The NetBSD Project

CVS log for pkgsrc/security/gnutls/

Default branch: MAIN

Revision 1.45, Wed Oct 26 10:31:07 2022 UTC (3 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2022Q4-base, pkgsrc-2022Q4, HEAD
Changes since 1.44: +2 -2 lines

*: bump PKGREVISION for libunistring shlib major bump

Revision 1.44, Tue Jun 28 11:35:35 2022 UTC (7 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2022Q3-base, pkgsrc-2022Q3
Changes since 1.43: +2 -2 lines

*: recursive bump for perl 5.36

Revision 1.43, Thu Mar 17 21:16:25 2022 UTC (10 months, 2 weeks ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2022Q2-base, pkgsrc-2022Q2, pkgsrc-2022Q1-base, pkgsrc-2022Q1
Changes since 1.42: +1 -4 lines

gnutls: updated to 3.7.4

Version 3.7.4 (released 2022-03-17)

** libgnutls: Added support for certificate compression as defined in RFC8879.
** certtool: Added option --compress-cert that allows user to specify compression
   methods for certificate compression.
** libgnutls: GnuTLS can now be compiled with --enable-strict-x509 configure
   option to enforce stricter certificate sanity checks that are compliant
   with RFC5280.
** libgnutls: Removed IA5String type from DirectoryString within issuer
   and subject name to make DirectoryString RFC5280 compliant.
** libgnutls: Added function to retrieve the name of current ciphersuite
   from session.

** API and ABI modifications:
GNUTLS_COMP_BROTLI: New gnutls_compression_method_t enum member
GNUTLS_COMP_ZSTD: New gnutls_compression_method_t enum member
gnutls_compress_certificate_get_selected_method: Added
gnutls_compress_certificate_set_methods: Added

Revision 1.42, Mon Jan 3 12:36:53 2022 UTC (12 months, 4 weeks ago) by wiz
Branch: MAIN
Changes since 1.41: +4 -2 lines

gnutls: add lzo option

Based on PR 56601 by Vladimir Stupin.

Revision 1.41, Wed Sep 29 19:00:12 2021 UTC (16 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2021Q4-base, pkgsrc-2021Q4
Changes since 1.40: +2 -2 lines

revbump for boost-libs

Revision 1.40, Wed Apr 21 13:24:15 2021 UTC (21 months, 1 week ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2021Q3-base, pkgsrc-2021Q3, pkgsrc-2021Q2-base, pkgsrc-2021Q2
Changes since 1.39: +2 -2 lines

revbump for boost-libs

Revision / (download) - annotate - [select for diffs], Tue Jun 9 11:55:34 2020 UTC (2 years, 7 months ago) by bsiegert
Branch: pkgsrc-2020Q1
Changes since 1.36: +7 -1 lines

Pullup ticket #6232 - requested by maya
security/gnutls: security fix

Revisions pulled up:
- security/gnutls/Makefile                                      1.210-1.213
- security/gnutls/PLIST                                         1.70-1.71
- security/gnutls/PLIST.guile                                   1.1
- security/gnutls/                                 1.37
- security/gnutls/distinfo                                      1.143-1.144
- security/gnutls/                                    1.3
- security/gnutls/patches/patch-configure                       1.5

   Module Name:    pkgsrc
   Committed By:   adam
   Date:           Wed Apr  1 08:24:07 UTC 2020

   Modified Files:
           pkgsrc/security/gnutls: Makefile PLIST distinfo
   Added Files:
           pkgsrc/security/gnutls/patches: patch-configure

   Log Message:
   gnutls: updated to 3.6.13

   Version 3.6.13:

   ** libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support), since 3.6.3.
      The DTLS client would not contribute any randomness to the DTLS negotiation,
      breaking the security guarantees of the DTLS protocol
      [GNUTLS-SA-2020-03-31, CVSS: high]

   ** libgnutls: Added new APIs to access KDF algorithms.

   ** libgnutls: Added new callback gnutls_keylog_func that enables a custom
      logging functionality.

   ** libgnutls: Added support for non-null terminated usernames in PSK

   ** gnutls-cli-debug: Improved support for old servers that only support
      SSL 3.0.

   ** API and ABI modifications:
   gnutls_hkdf_extract: Added
   gnutls_hkdf_expand: Added
   gnutls_pbkdf2: Added
   gnutls_session_get_keylog_function: Added
   gnutls_session_set_keylog_function: Added
   gnutls_prf_hash_get: Added
   gnutls_psk_server_get_username2: Added
   gnutls_psk_set_client_credentials2: Added
   gnutls_psk_set_client_credentials_function2: Added
   gnutls_psk_set_server_credentials_function2: Added

   Module Name:    pkgsrc
   Committed By:   nikita
   Date:           Thu May 14 14:30:02 UTC 2020

   Modified Files:
           pkgsrc/security/gnutls: Makefile
   Added Files:
           pkgsrc/security/gnutls: PLIST.guile

   Log Message:
   security/gnutls: revbump, add support for building guile bindings

   Module Name:    pkgsrc
   Committed By:   leot
   Date:           Mon Jun  8 19:48:14 UTC 2020

   Modified Files:
           pkgsrc/security/gnutls: Makefile PLIST distinfo

   Log Message:
   gnutls: Update to 3.6.14

    * libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
      The TLS server would not bind the session ticket encryption key with a
      value supplied by the application until the initial key rotation, allowing
      attacker to bypass authentication in TLS 1.3 and recover previous
      conversations in TLS 1.2 (#1011).
      [GNUTLS-SA-2020-06-03, CVSS: high]

    * libgnutls: Fixed handling of certificate chain with cross-signed
      intermediate CA certificates (#1008).

    * libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997).

    * libgnutls: gnutls_x509_crt_print() is enhanced to recognize commonName
      (, decodes certificate policy OIDs (!1245), and prints Authority
      Key Identifier (AKI) properly (#989, #991).

    * certtool: PKCS #7 attributes are now printed with symbolic names (!1246).

    * libgnutls: Added several improvements on Windows Vista and later releases
      (!1257, !1254, !1256). Most notably the system random number generator now
      uses Windows BCrypt* API if available (!1255).

    * libgnutls: Use accelerated AES-XTS implementation if possible (!1244).
      Also both accelerated and non-accelerated implementations check key block
      according to FIPS-140-2 IG A.9 (!1233).

    * libgnutls: Added support for AES-SIV ciphers (#463).

    * libgnutls: Added support for 192-bit AES-GCM cipher (!1267).

    * libgnutls: No longer use internal symbols exported from Nettle (!1235)

    * API and ABI modifications:
        GNUTLS_CIPHER_AES_128_SIV: Added
        GNUTLS_CIPHER_AES_256_SIV: Added
        GNUTLS_CIPHER_AES_192_GCM: Added
        gnutls_pkcs7_print_signature_info: Added

Revision 1.39, Tue Jun 9 09:53:11 2020 UTC (2 years, 7 months ago) by nia
Branch: MAIN
CVS Tags: pkgsrc-2021Q1-base, pkgsrc-2021Q1, pkgsrc-2020Q4-base, pkgsrc-2020Q4, pkgsrc-2020Q3-base, pkgsrc-2020Q3, pkgsrc-2020Q2-base, pkgsrc-2020Q2
Changes since 1.38: +5 -3 lines

gnutls: fix detection of build options

Revision 1.38, Fri May 22 10:55:50 2020 UTC (2 years, 8 months ago) by adam
Branch: MAIN
Changes since 1.37: +2 -2 lines

revbump after updating security/nettle

Revision 1.37, Thu May 14 14:30:02 2020 UTC (2 years, 8 months ago) by nikita
Branch: MAIN
Changes since 1.36: +7 -1 lines

security/gnutls: revbump, add support for building guile bindings

Revision 1.36, Sun Mar 8 16:48:06 2020 UTC (2 years, 10 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2020Q1-base
Branch point for: pkgsrc-2020Q1
Changes since 1.35: +2 -2 lines

*: recursive bump for libffi

Revision 1.35, Sat Jul 20 22:46:04 2019 UTC (3 years, 6 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2019Q4-base, pkgsrc-2019Q4, pkgsrc-2019Q3-base, pkgsrc-2019Q3
Changes since 1.34: +2 -2 lines

*: recursive bump for nettle 3.5.1

Revision 1.34, Sun Dec 9 20:12:41 2018 UTC (4 years, 1 month ago) by leot
Branch: MAIN
CVS Tags: pkgsrc-2019Q2-base, pkgsrc-2019Q2, pkgsrc-2019Q1-base, pkgsrc-2019Q1, pkgsrc-2018Q4-base, pkgsrc-2018Q4
Changes since 1.33: +2 -1 lines

gnutls: Update security/gnutls to 3.6.5

pkgsrc changes:
- Remove comments regarding bash and tests (bash was added
  unconditionally due to REPLACE_BASH usages)

