i18n: The GnuTLS gettext domain is now 'libgnutls' instead of 'gnutls'.
It is currently only used by the core library.  This will enable a new
domain 'gnutls' for translations of the command line tools.

** Corrected possible memory corruption on signature verification failure.
Reported by Miroslav Kratochvil <exa.exa@gmail.com>

** API and ABI modifications:
gnutls_x509_crt_verify_hash: ADDED
gnutls_x509_crt_get_verify_algorithm: ADDED

* Version 2.7.6 (released 2009-02-27)

** certtool: Query for multiple dnsName subjectAltName in interactive mode.
This applies both to generating certificates and certificate requests.

** pkix.asn: Removed unneeded definitions to reduce memory usage.

** gnutls-cli: No longer accepts V1 CAs by default during X.509 chain verify.
Use --priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT to permit V1 CAs to
be used for chain verification.

** gnutls-serv: No longer disable MAC padding by default.
Use --priority NORMAL:%COMPAT to disable MAC padding again.

** gnutls-cli: Certificate information output format changed.
The tool now uses libgnutls' functions to print certificate
information.  This avoids code duplication.

** libgnutls: New priority strings %VERIFY_ALLOW_SIGN_RSA_MD5
** and %VERIFY_ALLOW_X509_V1_CA_CRT.
They can be used to override the default certificate chain validation
behaviour.

** libgnutls: Added %SSL3_RECORD_VERSION priority string that allows to
specify the client hello message record version. Used to overcome buggy
TLS servers. Report by Martin von Gagern.

** libgnutls: gnutls_x509_crt_print prints signature algorithm in oneline mode.

** libgnutls: gnutls_openpgp_crt_print supports oneline mode.

** doc: Update gnutls-cli and gnutls-serv --help output descriptions.

** API and ABI modifications:
No changes since last version.

* Version 2.7.5 (released 2009-02-06)

** libgnutls: Accept chains where intermediary certs are trusted.
Before GnuTLS needed to validate the entire chain back to a
self-signed certificate.  GnuTLS will now stop looking when it has
found an intermediary trusted certificate.  The new behaviour is
useful when chains, for example, contains a top-level CA, an
intermediary CA signed using RSA-MD5, and an end-entity certificate.
To avoid chain validation errors due to the RSA-MD5 cert, you can
explicitly add the intermediary RSA-MD5 cert to your trusted certs.
The signature on trusted certificates are not checked, so the chain
has a chance to validate correctly.  Reported by "Douglas E. Engert"
<deengert@anl.gov> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3351>.

** libgnutls: result_size in gnutls_hex_encode now holds
the size of the result. Report by John Brooks <special@dereferenced.net>.

** libgnutls: gnutls_handshake when sending client hello during a
rehandshake, will not offer a version number larger than the current.
Reported by Tristan Hill <stan@saticed.me.uk>.

** libgnutls: Permit V1 Certificate Authorities properly.
Before they were mistakenly rejected even though
GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT and/or
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT were supplied.  Reported by
"Douglas E. Engert" <deengert@anl.gov> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3351>.

** API and ABI modifications:
No changes since last version.

* Version 2.7.4 (released 2009-01-07)

** libgnutls: deprecate X.509 validation chains using MD5 and MD2 signatures.
This is a bugfix -- the previous attempt to do this from internal x509
certificate verification procedures did not return the correct value
for certificates using a weak hash.  Reported by Daniel Kahn Gillmor
<dkg@fifthhorseman.net> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3332>,
debugged and patch by Tomas Mraz <tmraz@redhat.com> and Daniel Kahn
Gillmor <dkg@fifthhorseman.net>.

** libgnutls: New interface to get key id for certificate requests.
Patch from David Mar√≠n Carre√Īo <davefx@gmail.com> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3321>.

** libgnutls: gnutls_x509_crq_print will now also print public key id.

** certtool: --verify-chain now prints results of using library verification.
Earlier, certtool --verify-chain used its own validation algorithm
which wasn't guaranteed to give the same result as the libgnutls
internal validation algorithm.  Now this command print a new final
line with header 'Chain verification output:' that contains the result
from using the internal verification algorithm on the same chain.

** tests: Add crq_key_id self-test of gnutls_x509_crq_get_key_id.

** API and ABI modifications:
gnutls_x509_crq_get_key_id: ADDED.

* Version 2.7.3 (released 2008-12-10)

** libgnutls: Fix chain verification for chains that ends with RSA-MD2 CAs.
Reported by Michael Kiefer <Michael-Kiefer@web.de> in
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507633> forwarded by
Andreas Metzler <ametzler@downhill.at.eu.org> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3309>.

** libgnutls: Libgcrypt initialization changed.
If libgcrypt has not already been initialized, GnuTLS will now
initialize libgcrypt with disabled secure memory.  Initialize
libgcrypt explicitly in your application if you want to enable secure
memory.  Before GnuTLS initialized libgcrypt to use GnuTLS's memory
allocation functions, which doesn't use secure memory, so there is no
real change in behaviour.

** libgnutls: Fix memory leak in PSK authentication.
Reported by Michael Weiser <michael@weiser.dinsnail.net> in
<http://permalink.gmane.org/gmane.network.gnutls.general/1465>.

** libgnutls: Small byte reads via gnutls_record_recv() optimized.

** certtool: Move gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0) call earlier.
It needs to be invoked before libgcrypt is initialized.

** gnutls-cli: Return non-zero exit code on error conditions.

** gnutls-cli: Corrected bug which caused a rehandshake request to be ignored.

** tests: Added chainverify self-test that tests X.509 chain verifications.

** API and ABI modifications:
No changes since last version.

* Version 2.7.2 (released 2008-11-18)

** libgnutls: Fix X.509 certificate chain validation error. [GNUTLS-SA-2008-3]
The flaw makes it possible for man in the middle attackers (i.e.,
active attackers) to assume any name and trick GNU TLS clients into
trusting that name.  Thanks for report and analysis from Martin von
Gagern <Martin.vGagern@gmx.net>.  [CVE-2008-4989]

Any updates with more details about this vulnerability will be added
to <http://www.gnu.org/software/gnutls/security.html>

** libgnutls: Fix namespace issue with version symbols.
The symbols LIBGNUTLS_VERSION, LIBGNUTLS_VERSION_MAJOR,
LIBGNUTLS_VERSION_MINOR, LIBGNUTLS_VERSION_PATCH, and
LIBGNUTLS_VERSION_NUMBER were renamed to GNUTLS_VERSION_NUMBER,
GNUTLS_VERSION_MAJOR, GNUTLS_VERSION_MINOR, GNUTLS_VERSION_PATCH, and
GNUTLS_VERSION_NUMBER respectively.  The old symbols will continue to
work but are deprecated.

** certtool: allow setting arbitrary key purpose object identifiers.

** libgnutls: Fix detection of C99 macros, to make debug logging work again.

** libgnutls: Add missing prototype for gnutls_srp_set_prime_bits.
Reported by Kevin Quick <quick@sparq.org> in
<https://savannah.gnu.org/support/index.php?106454>.

** libgnutls-extra: Make building with LZO compression work again.
Build failure reported by Arfrever Frehtes Taifersar Arahesis
<arfrever.fta@gmail.com> in
<http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3194>.

** libgnutls: Change detection of when to use a linker version script.
Use --enable-ld-version-script or --disable-ld-version-script to
override auto-detection logic.

** doc: Change license on the manual to GFDLv1.3+.

** doc: GTK-DOC fixes for new splitted configuration system.

** doc: Texinfo stylesheet uses white background.

** tests: Add cve-2008-4989.c self-test.
Tests regressions of the GNUTLS-SA-2008-3 security problem, and the
follow-on problem with crashes on length 1 certificate chains.

** gnulib: Deprecated modules removed.
Modules include memchr and memcmp.

** Fix warnings and build GnuTLS with more warnings enabled.

** minitasn1: Internal copy updated to libtasn1 v1.7.

** API and ABI modifications:
gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED
GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_VERSION.
GNUTLS_VERSION_MAJOR: ADDED, replaces LIBGNUTLS_VERSION_MAJOR.
GNUTLS_VERSION_MINOR: ADDED, replaces LIBGNUTLS_VERSION_MINOR.
GNUTLS_VERSION_PATCH: ADDED, replaces LIBGNUTLS_VERSION_PATCH.
GNUTLS_VERSION_NUMBER: ADDED, replaces LIBGNUTLS_VERSION_NUMBER.
LIBGNUTLS_VERSION: DEPRECATED.
LIBGNUTLS_VERSION_MAJOR: DEPRECATED.
LIBGNUTLS_VERSION_MINOR: DEPRECATED.
LIBGNUTLS_VERSION_PATCH: DEPRECATED.
LIBGNUTLS_VERSION_NUMBER: DEPRECATED.

* Version 2.7.1 (released 2008-10-31)

** certtool: print a PKCS #8 key even if it is not encrypted.

** Old libgnutls.m4 and libgnutls-config scripts removed.
Please use pkg-config instead.

** Configuration system modified.
There is now a configure script in lib/ and libextra/ as well, because
gnulib works better with a config.h per gnulib directory.

** API and ABI modifications:
No changes since last version.

* Version 2.7.0 (released 2008-10-16)

** libgnutls: Added functions to handle CRL extensions.

** libgnutls: Added functions to handle X.509 extensions in Certificate
Requests.

** libgnutls: Improved error string for GNUTLS_E_AGAIN.
Suggested by "Lavrentiev, Anton (NIH/NLM/NCBI) [C]" <lavr@ncbi.nlm.nih.gov>.

** certtool: Print and set CRL and CRQ extensions.

** libgnutls-extra: Protect internal symbols with static.
Fixes problem when linking certtool statically.  Tiny patch from Aaron
Ucko <ucko@ncbi.nlm.nih.gov>.

** libgnutls-openssl: fix out of bounds access.
Problem in X509_get_subject_name and X509_get_issuer_name.  Tiny patch
from Thomas Viehmann <tv@beamnet.de>.

** libgnutlsxx: Define server_session::get_srp_username even if no SRP.

** tests: Make tests compile when using internal libtasn1.
Patch by ludo@gnu.org (Ludovic Courtès).

** Changed detection of libtasn1 and libgcrypt to avoid depending on *-config.
We now require a libgcrypt that has Camellia constants declared in
gcrypt.h, which means v1.3.0 or later.

** API and ABI modifications:
gnutls_x509_crl_get_authority_key_id: ADDED
gnutls_x509_crl_get_number: ADDED
gnutls_x509_crl_get_extension_oid: ADDED
gnutls_x509_crl_get_extension_info: ADDED
gnutls_x509_crl_get_extension_data: ADDED
gnutls_x509_crl_set_authority_key_id: ADDED
gnutls_x509_crl_set_number: ADDED
gnutls_x509_crq_get_key_rsa_raw: ADDED
gnutls_x509_crq_get_attribute_info: ADDED
gnutls_x509_crq_get_attribute_data: ADDED
gnutls_x509_crq_get_extension_info: ADDED
gnutls_x509_crq_get_extension_data: ADDED
gnutls_x509_crq_get_key_usage: ADDED
gnutls_x509_crq_get_basic_constraints: ADDED
gnutls_x509_crq_get_subject_alt_name: ADDED
gnutls_x509_crq_get_subject_alt_othername_oid: ADDED
gnutls_x509_crq_get_extension_by_oid: ADDED
gnutls_x509_crq_set_subject_alt_name: ADDED
gnutls_x509_crq_set_basic_constraints: ADDED
gnutls_x509_crq_set_key_usage: ADDED
gnutls_x509_crq_get_key_purpose_oid: ADDED
gnutls_x509_crq_set_key_purpose_oid: ADDED
gnutls_x509_crq_print: ADDED
gnutls_x509_crt_set_crq_extensions: ADDED

Revision 1.82 / (download) - annotate - [select for diffs], Wed May 20 00:58:26 2009 UTC (13 years, 10 months ago) by wiz
Branch: MAIN
Changes since 1.81: +2 -1 lines
Diff to previous 1.81 (colored)

Recursive ABI depends update and PKGREVISION bump for readline-6.0 shlib
major change.

Reported by Robert Elz in PR 41345.

Revision 1.81 / (download) - annotate - [select for diffs], Tue May 19 08:59:31 2009 UTC (13 years, 10 months ago) by wiz
Branch: MAIN
Changes since 1.80: +1 -2 lines
Diff to previous 1.80 (colored)

Use standard location for LICENSE line (in MAINTAINER/HOMEPAGE/COMMENT
block). Uncomment some commented out LICENSE lines while here.

Revision 1.77.2.1 / (download) - annotate - [select for diffs], Wed May 6 09:34:11 2009 UTC (13 years, 10 months ago) by spz
Branch: pkgsrc-2009Q1
Changes since 1.77: +8 -9 lines
Diff to previous 1.77 (colored) next main 1.78 (colored)

Pullup ticket 2756 - requested by tnn
Security fix

Revisions pulled up:
- pkgsrc/security/gnutls/Makefile		1.80
- pkgsrc/security/gnutls/distinfo		1.54

   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Mon Apr 20 13:11:57 UTC 2009

   Modified Files:
   	pkgsrc/security/gnutls: Makefile distinfo

   Log Message:
   Update to 2.6.5. Update commented out LICENSE (needs two).

   * Version 2.6.5 (released 2009-04-11)

   ** libgnutls: Added %SSL3_RECORD_VERSION priority string that allows to
   specify the client hello message record version. Used to overcome buggy
   TLS servers. Report by Martin von Gagern.

