head 1.161; access; symbols pkgsrc-2023Q4:1.159.0.2 pkgsrc-2023Q4-base:1.159 pkgsrc-2023Q3:1.158.0.2 pkgsrc-2023Q3-base:1.158 pkgsrc-2023Q2:1.157.0.4 pkgsrc-2023Q2-base:1.157 pkgsrc-2023Q1:1.157.0.2 pkgsrc-2023Q1-base:1.157 pkgsrc-2022Q4:1.156.0.2 pkgsrc-2022Q4-base:1.156 pkgsrc-2022Q3:1.155.0.2 pkgsrc-2022Q3-base:1.155 pkgsrc-2022Q2:1.154.0.2 pkgsrc-2022Q2-base:1.154 pkgsrc-2022Q1:1.152.0.2 pkgsrc-2022Q1-base:1.152 pkgsrc-2021Q4:1.150.0.2 pkgsrc-2021Q4-base:1.150 pkgsrc-2021Q3:1.148.0.4 pkgsrc-2021Q3-base:1.148 pkgsrc-2021Q2:1.148.0.2 pkgsrc-2021Q2-base:1.148 pkgsrc-2021Q1:1.147.0.2 pkgsrc-2021Q1-base:1.147 pkgsrc-2020Q4:1.146.0.2 pkgsrc-2020Q4-base:1.146 pkgsrc-2020Q3:1.145.0.2 pkgsrc-2020Q3-base:1.145 pkgsrc-2020Q2:1.144.0.2 pkgsrc-2020Q2-base:1.144 pkgsrc-2020Q1:1.142.0.2 pkgsrc-2020Q1-base:1.142 pkgsrc-2019Q4:1.141.0.4 pkgsrc-2019Q4-base:1.141 pkgsrc-2019Q3:1.139.0.2 pkgsrc-2019Q3-base:1.139 pkgsrc-2019Q2:1.134.0.4 pkgsrc-2019Q2-base:1.134 pkgsrc-2019Q1:1.134.0.2 pkgsrc-2019Q1-base:1.134 pkgsrc-2018Q4:1.132.0.2 pkgsrc-2018Q4-base:1.132 pkgsrc-2018Q3:1.130.0.2 pkgsrc-2018Q3-base:1.130 pkgsrc-2018Q2:1.128.0.10 pkgsrc-2018Q2-base:1.128 pkgsrc-2018Q1:1.128.0.8 pkgsrc-2018Q1-base:1.128 pkgsrc-2017Q4:1.128.0.6 pkgsrc-2017Q4-base:1.128 pkgsrc-2017Q3:1.128.0.4 pkgsrc-2017Q3-base:1.128 pkgsrc-2017Q2:1.126.0.2 pkgsrc-2017Q2-base:1.126 pkgsrc-2017Q1:1.123.0.2 pkgsrc-2017Q1-base:1.123 pkgsrc-2016Q4:1.121.0.4 pkgsrc-2016Q4-base:1.121 pkgsrc-2016Q3:1.121.0.2 pkgsrc-2016Q3-base:1.121 pkgsrc-2016Q2:1.118.0.6 pkgsrc-2016Q2-base:1.118 pkgsrc-2016Q1:1.118.0.4 pkgsrc-2016Q1-base:1.118 pkgsrc-2015Q4:1.118.0.2 pkgsrc-2015Q4-base:1.118 pkgsrc-2015Q3:1.117.0.2 pkgsrc-2015Q3-base:1.117 pkgsrc-2015Q2:1.115.0.2 pkgsrc-2015Q2-base:1.115 pkgsrc-2015Q1:1.112.0.2 pkgsrc-2015Q1-base:1.112 pkgsrc-2014Q4:1.110.0.2 pkgsrc-2014Q4-base:1.110 pkgsrc-2014Q3:1.107.0.2 pkgsrc-2014Q3-base:1.107 pkgsrc-2014Q2:1.106.0.2 pkgsrc-2014Q2-base:1.106 pkgsrc-2014Q1:1.105.0.2 pkgsrc-2014Q1-base:1.105 pkgsrc-2013Q4:1.100.0.2 pkgsrc-2013Q4-base:1.100 pkgsrc-2013Q3:1.96.0.2 pkgsrc-2013Q3-base:1.96 pkgsrc-2013Q2:1.93.0.2 pkgsrc-2013Q2-base:1.93 pkgsrc-2013Q1:1.92.0.2 pkgsrc-2013Q1-base:1.92 pkgsrc-2012Q4:1.91.0.2 pkgsrc-2012Q4-base:1.91 pkgsrc-2012Q3:1.89.0.2 pkgsrc-2012Q3-base:1.89 pkgsrc-2012Q2:1.84.0.2 pkgsrc-2012Q2-base:1.84 pkgsrc-2012Q1:1.82.0.2 pkgsrc-2012Q1-base:1.82 pkgsrc-2011Q4:1.80.0.2 pkgsrc-2011Q4-base:1.80 pkgsrc-2011Q3:1.77.0.2 pkgsrc-2011Q3-base:1.77 pkgsrc-2011Q2:1.73.0.2 pkgsrc-2011Q2-base:1.73 pkgsrc-2011Q1:1.70.0.2 pkgsrc-2011Q1-base:1.70 pkgsrc-2010Q4:1.68.0.2 pkgsrc-2010Q4-base:1.68 pkgsrc-2010Q3:1.64.0.2 pkgsrc-2010Q3-base:1.64 pkgsrc-2010Q2:1.63.0.2 pkgsrc-2010Q2-base:1.63 pkgsrc-2010Q1:1.62.0.4 pkgsrc-2010Q1-base:1.62 pkgsrc-2009Q4:1.62.0.2 pkgsrc-2009Q4-base:1.62 pkgsrc-2009Q3:1.60.0.2 pkgsrc-2009Q3-base:1.60 pkgsrc-2009Q2:1.57.0.2 pkgsrc-2009Q2-base:1.57 pkgsrc-2009Q1:1.52.0.2 pkgsrc-2009Q1-base:1.52 pkgsrc-2008Q4:1.51.0.2 pkgsrc-2008Q4-base:1.51 pkgsrc-2008Q3:1.46.0.2 pkgsrc-2008Q3-base:1.46 cube-native-xorg:1.45.0.2 cube-native-xorg-base:1.45 pkgsrc-2008Q2:1.44.0.4 pkgsrc-2008Q2-base:1.44 cwrapper:1.44.0.2 pkgsrc-2008Q1:1.43.0.2 pkgsrc-2008Q1-base:1.43 pkgsrc-2007Q4:1.42.0.2 pkgsrc-2007Q4-base:1.42 