** libgnutls: Provide the option of transparent re-handshake/reauthentication
   when the GNUTLS_AUTO_REAUTH flag is specified in gnutls_init() (#571).
** libgnutls: Added support for TLS 1.3 zero round-trip (0-RTT) mode (#127)
** libgnutls: The priority functions will ignore and not enable TLS1.3 if
   requested with legacy TLS versions enabled but not TLS1.2. That is because
   if such a priority string is used in the client side (e.g., TLS1.3+TLS1.0 enabled)
   servers which do not support TLS1.3 will negotiate TLS1.2 which will be
   rejected by the client as disabled (#621).
** libgnutls: Change RSA decryption to use a new side-channel silent function.
   This addresses a security issue where memory access patterns as well as timing
   on the underlying Nettle rsa-decrypt function could lead to new Bleichenbacher
   attacks. Side-channel resistant code is slower due to the need to mask
   access and timings. When used in TLS the new functions cause RSA based
   handshakes to be between 13% and 28% slower on average (Numbers are indicative,
   the tests were performed on a relatively modern Intel CPU, results vary
   depending on the CPU and architecture used). This change makes nettle 3.4.1
   the minimum requirement of gnutls (#630). [CVSS: medium]
** libgnutls: gnutls_priority_init() and friends, allow the CTYPE-OPENPGP keyword
   in the priority string. It is only accepted as legacy option and is ignored.
** libgnutls: Added support for EdDSA under PKCS#11 (#417)
** libgnutls: Added support for AES-CFB8 cipher (#357)
** libgnutls: Added support for AES-CMAC MAC (#351)
** libgnutls: In two previous versions GNUTLS_CIPHER_GOST28147_CPB/CPC/CPD_CFB ciphers
   have incorrectly used CryptoPro-A S-BOX instead of proper (CryptoPro-B/-C/-D
   S-BOXes). They are fixed now.
** libgnutls: Added support for GOST key unmasking and unwrapped GOST private
   keys parsing, as specified in R 50.1.112-2016.
** gnutls-serv: It applies the default settings when no --priority option is given,
   using gnutls_set_default_priority().
** p11tool: Fix initialization of security officer's PIN with the --initialize-so-pin
   option (#561)
** certtool: Add parameter --no-text that prevents certtool from outputting
   text before PEM-encoded private key, public key, certificate, CRL or CSR.

** API and ABI modifications:
gnutls_record_get_max_early_data_size: Added
gnutls_record_send_early_data: Added
gnutls_record_recv_early_data: Added
gnutls_db_check_entry_expire_time: Added
gnutls_anti_replay_set_add_function: Added
gnutls_anti_replay_init: Added
gnutls_anti_replay_deinit: Added
gnutls_anti_replay_set_window: Added
gnutls_anti_replay_enable: Added
gnutls_privkey_decrypt_data2: Added

Revision 1.33, Thu Apr 19 22:12:25 2018 UTC (4 years, 9 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2018Q3-base, pkgsrc-2018Q3, pkgsrc-2018Q2-base, pkgsrc-2018Q2
Changes since 1.32: +3 -2 lines

Commit missing part of gnutls recursive bump.

Noted by Patrick Welche.

Revision / (download) - annotate - [select for diffs], Thu Jan 19 19:56:48 2017 UTC (6 years ago) by bsiegert
Branch: pkgsrc-2016Q4
Changes since 1.31: +2 -1 lines

Pullup ticket #5185 (second part) - requested by wiz
security/gnutls: build fix

Revisions pulled up:
- security/gnutls/                                 1.32

   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Wed Jan 11 17:06:52 UTC 2017

   Modified Files:

   Log Message:
   Add libunistring to, it's linked into libgnutls{,xx}.so.

   PR 51830

Revision 1.32, Wed Jan 11 17:06:52 2017 UTC (6 years ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2018Q1-base, pkgsrc-2018Q1, pkgsrc-2017Q4-base, pkgsrc-2017Q4, pkgsrc-2017Q3-base, pkgsrc-2017Q3, pkgsrc-2017Q2-base, pkgsrc-2017Q2, pkgsrc-2017Q1-base, pkgsrc-2017Q1
Changes since 1.31: +2 -1 lines

Add libunistring to, it's linked into libgnutls{,xx}.so.

PR 51830

Revision 1.31, Mon Sep 19 13:02:35 2016 UTC (6 years, 4 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2016Q4-base, pkgsrc-2016Q3-base, pkgsrc-2016Q3
Branch point for: pkgsrc-2016Q4
Changes since 1.30: +2 -2 lines

Remove another obsolete patch.

Revision 1.30, Sun Aug 23 14:30:35 2015 UTC (7 years, 5 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2016Q2-base, pkgsrc-2016Q2, pkgsrc-2016Q1-base, pkgsrc-2016Q1, pkgsrc-2015Q4-base, pkgsrc-2015Q4, pkgsrc-2015Q3-base, pkgsrc-2015Q3
Changes since 1.29: +2 -2 lines

Bump PKGREVISION for nettle shlib major bump.

Revision 1.29, Mon Jun 1 21:50:22 2015 UTC (7 years, 8 months ago) by spz
Branch: MAIN
CVS Tags: pkgsrc-2015Q2-base, pkgsrc-2015Q2
Changes since 1.28: +3 -3 lines

update to gnutls 3.3.15
patch refresh grace of mkpatches

upstream notable changes list since the 3.2 to 3.3 branch point (excerpt
of the NEWS file):

* Version 3.3.15 (released 2015-05-03)

** libgnutls: gnutls_certificate_get_ours: will return the certificate even
if a callback was used to send it.

** libgnutls: Fix for MD5 downgrade in TLS 1.2 signatures. Reported by
Karthikeyan Bhargavan [GNUTLS-SA-2015-2].

** libgnutls: Check for invalid length in the X.509 version field. Without the check
certificates with invalid length would be detected as having an arbitrary
version. Reported by Hanno Böck.

** API and ABI modifications:
No changes since last version.

* Version 3.3.14 (released 2015-03-30)

** libgnutls: When retrieving OCTET STRINGS from PKCS #12 ContentInfo
structures use BER to decode them (requires libtasn1 4.3). That allows
to decode some more complex structures.

** libgnutls: When an end-certificate with no name is present and there
are CA name constraints, don't reject the certificate. This follows RFC5280
advice closely. Reported by Fotis Loukos.

** libgnutls: Fixed handling of supplemental data with types > 255.
Patch by Thierry Quemerais.

** libgnutls: Fixed double free in the parsing of CRL distribution points certificate
extension. Reported by Robert Święcki.

** libgnutls: Fixed a two-byte stack overflow in DTLS 0.9 protocol. That
protocol is not enabled by default (used by openconnect VPN).

** libgnutls: The maximum user data send size is set to be the same for
block and non-block ciphersuites. This addresses a regression with wine:

** libgnutls: When generating PKCS #11 keys, set CKA_ID, CKA_SIGN,
and CKA_DECRYPT when needed.

** libgnutls: Allow names with zero size to be set using
gnutls_server_name_set(). That will disable the Server Name Indication.
Resolves issue with wine:

** API and ABI modifications:
No changes since last version.

* Version 3.3.13 (released 2015-02-25)

** libgnutls: Enable AESNI in GCM on x86

** libgnutls: Fixes in DTLS message handling

** libgnutls: Check certificate algorithm consistency, i.e.,
check whether the signatureAlgorithm field matches the signature
field inside TBSCertificate.

** gnutls-cli: Fixes in OCSP verification.

** API and ABI modifications:
No changes since last version.

* Version 3.3.12 (released 2015-01-17)

** libgnutls: When negotiating TLS use the lowest enabled version in
the client hello, rather than the lowest supported. In addition, do
not use SSL 3.0 as a version in the TLS record layer, unless SSL 3.0
is the only protocol supported. That addresses issues with servers that
immediately drop the connection when they encounter SSL 3.0 as the record
version number. See:

** libgnutls: Corrected encoding and decoding of ANSI X9.62 parameters.

** libgnutls: Handle zero length plaintext for VIA PadLock functions.
This solves a potential crash on AES encryption for small size plaintext.
Patch by Matthias-Christian Ott.

** libgnutls: In DTLS don't combine multiple packets which exceed MTU.
Reported by Andreas Schultz.

** libgnutls: In DTLS decode all handshake packets present in a record
packet, in a single pass. Reported by Andreas Schultz.

** libgnutls: When importing a CA file with a PKCS #11 URL, simply
import the certificates, if the URL specifies objects, rather than
treating it as trust module.