   ** GnuTLS no longer uses the libtasn1-config script to find libtasn1.
   Libtasn1 0.3.4 or later is required.  This is to align with the
   upcoming libtasn1 v2.0 release that doesn't have a libtasn1-script.

   ** API and ABI modifications:
   No changes since last version.


   To generate a diff of this commit:
   cvs rdiff -u -r1.77 -r1.78 pkgsrc/security/gnutls/Makefile
   cvs rdiff -u -r1.52 -r1.53 pkgsrc/security/gnutls/distinfo


   Module Name:	pkgsrc
   Committed By:	zafer
   Date:		Fri May  1 13:49:07 UTC 2009

   Modified Files:
   	pkgsrc/security/gnutls: Makefile

   Log Message:
   replace non working mirrors with working ones.


   To generate a diff of this commit:
   cvs rdiff -u -r1.78 -r1.79 pkgsrc/security/gnutls/Makefile


   Module Name:	pkgsrc
   Committed By:	tnn
   Date:		Sat May  2 20:04:33 UTC 2009

   Modified Files:
   	pkgsrc/security/gnutls: Makefile distinfo

   Log Message:
   Update to gnutls-2.6.6.

   * Version 2.6.6 (released 2009-04-30)

   libgnutls: Corrected double free on signature verification failure.
     Reported by Miroslav Kratochvil.  See the advisory
     for more details.  [GNUTLS-SA-2009-1] [CVE-2009-1415]

   libgnutls: Fix DSA key generation.
     Noticed when investigating the previous GNUTLS-SA-2009-1 problem.  All
     DSA keys generated using GnuTLS 2.6.x are corrupt.  See the advisory
     for more details.  [GNUTLS-SA-2009-2] [CVE-2009-1416]


   To generate a diff of this commit:
   cvs rdiff -u -r1.79 -r1.80 pkgsrc/security/gnutls/Makefile
   cvs rdiff -u -r1.53 -r1.54 pkgsrc/security/gnutls/distinfo

Revision 1.80 / (download) - annotate - [select for diffs], Sat May 2 20:04:32 2009 UTC (13 years, 10 months ago) by tnn
Branch: MAIN
Changes since 1.79: +2 -2 lines
Diff to previous 1.79 (colored)

Update to gnutls-2.6.6.

* Version 2.6.6 (released 2009-04-30)

libgnutls: Corrected double free on signature verification failure.
  Reported by Miroslav Kratochvil.  See the advisory
  for more details.  [GNUTLS-SA-2009-1] [CVE-2009-1415]

libgnutls: Fix DSA key generation.
  Noticed when investigating the previous GNUTLS-SA-2009-1 problem.  All
  DSA keys generated using GnuTLS 2.6.x are corrupt.  See the advisory
  for more details.  [GNUTLS-SA-2009-2] [CVE-2009-1416]

libgnutls: Check expiration/activation time on untrusted certificates.
  Reported by Romain Francoise.  Before the
  library did not check activation/expiration times on certificates, and
  was documented as not doing so.  We have realized that many
  applications that use libgnutls, including gnutls-cli, fail to perform
  proper checks.  Implementing similar logic in all applications leads
  to code duplication.  Hence, we decided to check whether the current
  time (as reported by the time function) is within the
  activation/expiration period of certificates when verifying untrusted
  certificates.

This changes the semantics of gnutls_x509_crt_list_verify, which in
turn is used by gnutls_certificate_verify_peers and
gnutls_certificate_verify_peers2.  We add two new
gnutls_certificate_status_t codes for reporting the new error
condition, GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED.  We also
add a new gnutls_certificate_verify_flags flag,
GNUTLS_VERIFY_DISABLE_TIME_CHECKS, that can be used to disable the new
behaviour.

API and ABI modifications:
  gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times.
  gnutls_certificate_verify_peers: Likewise.
  gnutls_certificate_verify_peers2: Likewise.
  GNUTLS_CERT_NOT_ACTIVATED: ADDED.
  GNUTLS_CERT_EXPIRED: ADDED.
  GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED.

Revision 1.79 / (download) - annotate - [select for diffs], Fri May 1 13:49:07 2009 UTC (13 years, 10 months ago) by zafer
Branch: MAIN
Changes since 1.78: +2 -3 lines
Diff to previous 1.78 (colored)

replace non working mirrors with working ones.

Revision 1.78 / (download) - annotate - [select for diffs], Mon Apr 20 13:11:57 2009 UTC (13 years, 11 months ago) by wiz
Branch: MAIN
Changes since 1.77: +7 -7 lines
Diff to previous 1.77 (colored)

Update to 2.6.5. Update commented out LICENSE (needs two).

* Version 2.6.5 (released 2009-04-11)

** libgnutls: Added %SSL3_RECORD_VERSION priority string that allows to
specify the client hello message record version. Used to overcome buggy
TLS servers. Report by Martin von Gagern.

** GnuTLS no longer uses the libtasn1-config script to find libtasn1.
Libtasn1 0.3.4 or later is required.  This is to align with the
upcoming libtasn1 v2.0 release that doesn't have a libtasn1-script.

** API and ABI modifications:
No changes since last version.

Revision 1.77 / (download) - annotate - [select for diffs], Sat Feb 21 13:45:31 2009 UTC (14 years, 1 month ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2009Q1-base
Branch point for: pkgsrc-2009Q1
Changes since 1.76: +2 -2 lines
Diff to previous 1.76 (colored)

Update to 2.6.4:

* Version 2.6.4 (released 2009-02-06)

** libgnutls: Accept chains where intermediary certs are trusted.
Before GnuTLS needed to validate the entire chain back to a
self-signed certificate.  GnuTLS will now stop looking when it has
found an intermediary trusted certificate.  The new behaviour is
useful when chains, for example, contains a top-level CA, an
intermediary CA signed using RSA-MD5, and an end-entity certificate.
To avoid chain validation errors due to the RSA-MD5 cert, you can
explicitly add the intermediary RSA-MD5 cert to your trusted certs.
The signature on trusted certificates are not checked, so the chain
has a chance to validate correctly.  Reported by "Douglas E. Engert"
<deengert@anl.gov> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3351>.

** libgnutls: result_size in gnutls_hex_encode now holds
the size of the result. Report by John Brooks <special@dereferenced.net>.

** libgnutls: gnutls_handshake when sending client hello during a
rehandshake, will not offer a version number larger than the current.
Reported by Tristan Hill <stan@saticed.me.uk>.

** libgnutls: Permit V1 Certificate Authorities properly.
Before they were mistakenly rejected even though
GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT and/or
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT were supplied.  Reported by
"Douglas E. Engert" <deengert@anl.gov> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3351>.

** libgnutls: deprecate X.509 validation chains using MD5 and MD2 signatures.
This is a bugfix -- the previous attempt to do this from internal x509
certificate verification procedures did not return the correct value
for certificates using a weak hash.  Reported by Daniel Kahn Gillmor
<dkg@fifthhorseman.net> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3332>,
debugged and patch by Tomas Mraz <tmraz@redhat.com> and Daniel Kahn
Gillmor <dkg@fifthhorseman.net>.

** libgnutls: Fix compile error with Sun CC.
Reported by Jeff Cai <jeff.cai@sun.com> in
<https://savannah.gnu.org/support/?106549>.

Revision 1.76 / (download) - annotate - [select for diffs], Fri Dec 19 15:43:20 2008 UTC (14 years, 3 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2008Q4-base, pkgsrc-2008Q4
Changes since 1.75: +2 -2 lines
Diff to previous 1.75 (colored)

Changes 2.6.3
* gnutls: Fix chain verification for chains that ends with RSA-MD2 CAs.
* gnutls: Fix memory leak in PSK authentication.
* certtool: Move gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0) call earlier.
  It needs to be invoked before libgcrypt is initialized.
* gnutls-cli: Return non-zero exit code on error conditions.
* gnutls-cli: Corrected bug which caused a rehandshake request to be ignored.

Revision 1.75 / (download) - annotate - [select for diffs], Sat Nov 15 23:02:09 2008 UTC (14 years, 4 months ago) by wiz
Branch: MAIN
Changes since 1.74: +5 -6 lines
Diff to previous 1.74 (colored)

Update to 2.6.2:

* Version 2.6.2 (released 2008-11-12)

** libgnutls: Fix crash in X.509 validation code for self-signed certificates.
The patch to fix the security problem GNUTLS-SA-2008-3 introduced a
problem for certificate chains that contained just one self-signed
certificate.  Reported by Michael Meskes <meskes@debian.org> in
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505279>.

** API and ABI modifications:
No changes since last version.

Revision 1.74 / (download) - annotate - [select for diffs], Mon Nov 10 17:33:20 2008 UTC (14 years, 4 months ago) by wiz
Branch: MAIN
Changes since 1.73: +2 -2 lines
Diff to previous 1.73 (colored)

Update to 2.6.1:

* Version 2.6.1 (released 2008-11-10)

** libgnutls: Fix X.509 certificate chain validation error. [GNUTLS-SA-2008-3]
The flaw makes it possible for man in the middle attackers (i.e.,
active attackers) to assume any name and trick GNU TLS clients into
trusting that name.  Thanks for report and analysis from Martin von
Gagern <Martin.vGagern@gmx.net>.  [CVE-2008-4989]

Any updates with more details about this vulnerability will be added
to <http://www.gnu.org/software/gnutls/security.html>

** libgnutls: Add missing prototype for gnutls_srp_set_prime_bits.
Reported by Kevin Quick <quick@sparq.org> in
<https://savannah.gnu.org/support/index.php?106454>.

** libgnutls-extra: Protect internal symbols with static.
Fixes problem when linking certtool statically.  Tiny patch from Aaron
Ucko <ucko@ncbi.nlm.nih.gov>.

** libgnutls-openssl: Fix patch against X509_get_issuer_name.
It incorrectly returned the subject DN instead of issuer DN in v2.6.0.
Thanks to Thomas Viehmann <tv@beamnet.de> for report.

** certtool: Print a PKCS #8 key even if it is not encrypted.

** tests: Make tests compile when using internal libtasn1.
Patch by ludo@gnu.org (Ludovic Courtès).

** API and ABI modifications:
No changes since last version.

Revision 1.73 / (download) - annotate - [select for diffs], Sat Oct 18 11:55:11 2008 UTC (14 years, 5 months ago) by adam
Branch: MAIN
Changes since 1.72: +2 -3 lines
Diff to previous 1.72 (colored)

Changes 2.6.0:
* libgnutls: Correct printing and parsing of IPv6 addresses.
* libgnutls-openssl: fix out of bounds access.
* certtool: Use inet_pton for parsing IPv6 addresses.
* Added API to replace and update the crypto backend.
* certtool: can add several subject alternative names via template file.
* opencdk: Parse (but not decrypt) encrypted secret keys.
* more...

Revision 1.72 / (download) - annotate - [select for diffs], Sat Sep 27 23:11:36 2008 UTC (14 years, 5 months ago) by tonnerre
Branch: MAIN
CVS Tags: pkgsrc-2008Q3-base, pkgsrc-2008Q3
Changes since 1.71: +2 -1 lines
Diff to previous 1.71 (colored)

If strverscmp() is not present, gnutls shouldn't export a symbol of the
same name, breaking the builds of libraries trying to both link against
libcurl and use strverscmp(). Bump PKGREVISION.

Fixes PR 39640.

Revision 1.70.4.1 / (download) - annotate - [select for diffs], Mon Aug 18 12:26:48 2008 UTC (14 years, 7 months ago) by rtr
Branch: pkgsrc-2008Q2
Changes since 1.70: +2 -2 lines
Diff to previous 1.70 (colored) next main 1.71 (colored)

pullup ticket #2497 - requested by kefren
gnutls: update package for fixes

revisions pulled up:
pkgsrc/security/gnutls/Makefile		1.71
pkgsrc/security/gnutls/PLIST		1.32
pkgsrc/security/gnutls/distinfo		1.45
pkgsrc/security/gnutls/patches/patch-ad	r0

   Module Name:    pkgsrc
   Committed By:   kefren
   Date:           Wed Jul 30 17:17:21 UTC 2008

   Modified Files:
           pkgsrc/security/gnutls: Makefile PLIST distinfo
   Removed Files:
           pkgsrc/security/gnutls/patches: patch-ad

   Log Message:
   update to gnutls-2.4.1

   Changes:

   ** libgnutls: Fix local crash in gnutls_handshake. [GNUTLS-SA-2008-2]
   ** libgnutls: Fix memory leaks when doing a re-handshake.
   ** Fix compiler warnings.
   ** Fix ordering of -I's to avoid opencdk.h conflict with system headers.
   ** srptool: Fix a problem where --verify check does not succeed.

Revision 1.71 / (download) - annotate - [select for diffs], Wed Jul 30 17:17:21 2008 UTC (14 years, 7 months ago) by kefren
Branch: MAIN
CVS Tags: cube-native-xorg-base, cube-native-xorg
Changes since 1.70: +2 -2 lines
Diff to previous 1.70 (colored)

update to gnutls-2.4.1

Changes:

** libgnutls: Fix local crash in gnutls_handshake. [GNUTLS-SA-2008-2]
** libgnutls: Fix memory leaks when doing a re-handshake.
** Fix compiler warnings.
** Fix ordering of -I's to avoid opencdk.h conflict with system headers.
** srptool: Fix a problem where --verify check does not succeed.

Revision 1.70 / (download) - annotate - [select for diffs], Sat May 24 04:59:59 2008 UTC (14 years, 10 months ago) by obache
Branch: MAIN
CVS Tags: pkgsrc-2008Q2-base, cwrapper
Branch point for: pkgsrc-2008Q2
Changes since 1.69: +3 -3 lines
Diff to previous 1.69 (colored)

Require libgcrypt>=1.2.2.  Noticed by Steve Bellovin in pkgsrc-users@.
And also require opencdk>=0.6.5.