pkgsrc-2007Q3:1.38.0.2 pkgsrc-2007Q3-base:1.38 pkgsrc-2007Q2:1.36.0.2 pkgsrc-2007Q2-base:1.36 pkgsrc-2007Q1:1.34.0.2 pkgsrc-2007Q1-base:1.34 pkgsrc-2006Q4:1.32.0.2 pkgsrc-2006Q4-base:1.32 pkgsrc-2006Q3:1.31.0.2 pkgsrc-2006Q3-base:1.31 pkgsrc-2006Q2:1.28.0.2 pkgsrc-2006Q2-base:1.28 pkgsrc-2006Q1:1.27.0.2 pkgsrc-2006Q1-base:1.27 pkgsrc-2005Q4:1.22.0.2 pkgsrc-2005Q4-base:1.22 pkgsrc-2005Q3:1.19.0.2 pkgsrc-2005Q3-base:1.19 pkgsrc-2005Q2:1.17.0.2 pkgsrc-2005Q2-base:1.17 pkgsrc-2005Q1:1.13.0.2 pkgsrc-2005Q1-base:1.13 pkgsrc-2004Q4:1.11.0.2 pkgsrc-2004Q4-base:1.11 pkgsrc-2004Q3:1.9.0.2 pkgsrc-2004Q3-base:1.9 pkgsrc-2004Q2:1.8.0.2 pkgsrc-2004Q2-base:1.8 pkgsrc-2004Q1:1.7.0.2 pkgsrc-2004Q1-base:1.7 pkgsrc-2003Q4:1.1.1.1.0.2 pkgsrc-2003Q4-base:1.1.1.1 pkgsrc-base:1.1.1.1 TNF:1.1.1; locks; strict; comment @# @; 1.161 date 2024.03.21.06.08.38; author adam; state Exp; branches; next 1.160; commitid jL1LL4XUzrKVuZ2F; 1.160 date 2024.01.17.20.23.05; author adam; state Exp; branches; next 1.159; commitid I7jOmDHXA3KChQUE; 1.159 date 2023.11.16.12.31.11; author adam; state Exp; branches; next 1.158; commitid mIYACufYfs7mFPME; 1.158 date 2023.08.08.09.33.54; author adam; state Exp; branches; next 1.157; commitid zr9ax6xnfL5jTXzE; 1.157 date 2023.02.14.16.45.21; author wiz; state Exp; branches; next 1.156; commitid xiuwL2k6iIryUvdE; 1.156 date 2022.09.28.13.25.57; author adam; state Exp; branches; next 1.155; commitid UG6y4aM2kF7chDVD; 1.155 date 2022.07.29.08.04.47; author adam; state Exp; branches; next 1.154; commitid DtGN3gVNg12usLND; 1.154 date 2022.05.28.06.03.42; author adam; state Exp; branches; next 1.153; commitid rdozQtREs0eAMMFD; 1.153 date 2022.05.18.18.26.14; author adam; state Exp; branches; next 1.152; commitid AL7dfe7wdZi9dzED; 1.152 date 2022.03.17.21.16.25; author adam; state Exp; branches; next 1.151; commitid wNm5Y60YF9Bf9CwD; 1.151 date 2022.01.19.21.11.11; author adam; state Exp; branches; next 1.150; commitid xPxOmV0GditKWhpD; 1.150 date 2021.10.26.11.17.06; author nia; state Exp; branches; next 1.149; commitid PNswNV9GDLZeojeD; 1.149 date 2021.10.07.14.53.50; author nia; state Exp; branches; next 1.148; commitid nfjKlj1wTplMcTbD; 1.148 date 2021.05.31.11.08.45; author wiz; state Exp; branches; next 1.147; commitid MEfXenshmClI6iVC; 1.147 date 2021.03.14.07.58.20; author wiz; state Exp; branches; next 1.146; commitid eeJe8EHLhOqOyfLC; 1.146 date 2020.12.03.12.27.38; author nia; state Exp; branches; next 1.145; commitid vol67hC5mphtiiyC; 1.145 date 2020.09.07.15.47.15; author leot; state Exp; branches; next 1.144; commitid WTouGfBgiAxnc8nC; 1.144 date 2020.06.08.19.48.14; author leot; state Exp; branches; next 1.143; commitid vsmgw6CDHAkmssbC; 1.143 date 2020.04.01.08.24.07; author adam; state Exp; branches; next 1.142; commitid 7tvs6xUmmfx5RE2C; 1.142 date 2020.02.09.13.56.28; author wiz; state Exp; branches 1.142.2.1; next 1.141; commitid mSC7V0hPUjsIm0WB; 1.141 date 2019.12.06.14.00.08; author nia; state Exp; branches; next 1.140; commitid bRZvfuqYaALWsENB; 1.140 date 2019.10.04.17.25.53; author nia; state Exp; branches; next 1.139; commitid rdCe8hPOVk2MDzFB; 1.139 date 2019.09.30.09.51.16; author maya; state Exp; branches; next 1.138; commitid