** libgnutls: When importing a PKCS #11 URL and we know the type of
object we are importing, don't require the object type in the URL.

** libgnutls: fixed openpgp authentication when gnutls_certificate_set_retrieve_function2
was used by the server.

** guile: Fix compilation on MinGW. Previously only the static version of the
'guile-gnutls-v-2' library would be built, preventing dynamic loading from Guile.

** guile: Fix harmless warning during compilation of gnutls.scm
Initially reported at <>.

** certtool: --pubkey-info will also attempt to load a public key
from stdin.

** gnutls-cli: Added --starttls-proto option. That allows to specify a
protocol for starttls negotiation.

** API and ABI modifications:
No changes since last version.

* Version 3.3.11 (released 2014-12-11)

** libgnutls: Corrected regression introduced in 3.3.9 related to
session renegotiation. Reported by Dan Winship.

** libgnutls: Corrected parsing issue with OCSP responses.

** API and ABI modifications:
No changes since last version.

* Version 3.3.10 (released 2014-11-10)

** libgnutls: Refuse to import v1 or v2 certificates that contain

** libgnutls: Fixes in usage of PKCS #11 token callback

** libgnutls: Fixed bug in gnutls_x509_trust_list_get_issuer() when used
with a PKCS #11 trust module and without the GNUTLS_TL_GET_COPY flag.
Reported by David Woodhouse.

** libgnutls: Removed superfluous random generator refresh on every call
of gnutls_deinit(). That reduces load and usage of /dev/urandom.

** libgnutls: Corrected issue in export of ECC parameters to X9.63 format.
Reported by Sean Burford [GNUTLS-SA-2014-5].

** libgnutls: When gnutls_global_init() is called for a second time, it
will check whether the /dev/urandom fd kept is still open and matches
the original one. That behavior works around issues with servers that
close all file descriptors.

** libgnutls: Corrected behavior with PKCS #11 objects that are marked

** certtool: The default cipher for PKCS #12 structures is 3des-pkcs12.
That option is more compatible than AES or RC4.

** API and ABI modifications:
No changes since last version.

* Version 3.3.9 (released 2014-10-13)

** libgnutls: Fixes in the transparent import of PKCS #11 certificates.
Reported by Joseph Peruski.

** libgnutls: Fixed issue with unexpected non-fatal errors resetting the
handshake's hash buffer, in applications using the heartbeat extension
or DTLS. Reported by Joeri de Ruiter.

** libgnutls: When both a trust module and additional CAs are present
account the latter as well; reported by David Woodhouse.

** libgnutls: added GNUTLS_TL_GET_COPY flag for
gnutls_x509_trust_list_get_issuer(). That allows the function to be used
in a thread safe way when PKCS #11 trust modules are in use.

** libgnutls: fix issue in DTLS retransmission when session tickets
were in use; reported by Manuel Pégourié-Gonnard.

** libgnutls-dane: Do not require the CA on a ca match to be direct CA.

** libgnutls: Prevent abort() in library if getrusage() fails. Try to
detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work.

** guile: new 'set-session-server-name!' procedure; see the manual for

** certtool: The authority key identifier will be set in a certificate only
if the CA's subject key identifier is set.

** API and ABI modifications:
No changes since last version.

* Version 3.3.8 (released 2014-09-18)

** libgnutls: Updates in the name constraints checks. No name constraints
will be checked for intermediate certificates. As our support for name
constraints is limited to e-mail addresses in DNS names, it is pointless
to check them on intermediate certificates.

** libgnutls: Fixed issues in PKCS #11 object listing. Previously multiple
object listing would fail completely if a single object could not be exported.

** libgnutls: Improved the performance of PKCS #11 object listing/retrieving,
by retrieving them in large batches. Report and suggestion by David

** libgnutls: Fixed issue with certificates being sanitized by gnutls prior
to signature verification. That resulted in certain non-DER compliant modifications
of valid certificates, being corrected by libtasn1's parser and restructured as
the original. Issue found and reported by Antti Karjalainen and Matti Kamunen from

** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle
strings with embedded spaces and escaped commas.

** libgnutls: when comparing a CA certificate with the trusted list compare
the name and key only instead of the whole certificate. That is to handle
cases where a CA certificate was superseded by a different one with the same
name and the same key.

** libgnutls: when verifying a certificate against a p11-kit trusted
module, use the attached extensions in the module to override the CA's
extensions (that requires p11-kit 0.20.7).

** libgnutls: In DTLS prevent sending zero-size fragments in certain cases
of MTU split. Reported by Manuel Pégourié-Gonnard.

** libgnutls: Added gnutls_x509_trust_list_verify_crt2() which allows
verifying using a hostname and a purpose (extended key usage). That
enhances PKCS #11 trust module verification, as it can now check the purpose
when this function is used.

** libgnutls: Corrected gnutls_x509_crl_verify() which would always report
a CRL signature as invalid. Reported by Armin Burgmeier.

** libgnutls: added option --disable-padlock to allow disabling the padlock
CPU acceleration.

** p11tool: when listing tokens, list their type as well.

** p11tool: when listing objects from a trust module print any attached
extensions on certificates.

** API and ABI modifications:
gnutls_x509_crq_get_extension_by_oid2: Added
gnutls_x509_crt_get_extension_by_oid2: Added
gnutls_x509_trust_list_verify_crt2: Added
gnutls_x509_ext_print: Added
gnutls_x509_ext_deinit: Added
gnutls_x509_othername_to_virtual: Added
gnutls_pkcs11_obj_get_exts: Added

* Version 3.3.7 (released 2014-08-24)

** libgnutls: Added function to export the public key of a PKCS #11
private key. Contributed by Wolfgang Meyer zu Bergsten.

** libgnutls: Explicitly set the exponent in PKCS #11 key generation.
That improves compatibility with certain PKCS #11 modules. Contributed by
Wolfgang Meyer zu Bergsten.

** libgnutls: When generating a PKCS #11 private key allow setting
the WRAP/UNWRAP flags. Contributed by Wolfgang Meyer zu Bergsten.

** libgnutls: gnutls_pkcs11_privkey_t will always hold an open session
to the key.

** libgnutls: bundle replacements of inet_pton and inet_aton if not

** libgnutls: initialize parameters variable on PKCS #8 decryption.

** libgnutls: gnutls_pkcs12_verify_mac() will not fail in other than SHA1

** libgnutls: gnutls_x509_crt_check_hostname() will follow the RFC6125
requirement of checking the Common Name (CN) part of DN only if there is
a single CN present in the certificate.

** libgnutls: The environment variable GNUTLS_FORCE_FIPS_MODE can be used
to force the FIPS mode, when set to 1.

** libgnutls: In DTLS ignore only errors that relate to unexpected packets
and decryption failures.

** p11tool: Added --info parameter.

** certtool: Added --mark-wrap parameter.

** danetool: --check will attempt to retrieve the server's certificate
chain and verify against it.

** danetool/gnutls-cli-debug: Added --app-proto parameters which can
be used to enforce starttls (currently only SMTP and IMAP) on the connection.

** danetool: Added openssl linking exception, to allow linking
with libunbound.

** API and ABI modifications:
gnutls_pkcs11_privkey_export_pubkey: Added
gnutls_pkcs11_obj_flags_get_str: Added
gnutls_pkcs11_obj_get_flags: Added

* Version 3.3.6 (released 2014-07-23)

** libgnutls: Use inet_ntop to print IP addresses when available

** libgnutls: gnutls_x509_crt_check_hostname and friends will also check
IP addresses, and match documented behavior. Reported by David Woodhouse.

** libgnutls: DSA key generation in FIPS140-2 mode doesn't allow 1024
bit parameters.

** libgnutls: fixed issue in gnutls_pkcs11_reinit() which prevented tokens
being usable after a reinitialization.

** libgnutls: fixed PKCS #11 private key operations after a fork.

** libgnutls: fixed PKCS #11 ECDSA key generation.

** libgnutls: The GNUTLS_CPUID_OVERRIDE environment variable can be used to
explicitly enable/disable the use of certain CPU capabilities. Note that CPU
detection cannot be overridden, i.e., VIA options cannot be enabled on an Intel
CPU. The currently available options are:
  0x1: Disable all run-time detected optimizations
  0x2: Enable AES-NI
  0x4: Enable SSSE3
  0x8: Enable PCLMUL
  0x100000: Enable VIA padlock
  0x200000: Enable VIA PHE
  0x400000: Enable VIA PHE SHA512

** libdane: added dane_query_to_raw_tlsa(); patch by Simon Arlott.

** p11tool: use GNUTLS_SO_PIN to read the security officer's PIN if set.

** p11tool: ask for label when one isn't provided.

** p11tool: added --batch parameter to disable any interactivity.

** p11tool: will not implicitly enable so-login for certain types of
objects. That avoids issues with tokens that require different login

** certtool/p11tool: Added the --curve parameter which allows to explicitly
specify the curve to use.

** API and ABI modifications:
gnutls_certificate_set_x509_trust_dir: Added
gnutls_x509_trust_list_add_trust_dir: Added

* Version 3.3.5 (released 2014-06-26)

** libgnutls: Added gnutls_record_recv_packet() and gnutls_packet_deinit().
These functions provide a variant of gnutls_record_recv() that avoids
the final memcpy of data.