Revision 1.68.2.1 / (download) - annotate - [select for diffs], Fri May 23 11:39:51 2008 UTC (14 years, 10 months ago) by rtr
Branch: pkgsrc-2008Q1
Changes since 1.68: +2 -2 lines
Diff to previous 1.68 (colored) next main 1.69 (colored)

pullup ticket #2397 - requested by tnn
gnutls: update for security fixes

revisions pulled up:
- pkgsrc/security/gnutls/Makefile	1.69
- pkgsrc/security/gnutls/distinfo	1.44

   Module Name:	pkgsrc
   Committed By:	tnn
   Date:		Thu May 22 13:18:52 UTC 2008

   Modified Files:
   	pkgsrc/security/gnutls: Makefile distinfo

   Log Message:
   Update to gnutls-2.2.5.
   * Version 2.2.5 (released 2008-05-19)
    Fix flaw in fix for GNUTLS-SA-2008-1-3.
   * Version 2.2.4 (released 2008-05-19)
    Fix three security vulnerabilities.  [GNUTLS-SA-2008-1]
    [GNUTLS-SA-2008-1-1]
     libgnutls: Fix crash when sending invalid server name.
    [GNUTLS-SA-2008-1-2]
     libgnutls: Fix crash when sending repeated client hellos.
    [GNUTLS-SA-2008-1-3]
     libgnutls: Fix crash in cipher padding decoding for invalid record
   lengths.
   * Version 2.2.3 (released 2008-05-06)
    Increase default handshake packet size limit to 48kb.
    Fix compilation error related to __FUNCTION__ on some systems.
    Documented the --priority option to gnutls-cli and gnutls-serv.
    Fix fopen file descriptor leak in PSK server code.
    Build Guile code with -fgnu89-inline only when supported.
    Make Camellia encryption work.

Revision 1.69 / (download) - annotate - [select for diffs], Thu May 22 13:18:52 2008 UTC (14 years, 10 months ago) by tnn
Branch: MAIN
Changes since 1.68: +2 -2 lines
Diff to previous 1.68 (colored)

Update to gnutls-2.2.5.
* Version 2.2.5 (released 2008-05-19)
  Fix flaw in fix for GNUTLS-SA-2008-1-3.
* Version 2.2.4 (released 2008-05-19)
  Fix three security vulnerabilities.  [GNUTLS-SA-2008-1]
  [GNUTLS-SA-2008-1-1]
   libgnutls: Fix crash when sending invalid server name.
  [GNUTLS-SA-2008-1-2]
   libgnutls: Fix crash when sending repeated client hellos.
  [GNUTLS-SA-2008-1-3]
   libgnutls: Fix crash in cipher padding decoding for invalid record lengths.
* Version 2.2.3 (released 2008-05-06)
  Increase default handshake packet size limit to 48kb.
  Fix compilation error related to __FUNCTION__ on some systems.
  Documented the --priority option to gnutls-cli and gnutls-serv.
  Fix fopen file descriptor leak in PSK server code.
  Build Guile code with -fgnu89-inline only when supported.
  Make Camellia encryption work.

Revision 1.68 / (download) - annotate - [select for diffs], Thu Mar 6 14:52:12 2008 UTC (15 years ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2008Q1-base
Branch point for: pkgsrc-2008Q1
Changes since 1.67: +2 -2 lines
Diff to previous 1.67 (colored)

Update to 2.2.2:

* Version 2.2.2 (released 2008-02-21)

** Cipher priority string handling now handle strings that starts with NULL.
Thanks to Laurence Withers <l@lwithers.me.uk>.

** Corrected memory leaks in session resuming and DHE ciphersuites. Reported
by Daniel Stenberg.

** Increased the default certificate verification chain limits and allowed
for checks without limitation.

** Corrected the behaviour of gnutls_x509_crt_get_subject_alt_name()
and gnutls_x509_crt_get_subject_alt_name() to not null terminate binary
strings and return the proper size.

** API and ABI modifications:
No changes since last version.

* Version 2.2.1 (released 2008-01-17)

** Prevent linking libextra against previously installed libgnutls.
Tiny patch from "Alon Bar-Lev" <alon.barlev@gmail.com>, see
<http://bugs.gentoo.org/show_bug.cgi?id=202269>.

** Fixes the post_client_hello_function(). The extensions are now parsed
in a callback friendly way.

** Fix for certificate selection in servers with certificate callbacks.

** API and ABI modifications:
No changes since last version.

* Version 2.2.0 (released 2007-12-14)

Major changes compared to the v2.0 branch:

* SRP support aligned with newly published RFC 5054.

* OpenPGP support aligned with newly published RFC 5081.

* Support for DSA2 keys.

* Support for Camellia cipher.

* Support for Opaque PRF Input extension.

* PKCS#8 parser now handle DSA keys.

* Change from GPLv2 to GPLv3 for command-line tools, libgnutls-extra,
etc.  Notice that liblzo2 2.02 is licensed under GPLv2 only.  Earlier
versions, such as 2.01 which is included with GnuTLS, is available under
GPLv2 or later.  If this incompatibility causes problems, we recommend
you to disable LZO using --without-lzo.  LZO compression is not a
standard TLS compression algorithm, so the impact should be minimal.

* Functions for disabling record protocol padding.
Works around bugs on Nokia/Ericsson phones.

* New functions gnutls_priority_set() for setting cipher priorities easily.
Priorities like "COMPAT" also enables other work arounds, such as
disabling padding.

* Other minor improvements and bug fixes.

Minor changes compared to the latest v2.1.8 release candidate:

* Update internal copy of libtasn1 to version 1.2.

* Certtool --verify-chain now handle inputs larger than 64kb.
This fixes the self-test "rsa-md5-collision" under MinGW+Wine with
recent versions of libgcrypt.  The problem was that Wine with the
libgcrypt RNG generates huge amounts of debugging output.

* Translation updates.
Added Dutch translation.  Updated Polish and Swedish translation.

Backwards incompatible API/ABI changes in GnuTLS 2.2
====================================================

To adapt to changes in the TLS extension specifications for OpenPGP
and SRP, the GnuTLS API had to be modified.  This means breaking the
API and ABI backwards compatibility.  That is something we try to
avoid unless it is necessary.  We decided to also remove the already
deprecated stub functions for X.509 to XML conversion and TLS
authorization (see below) when we had the opportunity.

Generally, most applications does not need to be modified.  Just
re-compile them against the latest GnuTLS release, and it should work
fine.

Applications that use the OpenPGP or SRP features needs to be
modified.  Below is a list of the modified APIs and discussion of what
the minimal things you need to modify in your application to make it
work with GnuTLS 2.2.

Note that GnuTLS 2.2 also introduces new APIs -- such as
gnutls_set_priority() that is superior to
gnutls_set_default_priority() -- that you may want to start using.
However, using those new APIs is not required to use GnuTLS 2.2 since
the old functions continue are still supported.  This text only
discuss what you minimally have to modify.

XML related changes
-------------------

The function `gnutls_x509_crt_to_xml' has been removed.  It has been
deprecated and only returned an error code since GnuTLS version
1.2.11.  Nobody has complained, so users doesn't seem to miss the
functionality.  We don't know of any other library to convert X.509
certificates into XML format, but we decided (long ago) that GnuTLS
isn't the right place for this kind of functionality.  If you want
help to find some other library to use here, please explain and
discuss your use case on help-gnutls <at> gnu.org.

TLS Authorization related changes
---------------------------------

Everything related to TLS authorizations have been removed, they were
only stub functions that returned an error code:

 GNUTLS_SUPPLEMENTAL_AUTHZ_DATA
 gnutls_authz_data_format_type_t
 gnutls_authz_recv_callback_func
 gnutls_authz_send_callback_func
 gnutls_authz_enable
 gnutls_authz_send_x509_attr_cert
 gnutls_authz_send_saml_assertion
 gnutls_authz_send_x509_attr_cert_url
 gnutls_authz_send_saml_assertion_url

SRP related changes
-------------------

The callback gnutls_srp_client_credentials_function has a new
prototype, and its semantic has changed.  You need to rewrite the
callback, see the updated function documentation and SRP example code
(doc/examples/ex-client-srp.c and doc/examples/ex-serv-srp.c) for more
information.

The alert codes GNUTLS_A_MISSING_SRP_USERNAME and
GNUTLS_A_UNKNOWN_SRP_USERNAME are no longer used by the SRP
specification, instead the GNUTLS_A_UNKNOWN_PSK_IDENTITY alert is
used.  There are #define's to map the old names to the new.  You may
run into problems if you have a switch-case with cases for both SRP
alerts, since they are now mapped to the same value.  The solution is
to drop the SRP alerts from such switch cases, as they are now
deprecated in favor of GNUTLS_A_UNKNOWN_PSK_IDENTITY.

OpenPGP related changes
-----------------------

The function `gnutls_certificate_set_openpgp_keyserver' have been
removed.  There is no replacement functionality inside GnuTLS.  If you
need keyserver functionality, consider using the GnuPG tools.

All functions, types, and error codes related to OpenPGP trustdb
format have been removed.  The trustdb format is a non-standard
GnuPG-specific format, and we recommend you to use key rings instead.
The following have been removed:
 gnutls_certificate_set_openpgp_trustdb
 gnutls_openpgp_trustdb_init
 gnutls_openpgp_trustdb_deinit
 gnutls_openpgp_trustdb_import
 gnutls_openpgp_key_verify_trustdb
 gnutls_openpgp_trustdb_t
 GNUTLS_E_OPENPGP_TRUSTDB_VERSION_UNSUPPORTED

The following functions has an added parameter of the (new) type
`gnutls_openpgp_crt_fmt_t'.  The type specify the format of the data
(binary or base64).  The functions are:
 gnutls_certificate_set_openpgp_key_file
 gnutls_certificate_set_openpgp_key_mem
 gnutls_certificate_set_openpgp_keyring_mem
 gnutls_certificate_set_openpgp_keyring_file

To improve terminology and align with the X.509 interface, some
functions have been renamed.  Compatibility mappings exists.  The old
and new names of the affected functions and types are:

        Old name                                New name
 gnutls_openpgp_key_t                    gnutls_openpgp_crt_t
 gnutls_openpgp_key_fmt_t                gnutls_openpgp_crt_fmt_t
 gnutls_openpgp_key_status_t             gnutls_openpgp_crt_status_t
 GNUTLS_OPENPGP_KEY                      GNUTLS_OPENPGP_CERT
 GNUTLS_OPENPGP_KEY_FINGERPRINT          GNUTLS_OPENPGP_CERT_FINGERPRINT
 gnutls_openpgp_key_init                 gnutls_openpgp_crt_init
 gnutls_openpgp_key_deinit               gnutls_openpgp_crt_deinit
 gnutls_openpgp_key_import               gnutls_openpgp_crt_import
 gnutls_openpgp_key_export               gnutls_openpgp_crt_export
 gnutls_openpgp_key_get_key_usage        gnutls_openpgp_crt_get_key_usage
 gnutls_openpgp_key_get_fingerprint      gnutls_openpgp_crt_get_fingerprint
 gnutls_openpgp_key_get_pk_algorithm     gnutls_openpgp_crt_get_pk_algorithm
 gnutls_openpgp_key_get_name             gnutls_openpgp_crt_get_name
 gnutls_openpgp_key_get_version          gnutls_openpgp_crt_get_version
 gnutls_openpgp_key_get_creation_time    gnutls_openpgp_crt_get_creation_time
 gnutls_openpgp_key_get_expiration_time  gnutls_openpgp_crt_get_expiration_time
 gnutls_openpgp_key_get_id               gnutls_openpgp_crt_get_id
 gnutls_openpgp_key_check_hostname       gnutls_openpgp_crt_check_hostname
 gnutls_openpgp_send_key                 gnutls_openpgp_send_cert


* Version 2.0.0 (released 2007-09-04)

The following changes have been made since GnuTLS 1.6:

* Support for external RSA/DSA signing for TLS client authentication.
  This allows you to secure the private key better, for example by using
  privilege-separation techniques between the private key and the
  network client/server.

* Support for signing X.509 certificates using RSA with SHA-256/384/512.

* Experimental support for TLS 1.2 (disabled by default).  The TLS 1.2
  specification is not finalized yet, but we implement a draft version
  for testing.

* Support for X.509 Proxy Certificates (RFC 3820)

* Support for Supplemental handshakes messages (RFC 4680).

* Support for TLS authorization extension (draft-housley-tls-authz-extns-07).

* Support for the X.509 'otherName' Subject Altnerative Names (for XMPP).

* Guile bindings for GnuTLS have been added, thanks to Ludovic Courtes.

* Improve logic of gnutls_set_default_priority() which can now be more
  recommended.

* New APIs to enumerate supported algorithms in the library.

* New APIs to access X.509 Certificate extension sequentially.

* New APIs to print X.509 Certificates and CRLs in human readable formats.

* New APIs to extract X.509 Distinguished Names from certificates.

* New APIs to handle pathLenConstraint in X.509 Basic Constraints.

* Certtool can export more than one certificate to PKCS#12.

* Several message translation improvements.

* Instructions and improvements to easily set up a HTTPS test server.

* Included copies updated to Libtasn1 1.1 and OpenCDK 0.6.4.

* Build improvements for Windows, Mac OS X, uClinux, etc.

* GnuTLS is now developed in GIT.