beVfCSgQIGbCf1FB; 1.138 date 2019.09.16.17.01.46; author nros; state Exp; branches; next 1.137; commitid mWvDJ2SF8xvq5gDB; 1.137 date 2019.09.16.00.28.48; author nia; state Exp; branches; next 1.136; commitid z9ZSRAmG7qGpAaDB; 1.136 date 2019.08.15.15.46.15; author sevan; state Exp; branches; next 1.135; commitid nJlS9Ydq9uZaH8zB; 1.135 date 2019.07.11.14.53.36; author sevan; state Exp; branches; next 1.134; commitid I8VJWDpipJoQwDuB; 1.134 date 2019.03.27.16.46.40; author leot; state Exp; branches; next 1.133; commitid fKw2lJBCWYtNy1hB; 1.133 date 2019.03.20.06.27.11; author adam; state Exp; branches; next 1.132; commitid uSe0PCzv9jhcm4gB; 1.132 date 2018.12.09.20.12.41; author leot; state Exp; branches; next 1.131; commitid WE2KQBAURBQPaa3B; 1.131 date 2018.11.09.18.03.45; author nia; state Exp; branches; next 1.130; commitid jW536Ghc0HpfqiZA; 1.130 date 2018.08.16.11.05.47; author wiz; state Exp; branches 1.130.2.1; next 1.129; commitid S8MF4RVdP0kpQkOA; 1.129 date 2018.07.06.16.15.28; author prlw1; state Exp; branches; next 1.128; commitid pX0TVsJIZAM2S5JA; 1.128 date 2017.09.06.13.41.26; author wiz; state Exp; branches; next 1.127; commitid PEeJenCtPACqL86A; 1.127 date 2017.08.31.10.18.12; author wiz; state Exp; branches; next 1.126; commitid FYpuYoto0y6FPl5A; 1.126 date 2017.06.30.06.15.44; author wiz; state Exp; branches; next 1.125; commitid lgut4RurO8hZtmXz; 1.125 date 2017.05.18.07.54.26; author he; state Exp; branches; next 1.124; commitid zzg6pvVYSIylpQRz; 1.124 date 2017.04.10.10.43.49; author jperkin; state Exp; branches; next 1.123; commitid J53vGvnLl8SrzYMz; 1.123 date 2017.02.26.09.19.56; author adam; state Exp; branches 1.123.2.1; next 1.122; commitid DBvAiNAnMEDiurHz; 1.122 date 2017.01.10.16.23.49; author wiz; state Exp; branches; next 1.121; commitid oznBYfpCrYHklrBz; 1.121 date 2016.09.19.15.32.47; author wiz; state Exp; branches 1.121.4.1; next 1.120; commitid 8BrwxZgEJZOXGUmz; 1.120 date 2016.09.19.13.01.09; author wiz; state Exp; branches; next 1.119; commitid OzClrkvwBrW6RTmz; 1.119 date 2016.09.19.12.33.10; author wiz; state Exp; branches; next 1.118; commitid D5ph752nhR6vHTmz; 1.118 date 2015.11.04.01.17.45; author agc; state Exp; branches; next 1.117; commitid agUNgZr58GM2fIHy; 1.117 date 2015.09.14.00.29.45; author mef; state Exp; branches; next 1.116; commitid OYcCA6rArWiBC9By; 1.116 date 2015.08.14.11.48.55; author wiz; state Exp; branches; next 1.115; commitid FDPnKooniuNpnexy; 1.115 date 2015.06.08.13.44.56; author joerg; state Exp; branches; next 1.114; commitid R33WsquvSyTGaDoy; 1.114 date 2015.06.04.09.43.53; author jperkin; state Exp; branches; next 1.113; commitid V4MmkYAc8aL0Y5oy; 1.113 date 2015.06.01.21.50.22; author spz; state Exp; branches; next 1.112; commitid Ra90IWxW89m24Mny; 1.112 date 2015.02.11.11.25.57; author adam; state Exp; branches 1.112.2.1; next 1.111; commitid 2SOtWZOP4CofaA9y; 1.111 date 2014.12.31.16.05.07; author rumko; state Exp; branches; next 1.110; commitid Wk9KFLuXzuns3d4y; 1.110 date 2014.12.05.12.43.24; author khorben; state Exp; branches; next 1.109; commitid pVENhXVhbxUVLQ0y; 1.109 date 2014.12.05.12.25.42; author khorben; state Exp; branches; next 1.108; commitid UutXe3WelnrTFQ0y; 1.108 date 