** libgnutls: gnutls_x509_crl_iter_crt_serial() was added as a
faster variant of gnutls_x509_crl_get_crt_serial() when coping with
very large structures.

** libgnutls: When the decoding of a printable DN element fails, then treat
it as unknown and print its hex value rather than failing. That works around
an issue in a TURKTRST root certificate which improperly encodes the
X520countryName element.

** libgnutls: gnutls_x509_trust_list_add_trust_file() will return the number
of certificates present in a PKCS #11 token when loading it.

** libgnutls: Allow the post client hello callback to put the handshake on

** certtool: option --to-p12 will now consider --load-ca-certificate

** certtool: Added option to specify the PKCS #12 friendly name on command

** p11tool: Allow marking a certificate copied to a token as a CA.

** API and ABI modifications:
gnutls_x509_crl_iter_deinit: Added
gnutls_x509_crl_iter_crt_serial: Added
gnutls_record_recv_packet: Added
gnutls_packet_deinit: Added
gnutls_packet_get: Added

* Version 3.3.4 (released 2014-05-31)

** libgnutls: Updated Andy Polyakov's assembly code. That prevents a
crash on certain CPUs.

** API and ABI modifications:
No changes since last version.

* Version 3.3.3 (released 2014-05-30)

** libgnutls: Eliminated memory corruption issue in Server Hello parsing.
Issue reported by Joonas Kuorilehto of Codenomicon.

** libgnutls: gnutls_global_set_mutex() was modified to operate with the
new initialization process.

** libgnutls: Increased the maximum certificate size buffer
in the PKCS #11 subsystem.

** libgnutls: Check the return code of getpwuid_r() instead of relying
on the result value. That avoids issue in certain systems, when using
tofu authentication and the home path cannot be determined. Issue reported
by Viktor Dukhovni.

** libgnutls-dane: Improved dane_verify_session_crt(), which now attempts to
create a full chain. This addresses points from

** gnutls-cli: --dane will only check the end certificate if PKIX validation
has been disabled.

** gnutls-cli: --benchmark-soft-ciphers has been removed. That option cannot
be emulated with the implicit initialization of gnutls.

** certtool: Allow multiple organizations and organizational unit names to
be specified in a template.

** certtool: Warn when invalid configuration options are set to a template.

** ocsptool: Include path in ocsp request. This resolves #108582
(, reported by Matt McCutchen.

** API and ABI modifications:
gnutls_credentials_get: Added

* Version 3.3.2 (released 2014-05-06)

** libgnutls: Added the 'very weak' certificate verification profile
that corresponds to 64-bit security level.

** libgnutls: Corrected file descriptor leak on random generator

** libgnutls: Corrected file descriptor leak on PSK password file
reading. Issue identified using the Codenomicon TLS test suite.

** libgnutls: Avoid deinitialization if initialization has failed.

** libgnutls: null-terminate othername alternative names.

** libgnutls: gnutls_x509_trust_list_get_issuer() will operate correctly
on a PKCS #11 trust list.

** libgnutls: Several small bug fixes identified using valgrind and
the Codenomicon TLS test suite.

** libgnutls-dane: Accept a certificate using DANE if there is at least one
entry that matches the certificate. Patch by simon [at]

** libgnutls-guile: Fixed compilation issue.

** certtool: Allow exporting a CRL on DER format.

** certtool: The ECDSA keys generated by default use the SECP256R1 curve
which is supported more widely than the previously used SECP224R1.

** API and ABI modifications:

* Version 3.3.1 (released 2014-04-19)

** libgnutls: Enforce more strict checks to heartbeat messages
concerning padding and payload. Suggested by Peter Dettman.

** libgnutls: Allow decoding PKCS #8 files with ECC parameters
from openssl.

** libgnutls: Several small bug fixes found by coverity.

** libgnutls: The conditionally available self-test functions
were moved to self-test.h.

** libgnutls: Fixed issue with the check of incoming data when two
different recv and send pointers have been specified. Reported and
investigated by JMRecio.

** libgnutls: Fixed issue in the RSA-PSK key exchange, which would
result in illegal memory access if a server hint was provided. Reported
by André Klitzing.

** libgnutls: Fixed client memory leak in the PSK key exchange, if a
server hint was provided.

** libgnutls: Corrected the *get_*_othername_oid() functions.

** API and ABI modifications:
No changes since last version.

* Version 3.3.0 (released 2014-04-10)

** libgnutls: The initialization of the library was moved to a
constructor. That is, gnutls_global_init() is no longer required
unless linking with a static library or a system that does not
support library constructors.

** libgnutls: static libraries are not built by default.

** libgnutls: PKCS #11 initialization is delayed to first usage.
That avoids long delays in gnutls initialization due to broken PKCS #11

** libgnutls: The PKCS #11 subsystem is re-initialized "automatically"
on the first PKCS #11 API call after a fork.

** libgnutls: certificate verification profiles were introduced
that can be specified as flags to verification functions. They
are enumerations in gnutls_certificate_verification_profiles_t
and can be converted to flags for use in a verification function

** libgnutls: Added the ability to read system-specific initial
keywords, if they are prefixed with '@'. That allows a compile-time
specified configuration file to be used to read pre-configured priority
strings from. That can be used to impose system specific policies.

** libgnutls: Increased the default security level of priority
strings (NORMAL and PFS strings require at minimum a 1008 DH prime),
and set a verification profile by default.  The LEGACY keyword is
introduced to set the old defaults.

** libgnutls: Added support for the name constraints PKIX extension.
Currently only DNS names and e-mails are supported (no URIs, IPs
or DNs).

** libgnutls: Security parameter SEC_PARAM_NORMAL was renamed to
SEC_PARAM_MEDIUM to avoid confusion with the priority string NORMAL.

** libgnutls: Added new API in x509-ext.h to handle X.509 extensions.
This API handles the X.509 extensions in isolation, allowing to parse
similarly formatted extensions stored in other structures.

** libgnutls: When generating DSA keys the macro GNUTLS_SUBGROUP_TO_BITS
can be used to specify a particular subgroup as the number of bits in
gnutls_privkey_generate; e.g., GNUTLS_SUBGROUP_TO_BITS(2048, 256).

** libgnutls: DH parameter generation is now delegated to nettle.
That unfortunately has the side-effect that DH parameters longer than
3072 bits, cannot be generated (not without a nettle update).

** libgnutls: Separated nonce RNG from the main RNG. The nonce
random number generator is based on salsa20/12.

** libgnutls: The buffer alignment provided to crypto backend is
enforced to be 16-byte aligned, when compiled with cryptodev
support. That allows certain cryptodev drivers to operate more

** libgnutls: Return error when a public/private key pair that doesn't
match is set into a credentials structure.

** libgnutls: Depend on p11-kit 0.20.0 or later.

** libgnutls: The new padding (%NEW_PADDING) experimental TLS extension has
been removed. It was not approved by IETF.

** libgnutls: The experimental xssl library is removed from the gnutls

** libgnutls: Reduced the number of gnulib modules used in the main library.

** libgnutls: Added priority string %DISABLE_WILDCARDS.

** libgnutls: Added the more extensible verification function
gnutls_certificate_verify_peers(), that allows checking, in addition
to a peer's DNS hostname, for the key purpose of the end certificate
(via PKIX extended key usage).

** certtool: Timestamps for serial numbers were increased to 8 bytes,
and in batch mode to 12 (appended with 4 random bytes).

** certtool: When no CRL number is provided (or value set to -1), then
a time-based number will be used, similarly to the serial generation
number in certificates.

** certtool: Print the SHA256 fingerprint of a certificate in addition
to SHA1.

** libgnutls: Added --enable-fips140-mode configuration option (unsupported).
That option enables (when running on FIPS140-enabled system):
 o RSA, DSA and DH key generation as in FIPS-186-4 (using provable primes)
 o The DRBG-CTR-AES256 deterministic random generator from SP800-90A.
 o Self-tests on initialization on ciphers/MACs, public key algorithms
   and the random generator.
 o HMAC-SHA256 verification of the library on load.
 o MD5 is included for TLS purposes but cannot be used by the high level
   hashing functions.
 o All ciphers except AES are disabled.
 o All MACs and hashes except GCM and SHA are disabled (e.g., HMAC-MD5).
 o All keys (temporal and long term) are zeroized after use.
 o Security levels are adjusted to the FIPS140-2 recommendations (rather
   than ECRYPT).