* Improved manual

* Many bugfixes and minor improvements.

Revision 1.67 / (download) - annotate - [select for diffs], Sun Nov 25 23:45:15 2007 UTC (15 years, 3 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2007Q4-base, pkgsrc-2007Q4
Changes since 1.66: +2 -2 lines
Diff to previous 1.66 (colored)

Update to 2.0.4:

* Version 2.0.4 (released 2007-11-16)

** Corrected bug in decompression of expanded compression data.

** API and ABI modifications:
No changes since last version.

Revision 1.66 / (download) - annotate - [select for diffs], Sun Nov 11 19:28:27 2007 UTC (15 years, 4 months ago) by wiz
Branch: MAIN
Changes since 1.65: +3 -2 lines
Diff to previous 1.65 (colored)

Update to 2.0.3:

* Version 2.0.3 (released 2007-11-10)

** This version backports several fixes from the 2.1.x branch.

** Fixed PKCS #3 parameter export.

** Added gnutls_record_disable_padding() to allow servers talking to
buggy clients that complain if the TLS 1.0 record protocol padding is
used.

** Introduced gnutls_session_enable_compatibility_mode() to allow enabling
all supported compatibility options (like disabling padding).

** Corrected bug which did not allow a server to run without supporting
certificates.

** API and ABI modifications:
gnutls_session_enable_compatibility_mode: ADDED
gnutls_record_disable_padding: ADDED

Add LICENSE, commented out; it contains both LGPL-2.1 and GPL2 code.

Revision 1.65 / (download) - annotate - [select for diffs], Tue Oct 23 11:43:56 2007 UTC (15 years, 5 months ago) by wiz
Branch: MAIN
Changes since 1.64: +2 -2 lines
Diff to previous 1.64 (colored)

Update to 2.0.2:

* Version 2.0.2 (released 2007-10-17)

** TLS authorization support removed.
This technique may be patented in the future, and it is not of crucial
importance for the Internet community.  After deliberation we have
concluded that the best thing we can do in this situation is to
encourage society not to adopt this technique.  We have decided to
lead the way with our own actions.

** certtool: Fixed data corruption when using --outder.

** Fix configure-time Guile detection.

** API and ABI modifications:
GNUTLS_SUPPLEMENTAL_USER_MAPPING_DATA: ADDED.  To avoid that the
    gnutls_supplemental_data_format_type_t enum type becomes empty.

* Version 2.0.1 (released 2007-09-20)

** New directory doc/credentials/ with test credentials.
This collects the test credentials from the web page and from src/.
The script gnutls-http-serv has also been moved to that directory.

** Update SRP extension type and cipher suite with official IANA values.
This breaks backwards compatibility with SRP in older versions of
GnuTLS, but this is intentional to speed up the adoption of the
official values.  The old values we used were incorrect.

** Guile: Fix `x509-certificate-dn-oid'

** API and ABI modifications:
No changes since last version.

Revision 1.64 / (download) - annotate - [select for diffs], Thu Sep 6 01:12:33 2007 UTC (15 years, 6 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2007Q3-base, pkgsrc-2007Q3
Changes since 1.63: +2 -2 lines
Diff to previous 1.63 (colored)

Fix typo in comment.

Revision 1.63 / (download) - annotate - [select for diffs], Wed Sep 5 21:51:21 2007 UTC (15 years, 6 months ago) by drochner
Branch: MAIN
Changes since 1.62: +6 -8 lines
Diff to previous 1.62 (colored)

update to 2.0.0
While an update to a .0 version is somehow risky, it finishes the
unfortunate state that the pkgsrc gnutls didn't work with the pkgsrc
opencdk, which I wouldn't like to go into the next stable branch.
Release candidates have worked for me, and there is some time left
before the Q3 branch, so I'm confident.
changes:
* Support for external RSA/DSA signing for TLS client authentication
-many X.509 enhancements
 Support for Supplemental handshakes messages (RFC 4680)
* Support for TLS authorization extension (draft-housley-tls-authz-extns-07)
* Improve logic of gnutls_set_default_priority()
* New APIs to enumerate supported algorithms in the library
* Certtool can export more than one certificate to PKCS#12
* Several message translation improvements
* Improved manual
* Many bugfixes and minor improvements

Revision 1.62 / (download) - annotate - [select for diffs], Wed Jun 6 06:23:58 2007 UTC (15 years, 9 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2007Q2-base, pkgsrc-2007Q2
Changes since 1.61: +6 -3 lines
Diff to previous 1.61 (colored)

Use included opencdk for now, opencdk-0.6.x is not compatible with
gnutls-1.6.x (the stable branch).

No further PKGREVISION bumps necessary, because opencdk caused recursive
PKGREVISION bumps and afterwards gnutls wouldn't build.

Addresses PR pkg/36448.

Revision 1.61 / (download) - annotate - [select for diffs], Tue Jun 5 05:36:59 2007 UTC (15 years, 9 months ago) by wiz
Branch: MAIN
Changes since 1.60: +2 -1 lines
Diff to previous 1.60 (colored)

opencdk shlib major changed; bump ABI depends and PKGREVISIONs of
affected packages.

Revision 1.60 / (download) - annotate - [select for diffs], Fri Jun 1 20:12:44 2007 UTC (15 years, 9 months ago) by wiz
Branch: MAIN
Changes since 1.59: +2 -2 lines
Diff to previous 1.59 (colored)

Update to 1.6.3:

* Version 1.6.3 (released 2007-05-26)

** New API functions to extract DER encoded X.509 Subject/Issuer DN.
Suggested by Nate Nielsen <nielsen-list@memberwebs.com>.  Backported
from the 1.7.x branch, see
<http://lists.gnu.org/archive/html/help-gnutls/2007-05/msg00029.html>.

** Have PKCS8 parser return better error codes.
Reported by Nate Nielsen <nielsen-list@memberwebs.com>, see
<http://lists.gnupg.org/pipermail/gnutls-dev/2007-May/001653.html> and
<http://lists.gnupg.org/pipermail/gnutls-dev/2007-May/001654.html>.

** Fix mem leak for sessions with client authentication via certificates.
Reported by Andrew W. Nosenko <andrew.w.nosenko@gmail.com>, see
<http://lists.gnupg.org/pipermail/gnutls-dev/2007-April/001539.html>.

** Fix building of 'tlsia' self test.
Earlier some gcc are known to build tlsia linking to
$prefix/lib/libgnutls-extra.so rather than the libgnutls-extra.so in
the build directory, even though command line parameters look OK.
Changing order of some parameters fixes it.

** API and ABI modifications:
gnutls_x509_crt_get_raw_issuer_dn: ADD.
gnutls_x509_crt_get_raw_dn: ADD.

Revision 1.59 / (download) - annotate - [select for diffs], Fri Apr 20 06:07:15 2007 UTC (15 years, 11 months ago) by wiz
Branch: MAIN
Changes since 1.58: +2 -3 lines
Diff to previous 1.58 (colored)

Update to 1.6.2:

* Version 1.6.2 (released 2007-04-18)

** Fix X.509 signing with RSA-PKCS#1 to set a NULL parameters fields.
Before, we remove the parameters field, which resulted in a slightly
different DER encoding which in turn caused signature verification
failures of GnuTLS-generated RSA certificates in some other
implementations (e.g., GnuPG 2.x's gpgsm).  Depending on which RFCs
you read, this may or may not be correct, but our new behaviour appear
to be consistent with other widely used implementations.

** Regenerate the PKIX ASN.1 syntax tree.
For some reason, after changing the ASN.1 type of ldap-UID in the last
release, the generated C file built from the ASN.1 schema was not
refreshed.  This can cause problems when reading/writing UID
components inside X.500 Distinguished Names.  Reported by devel
<dev001@pas-world.com>.

** Updated translations.

** API and ABI modifications:
No changes since last version.

Revision 1.58 / (download) - annotate - [select for diffs], Wed Jan 24 15:58:04 2007 UTC (16 years, 2 months ago) by tron
Branch: MAIN
CVS Tags: pkgsrc-2007Q1-base, pkgsrc-2007Q1
Changes since 1.57: +3 -10 lines
Diff to previous 1.57 (colored)

Renable and fix build of C++ library under Mac OS X.
Bump package revision because of this fix.

Revision 1.57 / (download) - annotate - [select for diffs], Sun Jan 21 18:13:55 2007 UTC (16 years, 2 months ago) by minskim
Branch: MAIN
Changes since 1.56: +11 -1 lines
Diff to previous 1.56 (colored)

Disable the C++ library on Darwin to avoid a link error (PR 35456).
According to the gnutls maintainer, the C++ compiler on Darwin is
probably broken.

Revision 1.56 / (download) - annotate - [select for diffs], Sat Jan 20 17:38:06 2007 UTC (16 years, 2 months ago) by wiz
Branch: MAIN
Changes since 1.55: +3 -2 lines
Diff to previous 1.55 (colored)

Update to 1.6.1:

* Version 1.6.1 (released 2006-12-28)

** Fix the list of trusted CAs that server's send to clients.
Before, the list contained issuer DN's instead of subject DN's of the
trusted CAs.  Reported by Max Kellermann

** Fix gnutls_certificate_set_x509_crl to initialize the CRL before using it.
Reported by Max Kellermann

** Encode UID fields in DN's as DirectoryString.
Before GnuTLS encoded and parsed UID fields as IA5String.  This was
incorrect, it should have used DirectoryString.  Now it will use
DirectoryString for the UID field, but for backwards compatibility it
will also accept IA5String UID's.  Reported by Max Kellermann

** Fix ./configure failure with non-GCC compilers.
This fixes the following error message:
configure: error: conditional "HAVE_LD_OUTPUT_DEF" was never defined.
Reported by "Michael C. Vergallen"

* Version 1.6.0 (released 2006-11-17)

** No changes since 1.5.5.
The major changes compared to the 1.4.x branch are:

*** A GnuTLS C++ library is part of the official distribution.
Currently there are no examples or documentation, but hopefully this
will change.  See gnutlsxx.h for the API.

*** Windows is a supported platform.
There are, however, two know bugs.  One is related to select() in
command line tools (not, nota bene, in the library), the other is a
problem with libgcrypt that causes delays.  Help is needed to resolve
those issues, so we feel we can't delay the release because of this.

*** New APIs for custom push/pull function error reporting.
The new APIs are gnutls_transport_set_errno and
gnutls_transport_set_global_errno.  See the release notes for version
1.5.4 for more information.

*** Self tests are run under valgrind, if available.  See --disable-valgrind.

Revision 1.55 / (download) - annotate - [select for diffs], Fri Dec 8 05:44:19 2006 UTC (16 years, 3 months ago) by rillig
Branch: MAIN
CVS Tags: pkgsrc-2006Q4-base, pkgsrc-2006Q4
Changes since 1.54: +2 -1 lines
Diff to previous 1.54 (colored)

Needs PKGLOCALEDIR.

Revision 1.54 / (download) - annotate - [select for diffs], Mon Nov 13 18:15:14 2006 UTC (16 years, 4 months ago) by drochner
Branch: MAIN
Changes since 1.53: +2 -2 lines
Diff to previous 1.53 (colored)

update to 1.4.5
changes: minor bugfixes

Revision 1.53 / (download) - annotate - [select for diffs], Sun Nov 5 17:35:58 2006 UTC (16 years, 4 months ago) by joerg
Branch: MAIN
Changes since 1.52: +6 -8 lines
Diff to previous 1.52 (colored)

DESTDIR support.

Revision 1.49.2.1 / (download) - annotate - [select for diffs], Sun Sep 17 09:09:38 2006 UTC (16 years, 6 months ago) by salo
Branch: pkgsrc-2006Q2
Changes since 1.49: +2 -2 lines
Diff to previous 1.49 (colored) next main 1.50 (colored)

Pullup ticket 1830 - requested by wiz
security update for gnutls

Revisions pulled up:
- pkgsrc/security/gnutls/Makefile		1.50, 1.51, 1.52
- pkgsrc/security/gnutls/PLIST			1.22
- pkgsrc/security/gnutls/distinfo		1.29, 1.30, 1.31

   Module Name:		pkgsrc
   Committed By:	wiz
   Date:		Mon Jul 17 17:02:02 UTC 2006

   Modified Files:
   	pkgsrc/security/gnutls: Makefile PLIST distinfo

   Log Message:
   Update to 1.4.1:

   * Version 1.4.1 (released 2006-06-14)

   ** Replaced inactive ifdefs to enable openpgp support in test programs.

   ** Fixed bug in OpenPGP authentication handshake.

   ** Fixed typographical in man pages.

   ** Build fixes of the manual.

   ** Added Swedish translation.

   ** API and ABI modifications:
   No changes since last version.
---
   Module Name:		pkgsrc
   Committed By:	wiz
   Date:		Sun Sep 10 21:12:21 UTC 2006

   Modified Files:
   	pkgsrc/security/gnutls: Makefile distinfo

   Log Message:
   Update to 1.4.3:

   * Version 1.4.3 (released 2006-09-08)

   ** Fix PKCS#1 verification to avoid a variant of Bleichenbacher's
   ** Crypto 06 rump session attack.
   In particular, we check that the digestAlgorithm.parameters field is
   empty, to avoid that it can contain "garbage" that may be used to
   alter the numeric properties of the signature.  See
   <http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html> (which is
   not exactly the same as the problem we fix here).  Reported by Yutaka
   OIWA <y.oiwa@aist.go.jp>.

   See GNUTLS-SA-2006-4 on http://www.gnutls.org/security.html for more
   up to date information.