2014.10.10.11.40.15; author adam; state Exp; branches; next 1.107; commitid w04clIK3yLQceETx; 1.107 date 2014.08.30.12.45.11; author adam; state Exp; branches; next 1.106; commitid Utg65WN4m0IaUnOx; 1.106 date 2014.05.30.13.20.23; author wiz; state Exp; branches; next 1.105; commitid JWha2ElqAMUw3zCx; 1.105 date 2014.03.04.09.34.19; author adam; state Exp; branches 1.105.2.1; next 1.104; commitid 4hRUeMEQn28uBmrx; 1.104 date 2014.02.14.17.24.27; author drochner; state Exp; branches; next 1.103; commitid jjm4UBKiMeywM5px; 1.103 date 2014.02.10.12.01.19; author tron; state Exp; branches; next 1.102; commitid gJkzaIUqxMRo7yox; 1.102 date 2014.01.25.10.59.22; author wiz; state Exp; branches; next 1.101; commitid EfeJwz9q98Rgiumx; 1.101 date 2014.01.16.10.14.09; author wiz; state Exp; branches; next 1.100; commitid WU2cVCi1rsESkklx; 1.100 date 2013.11.29.22.55.29; author wiz; state Exp; branches 1.100.2.1; next 1.99; commitid xBZraJaonYlG5efx; 1.99 date 2013.10.31.14.41.48; author wiz; state Exp; branches; next 1.98; commitid 2HNChqLf71N9isbx; 1.98 date 2013.10.27.23.13.09; author wiz; state Exp; branches; next 1.97; commitid rfbs8AnqLExyfZax; 1.97 date 2013.10.25.09.03.12; author jperkin; state Exp; branches; next 1.96; commitid khbJ8VfzzYfUBEax; 1.96 date 2013.08.01.20.00.59; author adam; state Exp; branches; next 1.95; commitid v4r26f4sRJxSYMZw; 1.95 date 2013.07.15.08.19.15; author wiz; state Exp; branches; next 1.94; commitid zg41usJsurh9ExXw; 1.94 date 2013.07.08.08.30.01; author wiz; state Exp; branches; next 1.93; commitid FpVKBJxGUngNVDWw; 1.93 date 2013.04.10.15.09.10; author drochner; state Exp; branches; next 1.92; 1.92 date 2013.02.12.13.16.25; author drochner; state Exp; branches; next 1.91; 1.91 date 2012.11.06.19.01.36; author drochner; state Exp; branches 1.91.2.1; next 1.90; 1.90 date 2012.10.10.11.44.31; author drochner; state Exp; branches; next 1.89; 1.89 date 2012.08.09.18.58.11; author drochner; state Exp; branches; next 1.88; 1.88 date 2012.08.02.09.37.32; author jperkin; state Exp; branches; next 1.87; 1.87 date 2012.07.24.18.34.06; author drochner; state Exp; branches; next 1.86; 1.86 date 2012.07.02.18.53.02; author drochner; state Exp; branches; next 1.85; 1.85 date 2012.07.02.16.30.01; author drochner; state Exp; branches; next 1.84; 1.84 date 2012.05.30.06.51.37; author adam; state Exp; branches; next 1.83; 1.83 date 2012.04.17.17.53.01; author drochner; state Exp; branches; next 1.82; 1.82 date 2012.03.15.16.41.48; author adam; state Exp; branches; next 1.81; 1.81 date 2012.01.17.14.54.19; author drochner; state Exp; branches; next 1.80; 1.80 date 2011.11.09.18.41.46; author drochner; state Exp; branches; next 1.79; 1.79 date 2011.10.30.18.07.56; author drochner; state Exp; branches; next 1.78; 1.78 date 2011.10.06.17.56.25; author drochner; state Exp; branches; next 1.77; 1.77 date 2011.09.12.17.31.40; author drochner; state Exp; branches; next 1.76; 1.76 date 2011.08.22.15.14.58; author wiz; state Exp; branches; next 1.75; 1.75 date 2011.08.11.11.03.35; author adam; state Exp; branches; next 1.74; 1.74 date 2011.07.11.16.10.29; author drochner; state Exp; branches; next 1.73; 1.73 date 2011.05.02.09.27.43; author obache; state Exp; branches; next 