** API and ABI modifications:
gnutls_certificate_verify_peers: Added
gnutls_privkey_generate: Added
gnutls_pkcs11_crt_is_known: Added
gnutls_fips140_mode_enabled: Added
gnutls_sec_param_to_symmetric_bits: Added
gnutls_pubkey_export_ecc_x962: Added (replaces gnutls_pubkey_get_pk_ecc_x962)
gnutls_pubkey_export_ecc_raw: Added (replaces gnutls_pubkey_get_pk_ecc_raw)
gnutls_pubkey_export_dsa_raw: Added (replaces gnutls_pubkey_get_pk_dsa_raw)
gnutls_pubkey_export_rsa_raw: Added (replaces gnutls_pubkey_get_pk_rsa_raw)
gnutls_pubkey_verify_params: Added
gnutls_privkey_export_ecc_raw: Added
gnutls_privkey_export_dsa_raw: Added
gnutls_privkey_export_rsa_raw: Added
gnutls_privkey_import_ecc_raw: Added
gnutls_privkey_import_dsa_raw: Added
gnutls_privkey_import_rsa_raw: Added
gnutls_privkey_verify_params: Added
gnutls_x509_crt_check_hostname2: Added
gnutls_openpgp_crt_check_hostname2: Added
gnutls_x509_name_constraints_init: Added
gnutls_x509_name_constraints_deinit: Added
gnutls_x509_crt_get_name_constraints: Added
gnutls_x509_name_constraints_add_permitted: Added
gnutls_x509_name_constraints_add_excluded: Added
gnutls_x509_crt_set_name_constraints: Added
gnutls_x509_name_constraints_get_permitted: Added
gnutls_x509_name_constraints_get_excluded: Added
gnutls_x509_name_constraints_check: Added
gnutls_x509_name_constraints_check_crt: Added
gnutls_x509_crl_get_extension_data2: Added
gnutls_x509_crt_get_extension_data2: Added
gnutls_x509_crq_get_extension_data2: Added
gnutls_subject_alt_names_init: Added
gnutls_subject_alt_names_deinit: Added
gnutls_subject_alt_names_get: Added
gnutls_subject_alt_names_set: Added
gnutls_x509_ext_import_subject_alt_names: Added
gnutls_x509_ext_export_subject_alt_names: Added
gnutls_x509_crl_dist_points_init: Added
gnutls_x509_crl_dist_points_deinit: Added
gnutls_x509_crl_dist_points_get: Added
gnutls_x509_crl_dist_points_set: Added
gnutls_x509_ext_import_crl_dist_points: Added
gnutls_x509_ext_export_crl_dist_points: Added
gnutls_x509_ext_import_name_constraints: Added
gnutls_x509_ext_export_name_constraints: Added
gnutls_x509_aia_init: Added
gnutls_x509_aia_deinit: Added
gnutls_x509_aia_get: Added
gnutls_x509_aia_set: Added
gnutls_x509_ext_import_aia: Added
gnutls_x509_ext_export_aia: Added
gnutls_x509_ext_import_subject_key_id: Added
gnutls_x509_ext_export_subject_key_id: Added
gnutls_x509_ext_export_authority_key_id: Added
gnutls_x509_ext_import_authority_key_id: Added
gnutls_x509_aki_init: Added
gnutls_x509_aki_get_id: Added
gnutls_x509_aki_get_cert_issuer: Added
gnutls_x509_aki_set_id: Added
gnutls_x509_aki_set_cert_issuer: Added
gnutls_x509_aki_deinit: Added
gnutls_x509_ext_import_private_key_usage_period: Added
gnutls_x509_ext_export_private_key_usage_period: Added
gnutls_x509_ext_import_basic_constraints: Added
gnutls_x509_ext_export_basic_constraints: Added
gnutls_x509_ext_import_key_usage: Added
gnutls_x509_ext_export_key_usage: Added
gnutls_x509_ext_import_proxy: Added
gnutls_x509_ext_export_proxy: Added
gnutls_x509_policies_init: Added
gnutls_x509_policies_deinit: Added
gnutls_x509_policies_get: Added
gnutls_x509_policies_set: Added
gnutls_x509_ext_import_policies: Added
gnutls_x509_ext_export_policies: Added
gnutls_x509_key_purpose_init: Added
gnutls_x509_key_purpose_deinit: Added
gnutls_x509_key_purpose_set: Added
gnutls_x509_key_purpose_get: Added
gnutls_x509_ext_import_key_purposes: Added
gnutls_x509_ext_export_key_purposes: Added
gnutls_digest_self_test: Added (conditionally)
gnutls_mac_self_test: Added (conditionally)
gnutls_pk_self_test: Added (conditionally)
gnutls_cipher_self_test: Added (conditionally)
gnutls_global_set_mem_functions: Deprecated

Revision 1.28 / (download) - annotate - [select for diffs], Mon Jul 2 18:53:02 2012 UTC (10 years, 7 months ago) by drochner
Branch: MAIN
CVS Tags: pkgsrc-2015Q1-base, pkgsrc-2015Q1, pkgsrc-2014Q4-base, pkgsrc-2014Q4, pkgsrc-2014Q3-base, pkgsrc-2014Q3, pkgsrc-2014Q2-base, pkgsrc-2014Q2, pkgsrc-2014Q1-base, pkgsrc-2014Q1, pkgsrc-2013Q4-base, pkgsrc-2013Q4, pkgsrc-2013Q3-base, pkgsrc-2013Q3, pkgsrc-2013Q2-base, pkgsrc-2013Q2, pkgsrc-2013Q1-base, pkgsrc-2013Q1, pkgsrc-2012Q4-base, pkgsrc-2012Q4, pkgsrc-2012Q3-base, pkgsrc-2012Q3
Changes since 1.27: +2 -2 lines
Diff to previous 1.27 (colored)

update to 3.0.20
This switches to the new stable release branch.

Revision 1.27 / (download) - annotate - [select for diffs], Mon Jul 11 16:10:29 2011 UTC (11 years, 6 months ago) by drochner
Branch: MAIN
CVS Tags: pkgsrc-2012Q2-base, pkgsrc-2012Q2, pkgsrc-2012Q1-base, pkgsrc-2012Q1, pkgsrc-2011Q4-base, pkgsrc-2011Q4, pkgsrc-2011Q3-base, pkgsrc-2011Q3
Changes since 1.26: +1 -2 lines
Diff to previous 1.26 (colored)

update to 2.12.7
-minor feature additions
pkgsrc change: since the pkg was changed to build against "nettle"
instead of libgcrypt (whether this was a good idea or not...), the
latter isn't needed anymore, so remove the stale dependency
This can cause build breakage -- in this case addition of a local
dependency should restore the old state. (This dependency is technically
unnecessary often, but the assumption that gnutls needs libgcrypt
is sometimes hardwired in configure scripts and/or code.)

Revision 1.26 / (download) - annotate - [select for diffs], Wed Apr 27 07:19:06 2011 UTC (11 years, 9 months ago) by obache
Branch: MAIN
CVS Tags: pkgsrc-2011Q2-base, pkgsrc-2011Q2
Changes since 1.25: +2 -1 lines
Diff to previous 1.25 (colored)

need to buildlink with security/nettle.
fixes PR#44909.

Revision 1.25 / (download) - annotate - [select for diffs], Tue Apr 26 10:35:29 2011 UTC (11 years, 9 months ago) by adam
Branch: MAIN
Changes since 1.24: +3 -3 lines
Diff to previous 1.24 (colored)

Changes 2.12.3:
* libgnutls: Several minor bugfixes.
* libgnutls: Restored HMAC-MD5 for compatibility. Although considered weak,
  several sites require it for connection. It is enabled for "NORMAL" and
  "PERFORMANCE" priority strings.
* libgnutls: depend on libdl.
* libgnutls: gnutls_transport_set_global_errno() was deprecated. Use your
  system's errno facility or gnutls_transport_set_errno().
* gnutls-cli: Correction with usage of select to check for pending data in
  gnutls sessions. It now uses gnutls_record_check_pending().
* tests: More fixes and updates for win32. Patches by LRN.
* libgnutls: Several files unnecessarily included <gcrypt.h>; this has been
** API and ABI modifications: gnutls_transport_set_global_errno: DEPRECATED

Changes 2.12.2:
* libgnutls: Several updates and fixes for win32. Patches by LRN.
* libgnutls: Several bug and memory leak fixes.
* srptool: Accepts the -d option to enable debugging.
* libgnutls: Corrected bug in gnutls_srp_verifier() that prevented the
  allocation of a verifier. Reported by Andrew Wiseman.