   ** Fix PKCS#1 decryption to avoid Bleichenbacher's Crypto 98 attack.
   See <http://www.bell-labs.com/user/bleichen/papers/pkcs.ps.gz>.
   Reported by Werner Koch <wk@gnupg.org>.

   See GNUTLS-SA-2006-3 on http://www.gnutls.org/security.html for more
   up to date information.

   ** Fix crash in gnutls_x509_crt_sign2 if passed a NULL issuer_key.

   ** API and ABI modifications:
   No changes since last version.

   * Version 1.4.2 (released 2006-08-12)

   ** Fix a crash (strcmp() on a NULL value) in the certificate verification logic.
   This can happen if you call gnutls_certificate_verify_peers2 and have
   a certain mix of local CA certificates and the peer send special
   certificates, that together trigger certain behaviour.  It is not
   known at this point whether the crash can be triggered without the
   special local CA certificate, and thus turn this into a remote crash
   of clients that verify server certificates when they talk to a server
   with the special server certificate.  See GNUTLS-SA-2006-2 on
   http://www.gnu.org/software/gnutls/security.html for more up to date
   information.  Reported by satyakumar <satyam_kkd@hyd.hellosoft.com>.

   ** Change SRP and Cert-Type extensions to match IANA registry.

   ** OpenCDK updated to 0.5.9 to fix some problems with OpenPGP support.

   ** Make --without-included-libtasn1 work.
   Reported by Daniel Black <dragonheart@gentoo.org>.

   ** API and ABI modifications:
   No changes since last version.
---
   Module Name:		pkgsrc
   Committed By:	wiz
   Date:		Sat Sep 16 06:21:22 UTC 2006

   Modified Files:
   	pkgsrc/security/gnutls: Makefile distinfo

   Log Message:
   Update to 1.4.4:

   * Version 1.4.4 (released 2006-09-12)

   ** Relax the test that caught signatures that exploit the variant of
   ** Bleichenbacher's Crypto 06 rump session attack on our
   ** verification logic flaw.
   In particular, we now permit the digestAlgorithm.parameters field to
   be present but empty, whereas in 1.4.3 we actually checked that the
   field was absent.

   ** Revert the removal of debug information for the GNUTLS-SA-2006-3 problem.
   The messages are only printed in debug mode, which is not recommended
   for normal use, and thus logging this situation cannot be abused as an
   oracle in typical recommended situations.

   ** API and ABI modifications:
   No changes since last version.

Revision 1.52 / (download) - annotate - [select for diffs], Sat Sep 16 06:21:22 2006 UTC (16 years, 6 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2006Q3-base, pkgsrc-2006Q3
Changes since 1.51: +2 -2 lines
Diff to previous 1.51 (colored)

Update to 1.4.4:

* Version 1.4.4 (released 2006-09-12)

** Relax the test that caught signatures that exploit the variant of
** Bleichenbacher's Crypto 06 rump session attack on our
** verification logic flaw.
In particular, we now permit the digestAlgorithm.parameters field to
be present but empty, whereas in 1.4.3 we actually checked that the
field was absent.

** Revert the removal of debug information for the GNUTLS-SA-2006-3 problem.
The messages are only printed in debug mode, which is not recommended
for normal use, and thus logging this situation cannot be abused as an
oracle in typical recommended situations.

** API and ABI modifications:
No changes since last version.

Revision 1.51 / (download) - annotate - [select for diffs], Sun Sep 10 21:12:21 2006 UTC (16 years, 6 months ago) by wiz
Branch: MAIN
Changes since 1.50: +2 -2 lines
Diff to previous 1.50 (colored)

Update to 1.4.3:

* Version 1.4.3 (released 2006-09-08)

** Fix PKCS#1 verification to avoid a variant of Bleichenbacher's
** Crypto 06 rump session attack.
In particular, we check that the digestAlgorithm.parameters field is
empty, to avoid that it can contain "garbage" that may be used to
alter the numeric properties of the signature.  See
<http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html> (which is
not exactly the same as the problem we fix here).  Reported by Yutaka
OIWA <y.oiwa@aist.go.jp>.

See GNUTLS-SA-2006-4 on http://www.gnutls.org/security.html for more
up to date information.

** Fix PKCS#1 decryption to avoid Bleichenbacher's Crypto 98 attack.
See <http://www.bell-labs.com/user/bleichen/papers/pkcs.ps.gz>.
Reported by Werner Koch <wk@gnupg.org>.

See GNUTLS-SA-2006-3 on http://www.gnutls.org/security.html for more
up to date information.

** Fix crash in gnutls_x509_crt_sign2 if passed a NULL issuer_key.

** API and ABI modifications:
No changes since last version.

* Version 1.4.2 (released 2006-08-12)

** Fix a crash (strcmp() on a NULL value) in the certificate verification logic.
This can happen if you call gnutls_certificate_verify_peers2 and have
a certain mix of local CA certificates and the peer send special
certificates, that together trigger certain behaviour.  It is not
known at this point whether the crash can be triggered without the
special local CA certificate, and thus turn this into a remote crash
of clients that verify server certificates when they talk to a server
with the special server certificate.  See GNUTLS-SA-2006-2 on
http://www.gnu.org/software/gnutls/security.html for more up to date
information.  Reported by satyakumar <satyam_kkd@hyd.hellosoft.com>.

** Change SRP and Cert-Type extensions to match IANA registry.

** OpenCDK updated to 0.5.9 to fix some problems with OpenPGP support.

** Make --without-included-libtasn1 work.
Reported by Daniel Black <dragonheart@gentoo.org>.

** API and ABI modifications:
No changes since last version.

Revision 1.50 / (download) - annotate - [select for diffs], Mon Jul 17 17:02:02 2006 UTC (16 years, 8 months ago) by wiz
Branch: MAIN
Changes since 1.49: +2 -2 lines
Diff to previous 1.49 (colored)

Update to 1.4.1:

* Version 1.4.1 (released 2006-06-14)

** Replaced inactive ifdefs to enable openpgp support in test programs.

** Fixed bug in OpenPGP authentication handshake.

** Fixed typographical in man pages.

** Build fixes of the manual.

** Added Swedish translation.

** API and ABI modifications:
No changes since last version.

Revision 1.49 / (download) - annotate - [select for diffs], Wed May 17 21:50:22 2006 UTC (16 years, 10 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2006Q2-base
Branch point for: pkgsrc-2006Q2
Changes since 1.48: +3 -3 lines
Diff to previous 1.48 (colored)

Update to 1.4.0:

* Version 1.4.0 (released 2006-05-15)

** Remove GnuTLS 0.8.x compatibility functions.

** The libgcrypt RNG is initialized in gnutls_global_init().

** TLS/IA API changes from Emile van Bergen.
A dummy credential structure is not needed now, if you wish to use the
low-level TLS/IA API, simply call gnutls_ia_enable to enable TLS/IA on
a session.

** The self-tests are now run under valgrind, if it is installed.

** Libtasn1 is updated to 0.3.4, and that version is now required.

** The command line tools now use getaddrinfo and support IPv6.

** API and ABI modifications:
_gnutls_x509_get_raw_crt_activation_time,
_gnutls_x509_get_raw_crt_expiration_time: Removed.
gnutls_ia_require_inner_phase: Removed, replaced by gnutls_ia_enable.
gnutls_ia_enable: Added.

Revision 1.48 / (download) - annotate - [select for diffs], Thu Apr 6 06:22:38 2006 UTC (16 years, 11 months ago) by reed
Branch: MAIN
Changes since 1.47: +4 -4 lines
Diff to previous 1.47 (colored)

Over 1200 files touched but no revisions bumped :)

RECOMMENDED is removed. It becomes ABI_DEPENDS.

BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.

BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.

BUILDLINK_DEPENDS does not change.

IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".

Added to obsolete.mk checking for IGNORE_RECOMMENDED.

I did not manually go through and fix any aesthetic tab/spacing issues.

I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.

I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.

As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.

As discussed on tech-pkg.

I will commit to revbump, pkglint, pkg_install, createbuildlink separately.

Note that if you use wip, it will fail!  I will commit to pkgsrc-wip
later (within day).

Revision 1.47 / (download) - annotate - [select for diffs], Fri Mar 31 23:56:29 2006 UTC (16 years, 11 months ago) by jlam
Branch: MAIN
Changes since 1.46: +2 -3 lines
Diff to previous 1.46 (colored)

List the info pages directly in the PLIST and ensure that we honor
PKGINFODIR.

Revision 1.46 / (download) - annotate - [select for diffs], Thu Mar 9 17:25:54 2006 UTC (17 years ago) by cube
Branch: MAIN
CVS Tags: pkgsrc-2006Q1-base, pkgsrc-2006Q1
Changes since 1.45: +3 -4 lines
Diff to previous 1.45 (colored)

Update to version 1.3.5.  Fixes build failures related to libtasn1.

- Error messages are now translated using GNU Gettext.

- The function gnutls_x509_crt_to_xml now return an internal error.
This means that the code to convert X.509 certificates to XML format
does not work any more.  The reason is that the function called
libtasn1 internal functions.  It seems unclean for libtasn1 to export
the APIs needed here.  Instead it would be better to implement XML
support inside libtasn1 properly.  If you need this functionality
strongly, please consider looking into implementing this suggested
approach instead.  As a workaround, you may also modify lib/x509/xml.c
(change '#if 1' to '#if 0') and build using --with-included-libtasn1.

- Doc fixes to explain that gnutls_record_send can block.

- gnutls-cli can now recognize services and port numbers with the -p option.

Revision 1.45 / (download) - annotate - [select for diffs], Sun Mar 5 00:33:54 2006 UTC (17 years ago) by grant
Branch: MAIN
Changes since 1.44: +2 -1 lines
Diff to previous 1.44 (colored)

bump PKGREVISION for libtasn1 depends change

Revision 1.44 / (download) - annotate - [select for diffs], Sat Mar 4 23:45:07 2006 UTC (17 years ago) by wiz
Branch: MAIN
Changes since 1.43: +2 -2 lines
Diff to previous 1.43 (colored)

Fix build with libtasn1-0.3.0, and depend on it.

Revision 1.43 / (download) - annotate - [select for diffs], Sat Mar 4 21:30:34 2006 UTC (17 years ago) by jlam
Branch: MAIN
Changes since 1.42: +2 -2 lines
Diff to previous 1.42 (colored)

Point MAINTAINER to pkgsrc-users@NetBSD.org in the case where no
developer is officially maintaining the package.

The rationale for changing this from "tech-pkg" to "pkgsrc-users" is
that it implies that any user can try to maintain the package (by
submitting patches to the mailing list).  Since the folks most likely
to care about the package are the folks that want to use it or are
already using it, this would leverage the energy of users who aren't
developers.

Revision 1.37.2.1 / (download) - annotate - [select for diffs], Tue Feb 14 17:35:33 2006 UTC (17 years, 1 month ago) by salo
Branch: pkgsrc-2005Q4
Changes since 1.37: +3 -3 lines
Diff to previous 1.37 (colored) next main 1.38 (colored)

Pullup ticket 1125 - requested by Matthias Drochner
security updates for libtasn1 and gnutls

Revisions pulled up:
- pkgsrc/security/libtasn1/Makefile		1.20
- pkgsrc/security/libtasn1/distinfo		1.11

Gnutls updated via patch.

   Module Name:		pkgsrc
   Committed By:	drochner
   Date:		Fri Feb 10 12:39:25 UTC 2006

   Modified Files:
   	pkgsrc/security/gnutls: Makefile distinfo
   	pkgsrc/security/libtasn1: Makefile distinfo

   Log Message:
   update libtasn1 to 0.2.18 and gnutls to 1.2.10
   fixes possible DOS (crash by invalid DER input) "GNUTLS-SA-2006-1"

Revision 1.42 / (download) - annotate - [select for diffs], Mon Feb 13 11:04:54 2006 UTC (17 years, 1 month ago) by drochner
Branch: MAIN
Changes since 1.41: +2 -2 lines
Diff to previous 1.41 (colored)

"configure" checks for libtasn1>=0.2.18, so require it explicitely

Revision 1.41 / (download) - annotate - [select for diffs], Fri Feb 10 12:39:25 2006 UTC (17 years, 1 month ago) by drochner
Branch: MAIN
Changes since 1.40: +2 -3 lines
Diff to previous 1.40 (colored)

update libtasn1 to 0.2.18 and gnutls to 1.3.4,
fixes possible DOS (crash by invalid DER input) "GNUTLS-SA-2006-1"

Revision 1.40 / (download) - annotate - [select for diffs], Sun Feb 5 23:10:43 2006 UTC (17 years, 1 month ago) by joerg
Branch: MAIN
Changes since 1.39: +2 -1 lines
Diff to previous 1.39 (colored)

Recursive revision bump / recommended bump for gettext ABI change.

Revision 1.39 / (download) - annotate - [select for diffs], Fri Jan 20 21:14:04 2006 UTC (17 years, 2 months ago) by adam
Branch: MAIN
Changes since 1.38: +3 -2 lines
Diff to previous 1.38 (colored)

Changes 1.3.3:
** New API to access the TLS master secret.
When possible, you should use the TLS PRF functions instead.

** Improved handling when multiple libraries use GnuTLS at the same time.
Now gnutls_global_init() can be called multiple times, and
gnutls_global_deinit() will only deallocate the structure when it has
been called as many times as gnutls_global_init() was called.