1.72; 1.72 date 2011.04.27.16.56.43; author tnn; state Exp; branches; next 1.71; 1.71 date 2011.04.26.10.35.29; author adam; state Exp; branches; next 1.70; 1.70 date 2011.03.09.10.52.25; author drochner; state Exp; branches; next 1.69; 1.69 date 2011.03.07.13.45.34; author adam; state Exp; branches; next 1.68; 1.68 date 2010.12.13.16.03.20; author tron; state Exp; branches; next 1.67; 1.67 date 2010.12.12.11.58.53; author wiz; state Exp; branches; next 1.66; 1.66 date 2010.11.26.17.56.14; author drochner; state Exp; branches; next 1.65; 1.65 date 2010.10.16.16.43.42; author wiz; state Exp; branches; next 1.64; 1.64 date 2010.09.01.16.32.17; author drochner; state Exp; branches; next 1.63; 1.63 date 2010.04.13.16.31.27; author drochner; state Exp; branches; next 1.62; 1.62 date 2009.11.03.00.15.41; author wiz; state Exp; branches; next 1.61; 1.61 date 2009.10.31.01.16.42; author wiz; state Exp; branches; next 1.60; 1.60 date 2009.08.13.18.56.32; author snj; state Exp; branches; next 1.59; 1.59 date 2009.07.22.16.50.07; author drochner; state Exp; branches; next 1.58; 1.58 date 2009.07.18.10.32.32; author wiz; state Exp; branches; next 1.57; 1.57 date 2009.06.18.10.19.47; author drochner; state Exp; branches 1.57.2.1; next 1.56; 1.56 date 2009.06.17.17.54.46; author drochner; state Exp; branches; next 1.55; 1.55 date 2009.06.09.18.56.37; author wiz; state Exp; branches; next 1.54; 1.54 date 2009.05.02.20.04.33; author tnn; state Exp; branches; next 1.53; 1.53 date 2009.04.20.13.11.57; author wiz; state Exp; branches; next 1.52; 1.52 date 2009.02.21.13.45.31; author wiz; state Exp; branches 1.52.2.1; next 1.51; 1.51 date 2008.12.19.15.43.20; author adam; state Exp; branches; next 1.50; 1.50 date 2008.11.15.23.02.09; author wiz; state Exp; branches; next 1.49; 1.49 date 2008.11.10.17.33.20; author wiz; state Exp; branches; next 1.48; 1.48 date 2008.10.29.11.45.34; author wiz; state Exp; branches; next 1.47; 1.47 date 2008.10.18.11.55.11; author adam; state Exp; branches; next 1.46; 1.46 date 2008.09.27.23.11.37; author tonnerre; state Exp; branches; next 1.45; 1.45 date 2008.07.30.17.17.21; author kefren; state Exp; branches; next 1.44; 1.44 date 2008.05.22.13.18.52; author tnn; state Exp; branches 1.44.4.1; next 1.43; 1.43 date 2008.03.06.14.52.13; author wiz; state Exp; branches 1.43.2.1; next 1.42; 1.42 date 2007.11.25.23.45.16; author wiz; state Exp; branches; next 1.41; 1.41 date 2007.11.11.19.28.27; author wiz; state Exp; branches; next 1.40; 1.40 date 2007.11.03.23.45.56; author rillig; state Exp; branches; next 1.39; 1.39 date 2007.10.23.11.43.56; author wiz; state Exp; branches; next 1.38; 1.38 date 2007.09.14.12.03.37; author joerg; state Exp; branches; next 1.37; 1.37 date 2007.09.05.21.51.21; author drochner; state Exp; branches; next 1.36; 1.36 date 2007.06.01.20.12.45; author wiz; state Exp; branches; next 1.35; 1.35 date 2007.04.20.06.07.16; author wiz; state Exp; branches; next 1.34; 1.34 date 2007.01.24.15.58.04; author tron; state Exp; branches; next 1.33; 1.33 date 2007.01.20.17.38.06; author wiz; state Exp; branches; next 1.32; 1.32 date 2006.11.13.18.15.14; author drochner; state Exp; branches; next 1.31; 1.31 date 2006.09.16.06.21.22; author wiz; state