Changes 2.12.1:
* certtool: Generated certificate request with stricter permissions.
* libgnutls: Bug fixes in opencdk code. Reported by Vitaly Kruglikov.
* libgnutls: Corrected windows system_errno() function prototype.
* libgnutls: C++ compatibility fix for compat.h. Reported by Mark Brand.
* libgnutls: Fix size of gnutls_openpgp_keyid_t by using the
  GNUTLS_OPENPGP_KEYID_SIZE definition. Reported by Andreas Metzler.

Revision 1.24 / (download) - annotate - [select for diffs], Fri Apr 22 13:42:00 2011 UTC (11 years, 9 months ago) by obache
Branch: MAIN
Changes since 1.23: +2 -2 lines
Diff to previous 1.23 (colored)

recursive bump from gettext-lib shlib bump.

Revision 1.23 / (download) - annotate - [select for diffs], Wed Sep 1 16:32:17 2010 UTC (12 years, 5 months ago) by drochner
Branch: MAIN
CVS Tags: pkgsrc-2011Q1-base, pkgsrc-2011Q1, pkgsrc-2010Q4-base, pkgsrc-2010Q4, pkgsrc-2010Q3-base, pkgsrc-2010Q3
Changes since 1.22: +1 -2 lines
Diff to previous 1.22 (colored)

update to 2.10.1
many fixes and API extensions, but still binary compatible afaict

Revision 1.22 / (download) - annotate - [select for diffs], Fri Mar 20 19:25:17 2009 UTC (13 years, 10 months ago) by joerg
Branch: MAIN
CVS Tags: pkgsrc-2010Q2-base, pkgsrc-2010Q2, pkgsrc-2010Q1-base, pkgsrc-2010Q1, pkgsrc-2009Q4-base, pkgsrc-2009Q4, pkgsrc-2009Q3-base, pkgsrc-2009Q3, pkgsrc-2009Q2-base, pkgsrc-2009Q2, pkgsrc-2009Q1-base, pkgsrc-2009Q1
Changes since 1.21: +6 -13 lines
Diff to previous 1.21 (colored)

Simplify and speed up files and processing.
This changes the files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each file adds a pair of
enter/exit markers, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.

Revision 1.21 / (download) - annotate - [select for diffs], Thu Mar 6 14:52:12 2008 UTC (14 years, 11 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2008Q4-base, pkgsrc-2008Q4, pkgsrc-2008Q3-base, pkgsrc-2008Q3, pkgsrc-2008Q2-base, pkgsrc-2008Q2, pkgsrc-2008Q1-base, pkgsrc-2008Q1, cwrapper, cube-native-xorg-base, cube-native-xorg
Changes since 1.20: +2 -2 lines
Diff to previous 1.20 (colored)

Update to 2.2.2:

* Version 2.2.2 (released 2008-02-21)

** Cipher priority string handling now handles strings that start with NULL.
Thanks to Laurence Withers.

** Corrected memory leaks in session resuming and DHE ciphersuites. Reported
by Daniel Stenberg.

** Increased the default certificate verification chain limits and allowed
for checks without limitation.

** Corrected the behaviour of gnutls_x509_crt_get_subject_alt_name()
and gnutls_x509_crt_get_subject_alt_name() to not null terminate binary
strings and return the proper size.

** API and ABI modifications:
No changes since last version.

* Version 2.2.1 (released 2008-01-17)

** Prevent linking libextra against previously installed libgnutls.
Tiny patch from "Alon Bar-Lev" <>, see

** Fixes the post_client_hello_function(). The extensions are now parsed
in a callback friendly way.

** Fix for certificate selection in servers with certificate callbacks.

** API and ABI modifications:
No changes since last version.

* Version 2.2.0 (released 2007-12-14)

Major changes compared to the v2.0 branch:

* SRP support aligned with newly published RFC 5054.

* OpenPGP support aligned with newly published RFC 5081.

* Support for DSA2 keys.

* Support for Camellia cipher.

* Support for Opaque PRF Input extension.

* PKCS#8 parser now handles DSA keys.

* Change from GPLv2 to GPLv3 for command-line tools, libgnutls-extra,
etc.  Notice that liblzo2 2.02 is licensed under GPLv2 only.  Earlier
versions, such as 2.01 which is included with GnuTLS, are available under
GPLv2 or later.  If this incompatibility causes problems, we recommend
you to disable LZO using --without-lzo.  LZO compression is not a
standard TLS compression algorithm, so the impact should be minimal.

* Functions for disabling record protocol padding.
Works around bugs on Nokia/Ericsson phones.

* New functions gnutls_priority_set() for setting cipher priorities easily.
Priorities like "COMPAT" also enable other workarounds, such as
disabling padding.

* Other minor improvements and bug fixes.

Minor changes compared to the latest v2.1.8 release candidate:

* Update internal copy of libtasn1 to version 1.2.

* Certtool --verify-chain now handles inputs larger than 64kb.
This fixes the self-test "rsa-md5-collision" under MinGW+Wine with
recent versions of libgcrypt.  The problem was that Wine with the
libgcrypt RNG generates huge amounts of debugging output.

* Translation updates.
Added Dutch translation.  Updated Polish and Swedish translation.

Backwards incompatible API/ABI changes in GnuTLS 2.2

To adapt to changes in the TLS extension specifications for OpenPGP
and SRP, the GnuTLS API had to be modified.  This means breaking the
API and ABI backwards compatibility.  That is something we try to
avoid unless it is necessary.  We decided to also remove the already
deprecated stub functions for X.509 to XML conversion and TLS
authorization (see below) when we had the opportunity.

Generally, most applications do not need to be modified.  Just
re-compile them against the latest GnuTLS release, and it should work

Applications that use the OpenPGP or SRP features need to be
modified.  Below is a list of the modified APIs and discussion of what
the minimal things you need to modify in your application to make it
work with GnuTLS 2.2.

Note that GnuTLS 2.2 also introduces new APIs -- such as
gnutls_set_priority() that is superior to
gnutls_set_default_priority() -- that you may want to start using.
However, using those new APIs is not required to use GnuTLS 2.2 since
the old functions are still supported.  This text only
discusses what you minimally have to modify.

XML related changes

The function `gnutls_x509_crt_to_xml' has been removed.  It has been
deprecated and only returned an error code since GnuTLS version
1.2.11.  Nobody has complained, so users don't seem to miss the
functionality.  We don't know of any other library to convert X.509
certificates into XML format, but we decided (long ago) that GnuTLS
isn't the right place for this kind of functionality.  If you want
help to find some other library to use here, please explain and
discuss your use case on help-gnutls <at>

TLS Authorization related changes

Everything related to TLS authorizations has been removed, they were
only stub functions that returned an error code:


SRP related changes

The callback gnutls_srp_client_credentials_function has a new
prototype, and its semantic has changed.  You need to rewrite the
callback, see the updated function documentation and SRP example code
(doc/examples/ex-client-srp.c and doc/examples/ex-serv-srp.c) for more

GNUTLS_A_UNKNOWN_SRP_USERNAME are no longer used by the SRP
specification, instead the GNUTLS_A_UNKNOWN_PSK_IDENTITY alert is
used.  There are #define's to map the old names to the new.  You may
run into problems if you have a switch-case with cases for both SRP
alerts, since they are now mapped to the same value.  The solution is
to drop the SRP alerts from such switch cases, as they are now
deprecated in favor of GNUTLS_A_UNKNOWN_PSK_IDENTITY.

OpenPGP related changes

The function `gnutls_certificate_set_openpgp_keyserver' has been
removed.  There is no replacement functionality inside GnuTLS.  If you
need keyserver functionality, consider using the GnuPG tools.