** Added a self test of TLS resume functionality.

** Fix crash in TLS resume code, caused by TLS/IA changes.

** Add 'const' keywords in various places, from Frediano ZIGLIO.

** The code was indented again, including the external header files.

** API and ABI modifications:
New functions to retrieve the master secret value:
  gnutls_session_get_master_secret

Add a 'const' keyword to existing API:
  gnutls_x509_crq_get_challenge_password

Revision 1.38 / (download) - annotate - [select for diffs], Sat Dec 31 00:02:58 2005 UTC (17 years, 2 months ago) by wiz
Branch: MAIN
Changes since 1.37: +2 -2 lines
Diff to previous 1.37 (colored)

Update to 1.3.2:

* Version 1.3.2 (released 2005-12-15)

** GnuTLS now support TLS Inner application (TLS/IA).
This is per draft-funk-tls-inner-application-extension-01.  This
functionality is added to libgnutls-extra, so it is licensed under the
GNU General Public License.

** New APIs to access the TLS Pseudo-Random-Function (PRF).
The PRF is used by some protocols building on TLS, such as EAP-PEAP
and EAP-TTLS.  One function to access the raw PRF and one to access
the PRF seeded with the client/server random fields are provided.
Suggested by Jouni Malinen <jkmaline@cc.hut.fi>.

** New APIs to acceess the client and server random fields in a session.
These fields can be useful by protocols using TLS.  Note that these
fields are typically used as input to the TLS PRF, and if this is your
intended use, you should use the TLS PRF API that use the
client/server random field directly.  Suggested by Jouni Malinen
<jkmaline@cc.hut.fi>.

** Internal type cleanups.
The uint8, uint16, uint32 types have been replaced by uint8_t,
uint16_t, uint32_t.  Gnulib is used to guarantee the presence of
correct types on platforms that lack them.  The uint type have been
replaced by unsigned.

** API and ABI modifications:
New functions to invoke the TLS Pseudo-Random-Function (PRF):
  gnutls_prf
  gnutls_prf_raw

New functions to retrieve the session's client and server random values:
  gnutls_session_get_server_random
  gnutls_session_get_client_random

New function, to perform TLS/IA handshake:
  gnutls_ia_handshake

New function to decide whether to do a TLS/IA handshake:
  gnutls_ia_handshake_p

New functions to allocate a TLS/IA credential:
  gnutls_ia_allocate_client_credentials
  gnutls_ia_free_client_credentials
  gnutls_ia_allocate_server_credentials
  gnutls_ia_free_server_credentials

New functions to handle the AVP callback:
  gnutls_ia_set_client_avp_function
  gnutls_ia_set_client_avp_ptr
  gnutls_ia_get_client_avp_ptr
  gnutls_ia_set_server_avp_function
  gnutls_ia_set_server_avp_ptr
  gnutls_ia_get_server_avp_ptr

New functions, to toggle TLS/IA application phases:
  gnutls_ia_require_inner_phase

New function to mix session keys with inner secret:
  gnutls_ia_permute_inner_secret

Low-level API (used internally by gnutls_ia_handshake):
  gnutls_ia_endphase_send
  gnutls_ia_send
  gnutls_ia_recv

New functions that can be used after successful TLS/IA negotiation:
  gnutls_ia_generate_challenge
  gnutls_ia_extract_inner_secret

Enum type with TLS/IA modes:
  gnutls_ia_mode_t

Enum type with TLS/IA packet types:
  gnutls_ia_apptype_t

Enum values for TLS/IA alerts:
  GNUTLS_A_INNER_APPLICATION_FAILURE
  GNUTLS_A_INNER_APPLICATION_VERIFICATION

New error codes, to signal when an application phase has finished:
  GNUTLS_E_WARNING_IA_IPHF_RECEIVED
  GNUTLS_E_WARNING_IA_FPHF_RECEIVED

New error code to signal TLS/IA verify failure:
  GNUTLS_E_IA_VERIFY_FAILED

* Version 1.3.1 (released 2005-12-08)

** Support for DHE-PSK cipher suites has been added.
This method offers perfect forward secrecy.

** Fix gnutls-cli STARTTLS hang when SIGINT is sent too quickly, thanks to
Otto Maddox <ottomaddox@fastmail.fm> and Nozomu Ando <nand@mac.com>.

** Corrected a bug in certtool for 64 bit machines. Reported
by Max Kellermann <max@duempel.org>.

** New function to set a X.509 private key and certificate pairs, and/or
CRLs, from an PKCS#12 file, suggested by Emile van Bergen
<emile@e-advies.nl>.

The integrity of the PKCS#12 file is protected through a password
based MAC; public-key based signatures for integrity protection are
not supported.  PKCS#12 bags may be encrypted using password derived
symmetric keys, public-key based encryption is not supported.  The
PKCS#8 keys may be encrypted using passwords.  The API use the same
password for all operations.  We believe that any more flexibility
create too much complexity that would hurt overall security, but may
add more PKCS#12 related APIs if real-world experience indicate
otherwise.

** gnutls_x509_privkey_import_pkcs8 now accept unencrypted PEM PKCS#8 keys,
reported by Emile van Bergen <emile@e-advies.nl>.
This will enable "certtool -k -8" to parse those keys.

** Certtool now generate keys in unencrypted PKCS#8 format for empty passwords.
Use "certtool -p -8" and press press enter at the prompt.  Earlier,
certtool would have encrypted the key using an empty password.

** Certtool now accept --password for --key-info and encrypted PKCS#8 keys.
Earlier it would have prompted the user for it, even if --password was
supplied.

** Added self test of PKCS#8 parsing.
Unencrypted and encrypted (pbeWithSHAAnd3-KeyTripleDES-CBC and
pbeWithSHAAnd40BitRC2-CBC) formats are tested.  The test is in
tests/pkcs8.

** API and ABI modifications:
New function to set X.509 credentials from a PKCS#12 file:
  gnutls_certificate_set_x509_simple_pkcs12_file

New gnutls_kx_algorithm_t enum type:
  GNUTLS_KX_DHE_PSK

New API to return session data (better data types than
gnutls_session_get_data):
  gnutls_session_get_data2

New API to set PSK Diffie-Hellman parameters:
  gnutls_psk_set_server_dh_params

* Version 1.3.0 (2005-11-15)

** Support for TLS Pre-Shared Key (TLS-PSK) ciphersuites have been added.
This add several new APIs, see below.  Read the updated manual for
more information.  A new self test "pskself" has been added, that will
test this functionality.

** The session resumption data are now system independent.

** The code has been re-indented to conform to the GNU coding style.

** Removed the RIPEMD ciphersuites.

** Added a discussion of the internals of gnutls in manual.

** Fixes for Tru64 UNIX 4.0D that lack MAP_FAILED, from Albert Chin.

** Remove trailing comma in enums, for IBM C v6, from Albert Chin.

** Make sure config.h is included first in a few files, from Albert Chin.

** Don't use C++ comments ("//") as they are invalid, from Albert Chin.

** Don't install SRP programs and man pages if --disable-srp-authentication,
from Albert Chin.

** API and ABI modifications:
New gnutls_kx_algorithm_t key exchange type: GNUTLS_KX_PSK

New gnutls_credentials_type_t credential type:
  GNUTLS_CRD_PSK

New credential types:
  gnutls_psk_server_credentials_t
  gnutls_psk_client_credentials_t

New functions to allocate PSK credentials:
  gnutls_psk_allocate_client_credentials
  gnutls_psk_free_client_credentials
  gnutls_psk_free_server_credentials
  gnutls_psk_allocate_server_credentials

New enum type for PSK key flags:
  gnutls_psk_key_flags

New function prototypes for credential callback:
  gnutls_psk_client_credentials_function
  gnutls_psk_server_credentials_function

New function to set PSK username and key:
  gnutls_psk_set_client_credentials

New function to set PSK passwd file:
  gnutls_psk_set_server_credentials_file

New function to extract PSK user in server:
  gnutls_psk_server_get_username

New functions to set PSK callback:
  gnutls_psk_set_server_credentials_function
  gnutls_psk_set_client_credentials_function

Use size_t instead of int for output size parameter:
  gnutls_srp_base64_encode
  gnutls_srp_base64_decode

Revision 1.37 / (download) - annotate - [select for diffs], Mon Dec 5 20:50:56 2005 UTC (17 years, 3 months ago) by rillig
Branch: MAIN
CVS Tags: pkgsrc-2005Q4-base
Branch point for: pkgsrc-2005Q4
Changes since 1.36: +5 -5 lines
Diff to previous 1.36 (colored)

Fixed pkglint warnings. The warnings are mostly quoting issues, for
example MAKE_ENV+=FOO=${BAR} is changed to MAKE_ENV+=FOO=${BAR:Q}. Some
other changes are outlined in

    http://mail-index.netbsd.org/tech-pkg/2005/12/02/0034.html

Revision 1.36 / (download) - annotate - [select for diffs], Mon Nov 14 18:17:49 2005 UTC (17 years, 4 months ago) by wiz
Branch: MAIN
Changes since 1.35: +2 -2 lines
Diff to previous 1.35 (colored)

Update to 1.2.9:

* Version 1.2.9 (2005-11-07)
- Documentation was updated and improved.
- RSA-MD2 is now supported for verifying digital signatures.
- Due to cryptographic advances, verifying untrusted X.509
  certificates signed with RSA-MD2 or RSA-MD5 will now fail with a
  GNUTLS_CERT_INSECURE_ALGORITHM verification output.  For
  applications that must remain interoperable, you can use the
  GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 or GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5
  flags when verifying certificates.  Naturally, this is not
  recommended default behaviour for applications.  To enable the
  broken algorithms, call gnutls_certificate_set_verify_flags with the
  proper flag, to change the verification mode used by
  gnutls_certificate_verify_peers2.
- Make it possible to send empty data through gnutls_record_send,
  to align with the send(2) API.
- Some changes in the certificate receiving part of handshake to prevent
  some possible errors with non-blocking servers.
- Added numeric version symbols to permit simple CPP-based feature
  tests, suggested by Daniel Stenberg <daniel@haxx.se>.
- The (experimental) low-level crypto alternative to libgcrypt used
  earlier (Nettle) has been replaced with crypto code from gnulib.
  This leads to easier re-use of these components in other projects,
  leading to more review and simpler maintenance.  The new configure
  parameter --with-builtin-crypto replace the old --with-nettle, and
  must be used if you wish to enable this functionality.  See README
  under "Experimental" for more information.  Internally, GnuTLS has
  been updated to use the new "Generic Crypto" API in gl/gc.h.  The
  API is similar to the old crypto/gc.h, because the gnulib code were
  based on GnuTLS's gc.h.
- Fix compiler warning in the "anonself" self test.
- API and ABI modifications:
gnutls_x509_crt_list_verify: Added 'const' to prototype in <gnutls/x509.h>.
                             This doesn't reflect a change in behaviour,
                             so we don't break backwards compatibility.
GNUTLS_MAC_MD2: New gnutls_mac_algorithm_t value.
GNUTLS_DIG_MD2: New gnutls_digest_algorithm_t value.
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2,
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5: New gnutls_certificate_verify_flags values.
                                  Use when calling
                                  gnutls_x509_crt_list_verify,
                                  gnutls_x509_crt_verify, or
                                  gnutls_certificate_set_verify_flags.
GNUTLS_CERT_INSECURE_ALGORITHM: New gnutls_certificate_status_t value,
                                used when broken signature algorithms
                                is used (currently RSA-MD2/MD5).
LIBGNUTLS_VERSION_MAJOR,
LIBGNUTLS_VERSION_MINOR,
LIBGNUTLS_VERSION_PATCH,
LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS
			  version number, can be used for feature existence
			  tests.

Revision 1.35 / (download) - annotate - [select for diffs], Thu Oct 20 00:43:32 2005 UTC (17 years, 5 months ago) by wiz
Branch: MAIN
Changes since 1.34: +5 -3 lines
Diff to previous 1.34 (colored)

Update to 1.2.8:

* Version 1.2.8 (2005-10-07)
- Libgcrypt 1.2.2 is required to fix a bug for forking GnuTLS servers.
- Don't install the auxilliary libexamples library used by the
  examples in doc/examples/ on "make install", report and tiny patch
  from Thomas Klausner
- If you pass a X.509 CA or PGP trust database to the command line
  tool, it will now abort the connection if the server certificate
  validation fails.  Use the parameter --insecure to continue even
  after certificate validation failures.  Inspired from discussion
  with Alexander Kotelnikov
- The test for socklen_t has been moved to gnulib.
- Link failures for duplicate or missing "program_name" symbol has been fixed,
  patch from Martin Lambers
- The command line tool and the examples no longer uses mmap or bzero,
  to make them more portable, patch from Martin Lambers
- Made the PKCS #12 API handle null passwords. Based on patch by
  Anton Altaparmakov
- The GTK-DOC manual should build with current released tools.
  (But a copy of the output is included, so the tools are not required.)
- API and ABI modifications:
  No changes since last version.