All functions, types, and error codes related to OpenPGP trustdb
format have been removed.  The trustdb format is a non-standard
GnuPG-specific format, and we recommend you to use key rings instead.
The following have been removed:

The following functions have an added parameter of the (new) type
`gnutls_openpgp_crt_fmt_t'.  The type specifies the format of the data
(binary or base64).  The functions are:

To improve terminology and align with the X.509 interface, some
functions have been renamed.  Compatibility mappings exist.  The old
and new names of the affected functions and types are:

        Old name                                New name
 gnutls_openpgp_key_t                    gnutls_openpgp_crt_t
 gnutls_openpgp_key_fmt_t                gnutls_openpgp_crt_fmt_t
 gnutls_openpgp_key_status_t             gnutls_openpgp_crt_status_t
 gnutls_openpgp_key_init                 gnutls_openpgp_crt_init
 gnutls_openpgp_key_deinit               gnutls_openpgp_crt_deinit
 gnutls_openpgp_key_import               gnutls_openpgp_crt_import
 gnutls_openpgp_key_export               gnutls_openpgp_crt_export
 gnutls_openpgp_key_get_key_usage        gnutls_openpgp_crt_get_key_usage
 gnutls_openpgp_key_get_fingerprint      gnutls_openpgp_crt_get_fingerprint
 gnutls_openpgp_key_get_pk_algorithm     gnutls_openpgp_crt_get_pk_algorithm
 gnutls_openpgp_key_get_name             gnutls_openpgp_crt_get_name
 gnutls_openpgp_key_get_version          gnutls_openpgp_crt_get_version
 gnutls_openpgp_key_get_creation_time    gnutls_openpgp_crt_get_creation_time
 gnutls_openpgp_key_get_expiration_time  gnutls_openpgp_crt_get_expiration_time
 gnutls_openpgp_key_get_id               gnutls_openpgp_crt_get_id
 gnutls_openpgp_key_check_hostname       gnutls_openpgp_crt_check_hostname
 gnutls_openpgp_send_key                 gnutls_openpgp_send_cert

* Version 2.0.0 (released 2007-09-04)

The following changes have been made since GnuTLS 1.6:

* Support for external RSA/DSA signing for TLS client authentication.
  This allows you to secure the private key better, for example by using
  privilege-separation techniques between the private key and the
  network client/server.

* Support for signing X.509 certificates using RSA with SHA-256/384/512.

* Experimental support for TLS 1.2 (disabled by default).  The TLS 1.2
  specification is not finalized yet, but we implement a draft version
  for testing.

* Support for X.509 Proxy Certificates (RFC 3820)

* Support for Supplemental handshakes messages (RFC 4680).

* Support for TLS authorization extension (draft-housley-tls-authz-extns-07).

* Support for the X.509 'otherName' Subject Alternative Names (for XMPP).

* Guile bindings for GnuTLS have been added, thanks to Ludovic Courtes.

* Improve logic of gnutls_set_default_priority() which can now be more

* New APIs to enumerate supported algorithms in the library.

* New APIs to access X.509 Certificate extension sequentially.

* New APIs to print X.509 Certificates and CRLs in human readable formats.

* New APIs to extract X.509 Distinguished Names from certificates.

* New APIs to handle pathLenConstraint in X.509 Basic Constraints.

* Certtool can export more than one certificate to PKCS#12.

* Several message translation improvements.

* Instructions and improvements to easily set up a HTTPS test server.

* Included copies updated to Libtasn1 1.1 and OpenCDK 0.6.4.

* Build improvements for Windows, Mac OS X, uClinux, etc.

* GnuTLS is now developed in GIT.

* Improved manual

* Many bugfixes and minor improvements.

Revision 1.20 / (download) - annotate - [select for diffs], Thu Jan 31 01:04:26 2008 UTC (15 years ago) by reed
Branch: MAIN
Changes since 1.19: +2 -2 lines
Diff to previous 1.19 (colored)

Increase the BUILDLINK_API_DEPENDS.gnutls to at least gnutls>=1.2.6
which is still very old.

This fixes problem where building something depending on gnutls
when old gnutls is already installed using liblzo won't buildlink
because lzo is not installed. This forces a newer gnutls to be
installed that uses lzo instead.

Revision 1.19 / (download) - annotate - [select for diffs], Wed Sep 5 21:51:21 2007 UTC (15 years, 5 months ago) by drochner
Branch: MAIN
CVS Tags: pkgsrc-2007Q4-base, pkgsrc-2007Q4, pkgsrc-2007Q3-base, pkgsrc-2007Q3
Changes since 1.18: +2 -2 lines
Diff to previous 1.18 (colored)

update to 2.0.0
While an update to a .0 version is somehow risky, it finishes the
unfortunate state that the pkgsrc gnutls didn't work with the pkgsrc
opencdk, which I wouldn't like to go into the next stable branch.
Release candidates have worked for me, and there is some time left
before the Q3 branch, so I'm confident.
* Support for external RSA/DSA signing for TLS client authentication
* many X.509 enhancements
* Support for Supplemental handshakes messages (RFC 4680)
* Support for TLS authorization extension (draft-housley-tls-authz-extns-07)
* Improve logic of gnutls_set_default_priority()
* New APIs to enumerate supported algorithms in the library
* Certtool can export more than one certificate to PKCS#12
* Several message translation improvements
* Improved manual
* Many bugfixes and minor improvements

Revision 1.18 / (download) - annotate - [select for diffs], Wed Jun 6 06:23:59 2007 UTC (15 years, 8 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2007Q2-base, pkgsrc-2007Q2
Changes since 1.17: +2 -2 lines
Diff to previous 1.17 (colored)

Use included opencdk for now, opencdk-0.6.x is not compatible with
gnutls-1.6.x (the stable branch).

No further PKGREVISION bumps necessary, because opencdk caused recursive
PKGREVISION bumps and afterwards gnutls wouldn't build.

Addresses PR pkg/36448.

Revision 1.17 / (download) - annotate - [select for diffs], Tue Jun 5 05:36:59 2007 UTC (15 years, 8 months ago) by wiz
Branch: MAIN
Changes since 1.16: +2 -2 lines
Diff to previous 1.16 (colored)

opencdk shlib major changed; bump ABI depends and PKGREVISIONs of
affected packages.

Revision 1.16 / (download) - annotate - [select for diffs], Sat Jul 8 23:11:06 2006 UTC (16 years, 6 months ago) by jlam
Branch: MAIN
CVS Tags: pkgsrc-2007Q1-base, pkgsrc-2007Q1, pkgsrc-2006Q4-base, pkgsrc-2006Q4, pkgsrc-2006Q3-base, pkgsrc-2006Q3
Changes since 1.15: +2 -2 lines
Diff to previous 1.15 (colored)

Change the format of BUILDLINK_ORDER to contain depth information as well,
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the files included as well as the depth at
which they are included.

For example, "make show-buildlink3" in fonts/Xft2 displays:


Revision 1.15 / (download) - annotate - [select for diffs], Sat Jul 8 22:39:36 2006 UTC (16 years, 6 months ago) by jlam
Branch: MAIN
Changes since 1.14: +2 -1 lines
Diff to previous 1.14 (colored)

Track information in a new variable BUILDLINK_ORDER that informs us
of the order in which files are (recursively) included
by a package Makefile.

Revision 1.14 / (download) - annotate - [select for diffs], Thu Apr 6 06:22:38 2006 UTC (16 years, 10 months ago) by reed
Branch: MAIN
CVS Tags: pkgsrc-2006Q2-base, pkgsrc-2006Q2
Changes since 1.13: +3 -3 lines
Diff to previous 1.13 (colored)

Over 1200 files touched but no revisions bumped :)

RECOMMENDED is removed. It becomes ABI_DEPENDS. becomes becomes

BUILDLINK_DEPENDS does not change.

IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".

Added to checking for IGNORE_RECOMMENDED.

I did not manually go through and fix any aesthetic tab/spacing issues.

I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.

I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.

As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.

As discussed on tech-pkg.

I will commit to revbump, pkglint, pkg_install, createbuildlink separately.

Note that if you use wip, it will fail!  I will commit to pkgsrc-wip
later (within day).

Revision 1.13 / (download) - annotate - [select for diffs], Mon Mar 6 00:18:10 2006 UTC (16 years, 11 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2006Q1-base, pkgsrc-2006Q1
Changes since 1.12: +2 -2 lines
Diff to previous 1.12 (colored)

Belatedly bump PKGREVISION for all libtasn1 dependencies, since
libtasn1 had a shlib major bump.
Also update dependencies in files.

Addresses PR 32998 by Robert Elz.

Revision 1.12 / (download) - annotate - [select for diffs], Sun Feb 5 23:10:43 2006 UTC (16 years, 11 months ago) by joerg
Branch: MAIN
Changes since 1.11: +2 -2 lines
Diff to previous 1.11 (colored)

Recursive revision bump / recommended bump for gettext ABI change.

Revision 1.11 / (download) - annotate - [select for diffs], Fri Jan 20 21:14:04 2006 UTC (17 years ago) by adam
Branch: MAIN
Changes since 1.10: +2 -2 lines
Diff to previous 1.10 (colored)

Changes 1.3.3:
** New API to access the TLS master secret.
When possible, you should use the TLS PRF functions instead.