Revision 1.34 / (download) - annotate - [select for diffs], Fri Sep 30 13:11:34 2005 UTC (17 years, 5 months ago) by wiz
Branch: MAIN
Changes since 1.33: +2 -2 lines
Diff to previous 1.33 (colored)

Update to 1.2.7:

* Version 1.2.7 (2005-09-09)
- The GNUTLS and GNUTLS-EXTRA libraries are now built with versioned symbols.
- Certtool now complains when reading out-of-range X.509 serial
  numbers, suggested by Fran
- Certtool now uses the readline library (when available) when reading
  X.509 serial numbers.
- Fixed build problems in getpass on uClibc and Mingw32 platforms.
- Fixed compile warning regarding socklen_t on Mingw32, reported by
  Martin Lambers
- Fixed examples in doc/examples/, suggested by Fran
- Gnulib is now used for the core library, enabling future code cleanups.
- The gnutls-cli tool now use gnutls_certificate_verify_peers2,
  suggested by Daniel Stenberg
- Doc fixes for gnutls_transport_set_push and gnutls_transport_set_pull.
- Minilibtasn1 is now 0.2.17 (removed optional use of C99 macros).
- Disable zlib support if zlib.h is not present.
- A number of internal cleanups.
- API and ABI modifications:
  No changes since last version.

pkgsrc change: do not install libexamples (looks like a bug)

Revision 1.33 / (download) - annotate - [select for diffs], Mon Sep 5 07:34:05 2005 UTC (17 years, 6 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2005Q3-base, pkgsrc-2005Q3
Changes since 1.32: +2 -4 lines
Diff to previous 1.32 (colored)

buildlink3.mk matches Makefile now

Revision 1.32 / (download) - annotate - [select for diffs], Tue Aug 30 14:29:00 2005 UTC (17 years, 6 months ago) by adam
Branch: MAIN
Changes since 1.31: +5 -5 lines
Diff to previous 1.31 (colored)

Changes 1.2.6:
- MiniLZO updated to version 2.01 and moved to separate directory.
- Collision between system LZO header files and MiniLZO header file fixed.
- Will now test for liblzo functionality in liblzo2 too.
- Minilibtasn1 is now 0.2.14 (no code changes).
- Some code changes to avoid GTK-DOC warnings.
- API and ABI modifications:
  No changes since last version.

Revision 1.31 / (download) - annotate - [select for diffs], Thu Jul 14 20:16:23 2005 UTC (17 years, 8 months ago) by wiz
Branch: MAIN
Changes since 1.30: +3 -2 lines
Diff to previous 1.30 (colored)

Update comment about lzo.

Revision 1.30 / (download) - annotate - [select for diffs], Thu Jul 14 19:19:43 2005 UTC (17 years, 8 months ago) by wiz
Branch: MAIN
Changes since 1.29: +4 -3 lines
Diff to previous 1.29 (colored)

Update to 1.2.5:

* Version 1.2.5 (2005-07-03)
- More builddir != srcdir fixes, reported by Mike Castle
- Fixed off-by-one bug in the size parameter of gnutls_x509_crt_get*_dn,
  reported by Adam Langley
- Corrected some stuff in minilzo detection. Pointed out by
  Sergey Lipnevich.
- MiniLZO updated to version 2.00.
- gnutls_x509_crt_list_import now accept a DER formatted CRL.
- API and ABI modifications:
  No changes since last version.

Revision 1.29 / (download) - annotate - [select for diffs], Tue May 31 17:48:30 2005 UTC (17 years, 9 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2005Q2-base, pkgsrc-2005Q2
Changes since 1.28: +2 -2 lines
Diff to previous 1.28 (colored)

Update to 1.2.4:

* Version 1.2.4 (2005-05-28)
- Corrected some bugs that could affect 64 bit systems.
- Some corrections in the header files to include the prototype
  of memmem properly (affected 64 bit systems). Report and patch
  by Yoann Vandoorselaere <yoann@prelude-ids.org>.
- Introduced the --fix-key option to certtool, which can be used to
  regenerate the (optional) parameters in a private key. It should
  be used together with --key-info.
- Corrected a bug in certificate chain verification that could lead
  to marking a trusted chain as non trusted, if the last certificate in
  the chain was a self signed one.
- Gnulib portability files were updated.
- License were updated to reflect new FSF address.

Revision 1.25.2.1 / (download) - annotate - [select for diffs], Mon May 2 20:14:06 2005 UTC (17 years, 10 months ago) by salo
Branch: pkgsrc-2005Q1
Changes since 1.25: +3 -2 lines
Diff to previous 1.25 (colored) next main 1.26 (colored)

Pullup ticket 479 - requested by Thomas Klausner
security update for gnutls

Revisions pulled up:
- pkgsrc/security/gnutls/Makefile		1.26, 1.28
- pkgsrc/security/gnutls/PLIST			1.13-1.14
- pkgsrc/security/gnutls/buildlink3.mk		1.8
- pkgsrc/security/gnutls/distinfo		1.15-1.16
- pkgsrc/security/gnutls/patches/patch-aa	removed

   Module Name:		pkgsrc
   Committed By:	wiz
   Date:		Fri Apr  8 15:50:41 UTC 2005

   Modified Files:
	pkgsrc/security/gnutls: Makefile PLIST distinfo
   Removed Files:
	pkgsrc/security/gnutls/patches: patch-aa

   Log Message:
   Update to 1.2.1:
   * Version 1.2.1 (2005-04-04)
   - gnutls_bye() will no longer fail when RDWR is used and application
     data are available for reading.
   - Added more strict checks for the SRP parameters (g,n), when they
     are not in the included list.
   - Added warning to certtool when MD5 is being used for digital
     signatures.
   - Optimizations ("-O2 -finline-functions") are not enabled by default,
     instead the standard autoconf defaults are used.  Use `./configure
     CFLAGS="-O2 -finline-functions"' to get the old optimizations.
   - Added the option --get-dh-params to certtool, in order to get the
     included in the library primes and generators.
   - Improved the semantics of GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, to
     allow only trusted Version 1 CAs and introduced
     GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT which has the old semantics.
   - Nettle self tests now build properly, reported by Pierre
   - Eliminated some memory leaks in DHE and RSA-EXPORT cipher suites.
     Reported by Yoann Vandoorselaere
   - Added the functions:
       gnutls_x509_crt_list_import(),
       gnutls_x509_crq_get_attribute_by_oid(),
       gnutls_x509_crq_set_attribute_by_oid() and
       gnutls_x509_crt_set_extension_by_oid().
   - If the library has been compiled with features disabled, a warning is
     issued during the compilation of any program.
---
   Module Name:		pkgsrc
   Committed By:	wiz
   Date:		Mon May  2 12:59:24 UTC 2005

   Modified Files:
   	pkgsrc/security/gnutls: Makefile PLIST distinfo

   Log Message:
   Update to 1.2.3:

   * Version 1.2.3
   - Corrected bug in record packet parsing that could lead
     to a denial of service attack.
   - Corrected bug in RSA key export. Previously exported keys
     can be fixed using certtool. Use certtool -k <infile >outfile
   - API and ABI modifications:
       gnutls_x509_privkey_fix(): Add.

   * Version 1.2.2 (2005-04-25)
   - gnutls_error_to_alert() now considers
     GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET.
   - Fixed error in session resuming that could cause a crash in
     a session.
   - Fixed pkcs12 friendly name and local key identifier decoding.
   - Internal cleanups, removed duplicate typedef/struct definitions,
     and made source code include external include file, to check
     function prototypes during compile time.
   - API and ABI modifications:
     No changes since last version.  At least not intentional, but due
     to the include header changes, there may be inadvertant changes,
     please let us know if you find any.
---
   Module Name:		pkgsrc
   Committed By:	salo
   Date:		Mon May  2 19:48:37 UTC 2005

   Modified Files:
   	pkgsrc/security/gnutls: buildlink3.mk

   Log Message:
   Bump BUILDLINK_RECOMMENDED after latest security update. (hi wiz!)

Revision 1.28 / (download) - annotate - [select for diffs], Mon May 2 12:59:24 2005 UTC (17 years, 10 months ago) by wiz
Branch: MAIN
Changes since 1.27: +2 -2 lines
Diff to previous 1.27 (colored)

Update to 1.2.3:

* Version 1.2.3
- Corrected bug in record packet parsing that could lead
  to a denial of service attack.
- Corrected bug in RSA key export. Previously exported keys
  can be fixed using certtool. Use certtool -k <infile >outfile
- API and ABI modifications:
    gnutls_x509_privkey_fix(): Add.

* Version 1.2.2 (2005-04-25)
- gnutls_error_to_alert() now considers
  GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET.
- Fixed error in session resuming that could cause a crash in a session.
- Fixed pkcs12 friendly name and local key identifier decoding.
- Internal cleanups, removed duplicate typedef/struct definitions,
  and made source code include external include file, to check
  function prototypes during compile time.
- API and ABI modifications:
  No changes since last version.  At least not intentional, but due
  to the include header changes, there may be inadvertant changes,
  please let us know if you find any.

Revision 1.27 / (download) - annotate - [select for diffs], Mon Apr 11 21:47:11 2005 UTC (17 years, 11 months ago) by tv
Branch: MAIN
Changes since 1.26: +1 -2 lines
Diff to previous 1.26 (colored)

Remove USE_BUILDLINK3 and NO_BUILDLINK; these are no longer used.

Revision 1.26 / (download) - annotate - [select for diffs], Fri Apr 8 15:50:41 2005 UTC (17 years, 11 months ago) by wiz
Branch: MAIN
Changes since 1.25: +3 -2 lines
Diff to previous 1.25 (colored)

Update to 1.2.1:
* Version 1.2.1 (2005-04-04)
- gnutls_bye() will no longer fail when RDWR is used and application
  data are available for reading.
- Added more strict checks for the SRP parameters (g,n), when they
  are not in the included list.
- Added warning to certtool when MD5 is being used for digital
  signatures.
- Optimizations ("-O2 -finline-functions") are not enabled by default,
  instead the standard autoconf defaults are used.  Use `./configure
  CFLAGS="-O2 -finline-functions"' to get the old optimizations.
- Added the option --get-dh-params to certtool, in order to get the
  included in the library primes and generators.
- Improved the semantics of GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, to
  allow only trusted Version 1 CAs and introduced
  GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT which has the old semantics.
- Nettle self tests now build properly, reported by Pierre
- Eliminated some memory leaks in DHE and RSA-EXPORT cipher suites.
  Reported by Yoann Vandoorselaere
- Added the functions:
    gnutls_x509_crt_list_import(),
    gnutls_x509_crq_get_attribute_by_oid(),
    gnutls_x509_crq_set_attribute_by_oid() and
    gnutls_x509_crt_set_extension_by_oid().
- If the library has been compiled with features disabled, a warning is
  issued during the compilation of any program.

Revision 1.25 / (download) - annotate - [select for diffs], Fri Feb 25 15:23:24 2005 UTC (18 years ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2005Q1-base
Branch point for: pkgsrc-2005Q1
Changes since 1.24: +2 -1 lines
Diff to previous 1.24 (colored)

Work around broken dependency handling by explicitly setting timezone
to UTC. Fixes PR 29530.

Revision 1.24 / (download) - annotate - [select for diffs], Sat Feb 19 00:14:23 2005 UTC (18 years, 1 month ago) by wiz
Branch: MAIN
Changes since 1.23: +9 -4 lines
Diff to previous 1.23 (colored)

Update to 1.2.0.  From the release announcement:

We are pleased to announce the availability of GnuTLS 1.2.0!

This release is the result of the 23 development releases made on the
development branch (1.1.x).

Major changes compared to the 1.0 branch include:

* Moved SRP password authentication from the GnuTLS-extra library
  (licensed under GPL) to the core library (licensed under LGPL).

* The API has been cleaned up, and data types now use a '_t' suffix.

* Fixes to handle denial of service problem when verifying long
  certificate chains.

* The manual has been converted to Texinfo and is consequently
  available in many formats, see:
  <http://josefsson.org/gnutls/manual/>

* A reference API manual has been added, and is available in HTML and
  DevHelp formats, thanks to GTK-DOC, see:
  <http://josefsson.org/gnutls/reference/gnutls-gnutls.html>

The 1.2.0 version is intended to be stable, and to be a drop-in
replacement of the stable 1.0.x branch.

We encourage developers to move to the 1.2 branch as soon as possible,
since we will now spend less time improving version 1.0.x.

We are not planning to open a 1.3 development branch soon, because
there are no plans to start work on any major new feature today.
Instead, we will continue to carefully improve the quality of this
release over time.

Improving GnuTLS is costly, but you can help!  We are looking for
organizations that find GnuTLS useful and wish to contribute back.
You can contribute by reporting bugs, improve the software, or donate
money or equipment.

Revision 1.23 / (download) - annotate - [select for diffs], Sun Nov 28 12:59:10 2004 UTC (18 years, 3 months ago) by recht
Branch: MAIN
CVS Tags: pkgsrc-2004Q4-base, pkgsrc-2004Q4
Changes since 1.22: +2 -2 lines
Diff to previous 1.22 (colored)

update to gnutls-1.0.23

Noteworthy changes since the last release:

- Replace GNU LD version script with Libtool -export-symbols-regex,
  from Joe Orton <joe at manyfish.co.uk>.
- Copy libtasn1 has been updated to version 0.2.11.
- Corrected the write of CRL distribution points.
- It is now possible to generate PKCS#12 structures without private
  keys using "certtool --to-p12", suggested by Fabian Fagerholm
  <fabbe at paniq.net>.

Revision 1.22 / (download) - annotate - [select for diffs], Mon Nov 8 19:34:46 2004 UTC (18 years, 4 months ago) by jmmv
Branch: MAIN
Changes since 1.21: +5 -3 lines
Diff to previous 1.21 (colored)

Update to 1.0.22:

Version 1.0.22 (28/10/2004)
- Print DN of certificates with unknown characters in them, but in hexform
  only.
- Corrected bug in _gnutls_x509_get_dn_oid(), and returns the actual OID.
- Added second precision to the X.509 parsing functions.
- Add parameter --la-file to libgnutls-config and libgnutls-extra-config,
  tiny patch contributed by Joe Orton <joe@manyfish.co.uk>.
- Add pkg-config meta files, suggested by Stéphane LOEUILLET
  <stephane.loeuillet@tiscali.fr>.
- Fix memory initializaion bug in gnutls_certificate_set_x509_trust,
  tiny patch by Aleix Conchillo Flaque <aleix@member.fsf.org>.
- Fix certtool --password for PKCS #12, back ported from 1.1.x branch.
- Fix library order in libgnutls*-config --libs output, to permit
  static linking, reported by Yoann Vandoorselaere
  <yoann@prelude-ids.org>.