** Improved handling when multiple libraries use GnuTLS at the same time.
Now gnutls_global_init() can be called multiple times, and
gnutls_global_deinit() will only deallocate the structure when it has
been called as many times as gnutls_global_init() was called.

** Added a self test of TLS resume functionality.

** Fix crash in TLS resume code, caused by TLS/IA changes.

** Add 'const' keywords in various places, from Frediano ZIGLIO.

** The code was indented again, including the external header files.

** API and ABI modifications:
New functions to retrieve the master secret value:

Add a 'const' keyword to existing API:

Revision 1.10 / (download) - annotate - [select for diffs], Sat Dec 31 11:20:11 2005 UTC (17 years, 1 month ago) by wiz
Branch: MAIN
Changes since 1.9: +2 -2 lines
Diff to previous 1.9 (colored)

Update to 1.3.2 bumped library major version -- bump BUILDLINK_RECOMMENDED.

Revision 1.9 / (download) - annotate - [select for diffs], Mon Sep 5 07:34:05 2005 UTC (17 years, 5 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2005Q4-base, pkgsrc-2005Q4, pkgsrc-2005Q3-base, pkgsrc-2005Q3
Changes since 1.8: +3 -2 lines
Diff to previous 1.8 (colored)

matches Makefile now

Revision / (download) - annotate - [select for diffs], Mon May 2 20:14:06 2005 UTC (17 years, 9 months ago) by salo
Branch: pkgsrc-2005Q1
Changes since 1.7: +2 -2 lines
Diff to previous 1.7 (colored) next main 1.8 (colored)

Pullup ticket 479 - requested by Thomas Klausner
security update for gnutls

Revisions pulled up:
- pkgsrc/security/gnutls/Makefile		1.26, 1.28
- pkgsrc/security/gnutls/PLIST			1.13-1.14
- pkgsrc/security/gnutls/		1.8
- pkgsrc/security/gnutls/distinfo		1.15-1.16
- pkgsrc/security/gnutls/patches/patch-aa	removed

   Module Name:		pkgsrc
   Committed By:	wiz
   Date:		Fri Apr  8 15:50:41 UTC 2005

   Modified Files:
	pkgsrc/security/gnutls: Makefile PLIST distinfo
   Removed Files:
	pkgsrc/security/gnutls/patches: patch-aa

   Log Message:
   Update to 1.2.1:
   * Version 1.2.1 (2005-04-04)
   - gnutls_bye() will no longer fail when RDWR is used and application
     data are available for reading.
   - Added more strict checks for the SRP parameters (g,n), when they
     are not in the included list.
   - Added warning to certtool when MD5 is being used for digital
   - Optimizations ("-O2 -finline-functions") are not enabled by default,
     instead the standard autoconf defaults are used.  Use `./configure
     CFLAGS="-O2 -finline-functions"' to get the old optimizations.
   - Added the option --get-dh-params to certtool, in order to get the
     included in the library primes and generators.
   - Improved the semantics of GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, to
     allow only trusted Version 1 CAs and introduced
     GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT which has the old semantics.
   - Nettle self tests now build properly, reported by Pierre
   - Eliminated some memory leaks in DHE and RSA-EXPORT cipher suites.
     Reported by Yoann Vandoorselaere
   - Added the functions:
       gnutls_x509_crq_set_attribute_by_oid() and
   - If the library has been compiled with features disabled, a warning is
     issued during the compilation of any program.
   Module Name:		pkgsrc
   Committed By:	wiz
   Date:		Mon May  2 12:59:24 UTC 2005

   Modified Files:
   	pkgsrc/security/gnutls: Makefile PLIST distinfo

   Log Message:
   Update to 1.2.3:

   * Version 1.2.3
   - Corrected bug in record packet parsing that could lead
     to a denial of service attack.
   - Corrected bug in RSA key export. Previously exported keys
     can be fixed using certtool. Use certtool -k <infile >outfile
   - API and ABI modifications:
       gnutls_x509_privkey_fix(): Add.

   * Version 1.2.2 (2005-04-25)
   - gnutls_error_to_alert() now considers
   - Fixed error in session resuming that could cause a crash in
     a session.
   - Fixed pkcs12 friendly name and local key identifier decoding.
   - Internal cleanups, removed duplicate typedef/struct definitions,
     and made source code include external include file, to check
     function prototypes during compile time.
   - API and ABI modifications:
     No changes since last version.  At least not intentional, but due
     to the include header changes, there may be inadvertent changes,
     please let us know if you find any.
   Module Name:		pkgsrc
   Committed By:	salo
   Date:		Mon May  2 19:48:37 UTC 2005

   Modified Files:

   Log Message:
   Bump BUILDLINK_RECOMMENDED after latest security update. (hi wiz!)

Revision 1.8 / (download) - annotate - [select for diffs], Mon May 2 19:48:37 2005 UTC (17 years, 9 months ago) by salo
Branch: MAIN
CVS Tags: pkgsrc-2005Q2-base, pkgsrc-2005Q2
Changes since 1.7: +2 -2 lines
Diff to previous 1.7 (colored)

Bump BUILDLINK_RECOMMENDED after latest security update. (hi wiz!)

Revision 1.7 / (download) - annotate - [select for diffs], Sun Oct 3 00:18:08 2004 UTC (18 years, 4 months ago) by tv
Branch: MAIN
CVS Tags: pkgsrc-2005Q1-base, pkgsrc-2004Q4-base, pkgsrc-2004Q4
Branch point for: pkgsrc-2005Q1
Changes since 1.6: +2 -1 lines
Diff to previous 1.6 (colored)

Libtool fix for PR pkg/26633, and other issues.  Update libtool to 1.5.10
in the process.  (More information on tech-pkg.)

Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.

Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.

Revision 1.6 / (download) - annotate - [select for diffs], Sat May 22 10:17:47 2004 UTC (18 years, 8 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2004Q3-base, pkgsrc-2004Q3, pkgsrc-2004Q2-base, pkgsrc-2004Q2
Changes since 1.5: +2 -2 lines
Diff to previous 1.5 (colored)

Shared library major version change, so has to be updated, right?

Revision 1.5 / (download) - annotate - [select for diffs], Thu Mar 18 09:12:14 2004 UTC (18 years, 10 months ago) by jlam
Branch: MAIN
CVS Tags: pkgsrc-2004Q1-base, pkgsrc-2004Q1
Changes since 1.4: +2 -3 lines
Diff to previous 1.4 (colored)

Fix serious bug where BUILDLINK_PACKAGES wasn't being ordered properly
by moving the inclusion of files outside of the protected
region.  This bug would be seen by users that have set PREFER_PKGSRC
or PREFER_NATIVE to non-default values.

BUILDLINK_PACKAGES should be ordered so that for any package in the
list, that package doesn't depend on any packages to the left of it
in the list.  This ordering property is used to check for builtin
packages in the correct order.  The problem was that including a file for <pkg> correctly ensured that <pkg> was removed
from BUILDLINK_PACKAGES and appended to the end.  However, since the
inclusion of any other files within that
was in a region that was protected against multiple inclusion, those
dependencies weren't also moved to the end of BUILDLINK_PACKAGES.

Revision 1.4 / (download) - annotate - [select for diffs], Tue Mar 16 17:58:01 2004 UTC (18 years, 10 months ago) by jlam
Branch: MAIN
Changes since 1.3: +2 -2 lines
Diff to previous 1.3 (colored)

BUILDLINK_DEPENDS.<pkg> should be appended to, not set.

Revision 1.3 / (download) - annotate - [select for diffs], Fri Mar 5 19:25:39 2004 UTC (18 years, 11 months ago) by jlam
Branch: MAIN
Changes since 1.2: +12 -9 lines
Diff to previous 1.2 (colored)

Reorder location and setting of BUILDLINK_PACKAGES to match template file in revision 1.101 of

Revision 1.2 / (download) - annotate - [select for diffs], Mon Mar 1 15:14:45 2004 UTC (18 years, 11 months ago) by jmmv
Branch: MAIN
Changes since 1.1: +2 -2 lines
Diff to previous 1.1 (colored)

Update to 1.0.8.  Changes since 1.0.6:

Version 1.0.8 (28/02/2004)
- Corrected bug in mutual certificate authentication in SSL 3.0.
- Several other minor bugfixes.

Version 1.0.7 (25/02/2004)
- Implemented TLS 1.1 (and also obsoleted the TLS 1.0 CBC protection hack).
- Some updates in the documentation.

Revision 1.1 / (download) - annotate - [select for diffs], Tue Feb 10 00:21:28 2004 UTC (18 years, 11 months ago) by jlam
Branch: MAIN

file for security/gnutls (used by mail/dovecot).