Version 1.0.21 (07/10/2004)
- Fix memory leak in gnutls_certificate_verify_peers and
  gnutls_certificate_free_credentials, report and patch by Simon
  Posnjak <simon.posnjak@cetrtapot.si>.
- Fix crash in `certtool --to-p12 --load-privkey foo', i.e. exporting
  a key and no certificate to PKCS#12.
- Fix objdir != srcdir builds, reported by "Gerrit P. Haase"
  <gp@familiehaase.de>.
- Avoid redefining getpass if system already has it, reported by
  Yoann Vandoorselaere <yoann@prelude-ids.org>.
- Add new example "ex-rfc2818" for certificate verification, from Nikos.
- Known bug: the library require snprintf.

Revision 1.21 / (download) - annotate - [select for diffs], Wed Oct 6 10:17:06 2004 UTC (18 years, 5 months ago) by grant
Branch: MAIN
Changes since 1.20: +2 -2 lines
Diff to previous 1.20 (colored)

rename cfg+ directory to libcfg+ so it matches the PKGNAME.

Revision 1.20 / (download) - annotate - [select for diffs], Sun Oct 3 00:18:08 2004 UTC (18 years, 5 months ago) by tv
Branch: MAIN
Changes since 1.19: +2 -2 lines
Diff to previous 1.19 (colored)

Libtool fix for PR pkg/26633, and other issues.  Update libtool to 1.5.10
in the process.  (More information on tech-pkg.)

Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.

Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.

Revision 1.19 / (download) - annotate - [select for diffs], Mon Sep 6 20:39:13 2004 UTC (18 years, 6 months ago) by danw
Branch: MAIN
CVS Tags: pkgsrc-2004Q3-base, pkgsrc-2004Q3
Changes since 1.18: +2 -1 lines
Diff to previous 1.18 (colored)

bump PKGREVISION for devel/cfg+ soname change

Revision 1.18 / (download) - annotate - [select for diffs], Fri Aug 27 13:16:16 2004 UTC (18 years, 6 months ago) by drochner
Branch: MAIN
Changes since 1.17: +5 -2 lines
Diff to previous 1.17 (colored)

update to 1.0.20
changes:
-bugfixes
-adds some limits to the verification functions to avoid denial of
 service attacks
-selftests added

Revision 1.16.2.1 / (download) - annotate - [select for diffs], Fri Jul 30 16:20:33 2004 UTC (18 years, 7 months ago) by agc
Branch: pkgsrc-2004Q2
Changes since 1.16: +3 -1 lines
Diff to previous 1.16 (colored) next main 1.17 (colored)

Pullup ticket 89 to the pkgsrc-2004Q2 branch, requested by Grant Beattie

Build fix for gnutls

	Module Name:    pkgsrc
	Committed By:   grant
	Date:           Sun Jul 25 06:15:25 UTC 2004

	Modified Files:
		pkgsrc/security/gnutls: Makefile

	Log Message:
	one of the Makefiles uses ${RM} but doesn't define it, so pass
	RM=${RM} in MAKE_ENV.

Revision 1.17 / (download) - annotate - [select for diffs], Sun Jul 25 06:15:24 2004 UTC (18 years, 8 months ago) by grant
Branch: MAIN
Changes since 1.16: +3 -1 lines
Diff to previous 1.16 (colored)

one of the Makefiles uses ${RM} but doesn't define it, so pass
RM=${RM} in MAKE_ENV.

Revision 1.16 / (download) - annotate - [select for diffs], Sat May 22 10:09:53 2004 UTC (18 years, 10 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2004Q2-base
Branch point for: pkgsrc-2004Q2
Changes since 1.15: +9 -6 lines
Diff to previous 1.15 (colored)

Changes 1.0.13:
- Some complilation fixes.
- Added the --xml parameter to the certtool utility.

Changes 1.0.12:
- Corrected bug in OpenPGP key loading using a callback.
- Renamed gnutls-srpcrypt to srptool
- Allow handshake requests by the client.
* Things backported from the development branch:
- Added support for authority key identifier and the extended key usage
  X.509 extension fields. The certtoool was updated to support them.
- Added batch support to certtool. Now it can use templates.
- The RC2 cipher is no more included. The one in libgcrypt is now used.

Changes 1.0.11:
- Added gnutls_sign_algorithm_get_name() and gnutls_pk_algorithm_get_name()
- Corrected bug in TLS renegotiation.

Changes 1.0.10:
- Corrected bug in RSA parameters handling which could cause
  unexpected crashes.
- Corrected bug in SSL 3.0 authentication.

Revision 1.15 / (download) - annotate - [select for diffs], Thu Apr 29 10:31:16 2004 UTC (18 years, 10 months ago) by jmmv
Branch: MAIN
Changes since 1.14: +4 -1 lines
Diff to previous 1.14 (colored)

Precreate the include/gnutls directory to fix installation.  Dunno how this
worked before (maybe the joys of make replace did not expose the problem)...
Fixes PR pkg/25304.

Revision 1.14 / (download) - annotate - [select for diffs], Mon Mar 1 15:14:45 2004 UTC (19 years ago) by jmmv
Branch: MAIN
CVS Tags: pkgsrc-2004Q1-base, pkgsrc-2004Q1
Changes since 1.13: +2 -3 lines
Diff to previous 1.13 (colored)

Update to 1.0.8.  Changes since 1.0.6:

Version 1.0.8 (28/02/2004)
- Corrected bug in mutual certificate authentication in SSL 3.0.
- Several other minor bugfixes.

Version 1.0.7 (25/02/2004)
- Implemented TLS 1.1 (and also obsoleted the TLS 1.0 CBC protection hack).
- Some updates in the documentation.

Revision 1.13 / (download) - annotate - [select for diffs], Wed Feb 25 18:27:33 2004 UTC (19 years, 1 month ago) by minskim
Branch: MAIN
Changes since 1.12: +3 -1 lines
Diff to previous 1.12 (colored)

Enable pkgviews installation.

Revision 1.12 / (download) - annotate - [select for diffs], Wed Feb 25 15:53:17 2004 UTC (19 years, 1 month ago) by minskim
Branch: MAIN
Changes since 1.11: +2 -1 lines
Diff to previous 1.11 (colored)

Bump PKGREVISION due to the update of libgcrypt.

Revision 1.11 / (download) - annotate - [select for diffs], Sat Feb 14 17:21:50 2004 UTC (19 years, 1 month ago) by jlam
Branch: MAIN
Changes since 1.10: +1 -3 lines
Diff to previous 1.10 (colored)

LIBTOOL_OVERRIDE and SHLIBTOOL_OVERRIDE are now lists of shell globs
relative to ${WRKSRC}.  Remove redundant LIBTOOL_OVERRIDE settings that
are automatically handled by the default setting in bsd.pkg.mk.

Revision 1.10 / (download) - annotate - [select for diffs], Tue Feb 10 00:20:29 2004 UTC (19 years, 1 month ago) by jlam
Branch: MAIN
Changes since 1.9: +8 -9 lines
Diff to previous 1.9 (colored)

bl3ify

Revision 1.9 / (download) - annotate - [select for diffs], Mon Jan 12 22:57:38 2004 UTC (19 years, 2 months ago) by xtraeme
Branch: MAIN
Changes since 1.8: +2 -4 lines
Diff to previous 1.8 (colored)

Update to 1.0.4

Version 1.0.4 (04/01/2004)

- Changed handshake behaviour to send the lowest TLS version
  when an unsupported version was advertized. The current behaviour
  is to send the maximum version we support.
- certtool no longer asks the password in unencrypted private
  keys.
- The source is now compiled to use the reentrant libc functions.

Revision 1.8 / (download) - annotate - [select for diffs], Mon Dec 22 23:08:03 2003 UTC (19 years, 3 months ago) by jmmv
Branch: MAIN
Changes since 1.7: +2 -2 lines
Diff to previous 1.7 (colored)

Update to 1.0.3:

- Corrected bug in gnutls_bye() which made it return an error code
  of INVALID_REQUEST instead of success.
- Corrected a bug in the GNUTLS_KEY key usage definitions.

Revision 1.7 / (download) - annotate - [select for diffs], Sun Dec 21 10:17:30 2003 UTC (19 years, 3 months ago) by xtraeme
Branch: MAIN
Changes since 1.6: +3 -2 lines
Diff to previous 1.6 (colored)

Update to 1.0.2, this also closes PR pkg/23766.

Changes:

	o Corrected a bug in the RSA key generation. This was
	  generating unusable RSA keys.

Revision 1.6 / (download) - annotate - [select for diffs], Thu Dec 18 06:04:10 2003 UTC (19 years, 3 months ago) by xtraeme
Branch: MAIN
Changes since 1.5: +2 -2 lines
Diff to previous 1.5 (colored)

Update to 1.0.1 from Min Sik Kim PR pkg/23754.

Changes since 1.0.0:

- Some minor fixes in the makefiles. They now include CFLAGS
  from libgcrypt or opencdk if installed in a non standard directory.
- Fixed the SRP detection test in gnutls-cli-debug.
- Added gnutls_rsa_params_export_pkcs1() and
  gnutls_rsa_params_import_pkcs1().

Revision 1.5 / (download) - annotate - [select for diffs], Sat Dec 6 00:52:21 2003 UTC (19 years, 3 months ago) by xtraeme
Branch: MAIN
Changes since 1.4: +5 -7 lines
Diff to previous 1.4 (colored)

Updated to 1.0.0, provided by Min Sik Kim PR pkg/23661.

Changes:

- Exported the static SRP group parameters.
- Some fixes in the certificate authenticated SRP ciphersuites.
- Improved the support for draft-ietf-tls-srp-05. The two-phase
  handshake is now fully supported without any interaction with
  the application layer (except for a callback).
- Some fixes in the openpgp authentication.
- Removed the Twofish cipher.
- The openssl compatibility layer was moved to gnutls-openssl
  library instead of being included in the gnutls-extra library.
- Added the RIPEMD ciphersuites defined in draft-ietf-tls-openpgp-keys-04.
- Building with openpgp support is now mandatory.
- gnutls4 compatibility header is no longer included by default in
  gnutls.h.
- gnutls8 function usage yelds a deprecation warning in gcc3.
- gnutls_x509_*_set_dn_by_oid() and gnutls_x509_*_get_*_dn_by_oid()
  functions have a raw_flag parameter added.
- The certtool utility can now generate PKCS #12 structures
  without specifying a certificate.
- Added capability to read CRLs to certtool.
- Corrected some functions which return GNUTLS_E_SHORT_MEMORY_BUFFER
  to properly set the required buffer size.
- Corrected a bug in libgcrypt detection.

And more...

Revision 1.4 / (download) - annotate - [select for diffs], Sat Oct 18 08:10:57 2003 UTC (19 years, 5 months ago) by jmmv
Branch: MAIN
CVS Tags: pkgsrc-2003Q4-base, pkgsrc-2003Q4
Changes since 1.3: +7 -2 lines
Diff to previous 1.3 (colored)

Make this package use the libtasn library that comes with it, instead of our
own security/libtasn1 package, which is too new to work fine with gnutls.
While here, add missing dependency on devel/zlib.
Fixes PR pkg/23172; reviewed by wiz@.  Bump PKGREVISION to 1.

Revision 1.3 / (download) - annotate - [select for diffs], Thu Jul 17 22:52:55 2003 UTC (19 years, 8 months ago) by grant
Branch: MAIN
Changes since 1.2: +2 -2 lines
Diff to previous 1.2 (colored)

s/netbsd.org/NetBSD.org/

Revision 1.2 / (download) - annotate - [select for diffs], Mon Jun 2 01:17:18 2003 UTC (19 years, 9 months ago) by jschauma
Branch: MAIN
Changes since 1.1: +2 -2 lines
Diff to previous 1.1 (colored)

Use tech-pkg@ in favor of packages@ as MAINTAINER for orphaned packages.
Should anybody feel like they could be the maintainer for any of thewe packages,
please adjust.

Revision 1.1.1.1 / (download) - annotate - [select for diffs] (vendor branch), Wed May 14 03:46:44 2003 UTC (19 years, 10 months ago) by salo
Branch: TNF
CVS Tags: pkgsrc-base
Changes since 1.1: +0 -0 lines
Diff to previous 1.1 (colored)

Import of gnutls-0.8.7: GNU Transport Layer Security library.

GnuTLS is a portable ANSI C based library which implements the TLS 1.0 and SSL
3.0 protocols. The library does not include any patented algorithms and is
available under the GNU Lesser GPL license.

Important features of the GnuTLS library include:
- Thread safety
- Support for both TLS 1.0 and SSL 3.0 protocols
- Support for both X.509 and OpenPGP certificates
- Support for basic parsing and verification of certificates
- Support for SRP for TLS authentication
- Support for TLS Extension mechanism
- Support for TLS Compression Methods

Additionaly GnuTLS provides an emulation API for the widely used OpenSSL
library, to ease integration with existing applications.

Package provided by Juan RP via pkgsrc-wip with modifications by me.

Revision 1.1 / (download) - annotate - [select for diffs], Wed May 14 03:46:44 2003 UTC (19 years, 10 months ago) by salo
Branch: MAIN

Initial revision

This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.




CVSweb <webmaster@jp.NetBSD.org>