Exp; branches; next 1.30; 1.30 date 2006.09.10.21.12.21; author wiz; state Exp; branches; next 1.29; 1.29 date 2006.07.17.17.02.02; author wiz; state Exp; branches; next 1.28; 1.28 date 2006.05.17.21.50.22; author wiz; state Exp; branches 1.28.2.1; next 1.27; 1.27 date 2006.03.09.17.25.54; author cube; state Exp; branches; next 1.26; 1.26 date 2006.03.04.23.45.07; author wiz; state Exp; branches; next 1.25; 1.25 date 2006.02.10.12.39.25; author drochner; state Exp; branches; next 1.24; 1.24 date 2006.01.20.21.14.04; author adam; state Exp; branches; next 1.23; 1.23 date 2005.12.31.00.02.58; author wiz; state Exp; branches; next 1.22; 1.22 date 2005.11.14.18.17.49; author wiz; state Exp; branches 1.22.2.1; next 1.21; 1.21 date 2005.10.20.00.43.32; author wiz; state Exp; branches; next 1.20; 1.20 date 2005.09.30.13.11.34; author wiz; state Exp; branches; next 1.19; 1.19 date 2005.08.30.14.29.00; author adam; state Exp; branches; next 1.18; 1.18 date 2005.07.14.19.19.43; author wiz; state Exp; branches; next 1.17; 1.17 date 2005.05.31.17.48.30; author wiz; state Exp; branches; next 1.16; 1.16 date 2005.05.02.12.59.24; author wiz; state Exp; branches; next 1.15; 1.15 date 2005.04.08.15.50.41; author wiz; state Exp; branches; next 1.14; 1.14 date 2005.04.03.04.50.21; author minskim; state Exp; branches; next 1.13; 1.13 date 2005.02.24.13.10.06; author agc; state Exp; branches 1.13.2.1; next 1.12; 1.12 date 2005.02.19.00.14.23; author wiz; state Exp; branches; next 1.11; 1.11 date 2004.11.28.12.59.10; author recht; state Exp; branches; next 1.10; 1.10 date 2004.11.08.19.34.46; author jmmv; state Exp; branches; next 1.9; 1.9 date 2004.08.27.13.16.16; author drochner; state Exp; branches; next 1.8; 1.8 date 2004.05.22.10.09.53; author adam; state Exp; branches; next 1.7; 1.7 date 2004.03.01.15.14.45; author jmmv; state Exp; branches; next 1.6; 1.6 date 2004.01.12.22.57.38; author xtraeme; state Exp; branches; next 1.5; 1.5 date 2003.12.22.23.08.04; author jmmv; state Exp; branches; next 1.4; 1.4 date 2003.12.21.10.17.30; author xtraeme; state Exp; branches; next 1.3; 1.3 date 2003.12.18.06.04.10; author xtraeme; state Exp; branches; next 1.2; 1.2 date 2003.12.06.00.52.21; author xtraeme; state Exp; branches; next 1.1; 1.1 date 2003.05.14.03.46.44; author salo; state Exp; branches 1.1.1.1; next ; 1.142.2.1 date 2020.06.09.11.55.34; author bsiegert; state Exp; branches; next ; commitid NoJaps39mEehOxbC; 1.130.2.1 date 2018.11.22.05.45.13; author spz; state Exp; branches; next ; commitid oa1bbQPcFC0dVT0B; 1.123.2.1 date 2017.04.17.14.40.50; author bsiegert; state Exp; branches; next ; commitid ijAlzA3T6TTOETNz; 1.121.4.1 date 2017.01.19.19.55.17; author bsiegert; state Exp; branches; next ; commitid j0SzarN2GdU3eCCz; 1.112.2.1 date 2015.06.13.10.50.01; author spz; state Exp; branches; next ; commitid C8XDMSqKCeZQ2gpy; 1.105.2.1 date 2014.06.04.16.15.38; author schnoebe; state Exp; branches; next ; commitid 4M8seLe6Sb0URdDx; 1.100.2.1 date 2014.02.20.12.31.26; author tron; state Exp; branches; next ; commitid m61fYLaZfEUNXPpx; 1.91.2.1 date 2013.02.15.14.46.47; author tron; state Exp; branches; next ; 1.57.2.1 date 2009.08.29.09.49.14; author spz; state Exp; branches; next ; 1.52.2.1 date 2009.05.06.09.34.11; author spz; state Exp; branches; next ; 1.44.4.1 date 2008.08.18.12.26.48; author rtr; state Exp; branches; next ; 1.43.2.1 date 2008.05.23.11.39.51; author rtr; state Exp; branches; next ; 1.28.2.1 date 2006.09.17.09.09.38; author salo; state Exp; branches; next ; 1.22.2.1 date 2006.02.14.17.35.33; author salo; state Exp; branches; next ; 1.13.2.1 date 2005.04.03.17.36.27; author salo; state Exp; branches; next 1.13.2.2; 1.13.2.2 date 2005.05.02.20.14.06; author salo; state Exp; branches; next ; 1.1.1.1 date 2003.05.14.03.46.44; author salo; state Exp; branches; next ; desc @@ 1.161 log @gnutls: updated to 3.8.4 Version 3.8.4 (released 2024-03-18) ** libgnutls: RSA-OAEP encryption scheme is now supported To use it with an unrestricted RSA private key, one would need to initialize a gnutls_x509_spki_t object with necessary parameters for RSA-OAEP and attach it to the private key. It is also possible to import restricted private keys if they are stored in PKCS#8 format. ** libgnutls: Fix side-channel in the deterministic ECDSA. [GNUTLS-SA-2023-12-04, CVSS: medium] [CVE-2024-28834] ** libgnutls: Fixed a bug where certtool crashed when verifying a certificate chain with more than 16 certificates. [GNUTLS-SA-2024-01-23, CVSS: medium] [CVE-2024-28835] ** libgnutls: Compression libraries are now loaded dynamically as needed instead of all being loaded during gnutls library initialization. As a result, the library initialization should be faster. ** build: The gnutls library can now be linked with the static library of GMP. Note that in order for this to work libgmp.a needs to be compiled with -fPIC and libhogweed in Nettle also has to be linked to the static library of GMP. This can be used to prevent custom memory allocators from being overriden by other applications. @ text @$NetBSD: distinfo,v 1.160 2024/01/17 20:23:05 adam Exp $ BLAKE2s (gnutls-3.8.4.tar.xz) = b6849ece462ad2ee2331760ff5743ee9dabb40dcb133ca0a7e3615f28bf0048f SHA512 (gnutls-3.8.4.tar.xz) = af748610392b7eec8a6294d28d088f323450207cdcda1aa2138a0fd71023994c662f7aff72b2b3cd888e7b770750611981c2cde5f2ddc45f852fc0034cdebaff Size (gnutls-3.8.4.tar.xz) = 6487520 bytes SHA1 (patch-configure) = 866d8a365b8338348230e47518788f494279b139 @ 1.160 log @gnutls: updated to 3.8.3 Version 3.8.3 (released 2024-01-16) ** libgnutls: Fix more timing side-channel inside RSA-PSK key exchange [GNUTLS-SA-2024-01-14, CVSS: medium] [CVE-2024-0553] ** libgnutls: Fix assertion failure when verifying a certificate chain with a cycle of cross signatures [GNUTLS-SA-2024-01-09, CVSS: medium] [CVE-2024-0567] ** libgnutls: Fix regression in handling Ed25519 keys stored in PKCS#11 token certtool was unable to handle Ed25519 keys generated on PKCS#11 with pkcs11-tool (OpenSC). This is a regression introduced in 3.8.2. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.159 2023/11/16 12:31:11 adam Exp $ d3 3 a5 3 BLAKE2s (gnutls-3.8.3.tar.xz) = bd0ccb51008095555b5a93c53cbf30e51df5a61ed4b14c81e9952b608458b1ae SHA512 (gnutls-3.8.3.tar.xz) = 74eddba01ce4c2ffdca781c85db3bb52c85f1db3c09813ee2b8ceea0608f92ca3912fd9266f55deb36a8ba4d01802895ca5d5d219e7d9caec45e1a8534e45a84 Size (gnutls-3.8.3.tar.xz) = 6463720 bytes @ 1.159 log @gnutls: updated to 3.8.2 Version 3.8.2 (released 2023-11-14) ** libgnutls: Fix timing side-channel inside RSA-PSK key exchange. [GNUTLS-SA-2023-10-23, CVSS: medium] [CVE-2023-5981] ** libgnutls: Add API functions to perform ECDH and DH key agreement The functionality has been there for a long time though they were not available as part of the public API. This enables applications to implement custom protocols leveraging non-interactive key agreement with ECDH and DH. ** libgnutls: Added support for AES-GCM-SIV ciphers (RFC 8452) The new algorithms GNUTLS_CIPHER_AES_128_SIV_GCM and GNUTLS_CIPHER_AES_256_SIV_GCM have been added to be used through the AEAD interface. Note that, unlike GNUTLS_CIPHER_AES_{128,256}_SIV_GCM, the authentication tag is appended to the ciphertext, not prepended. ** libgnutls: transparent KTLS support is extended to FreeBSD kernel The kernel TLS feature can now be enabled on FreeBSD as well as Linux when compiled with the --enable-ktls configure option. ** gnutls-cli: New option --starttls-name Depending on deployment, application protocols such as XMPP may require a different origin address than the external address to be presented prior to STARTTLS negotiation. The --starttls-name can be used to specify specify the addresses separately. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.158 2023/08/08 09:33:54 adam Exp $ d3 3 a5 3 BLAKE2s (gnutls-3.8.2.tar.xz) = dcfa9d5ff11b94b54201386d216c3e6f3a9a1fd66c3685401a89bc5b51a96db9 SHA512 (gnutls-3.8.2.tar.xz) = b3aa6e0fa7272cfca0bb0d364fe5dc9ca70cfd41878631d57271ba0a597cf6020a55a19e97a2c02f13a253455b119d296cf6f701be2b4e6880ebeeb07c93ef38 Size (gnutls-3.8.2.tar.xz) = 6456540 bytes @ 1.158 log @gnutls: updated to 3.8.1 Version 3.8.1 (released 2023-08-03) ** libgnutls: ClientHello extensions are randomized by default To make fingerprinting harder, TLS extensions in ClientHello messages are shuffled. As this behavior may cause compatibility issue with legacy applications that do not accept the last extension without payload, the behavior can be reverted with the %NO_SHUFFLE_EXTENSIONS priority keyword. ** libgnutls: Add support for RFC 9258 external PSK importer. This enables to deploy the same PSK across multiple TLS versions (TLS 1.2 and TLS 1.3) in a secure manner. To use, the application needs to set up a callback that formats the PSK identity using gnutls_psk_format_imported_identity(). ** libgnutls: %GNUTLS_NO_EXTENSIONS has been renamed to %GNUTLS_NO_DEFAULT_EXTENSIONS. ** libgnutls: Add additional PBKDF limit checks in FIPS mode as defined in SP 800-132. Minimum salt length is 128 bits and minimum iterations bound is 1000 for PBKDF in FIPS mode. ** libgnutls: Add a mechanism to control whether to enforce extended master secret (RFC 7627). FIPS 140-3 mandates the use of TLS session hash (extended master secret, EMS) in TLS 1.2. To enforce this, a new priority keyword %FORCE_SESSION_HASH is added and if it is set and EMS is not set, the peer aborts the connection. This behavior is the default in FIPS mode, though it can be overridden through the configuration file with the "tls-session-hash" option. In either case non-EMS PRF is reported as a non-approved operation through the FIPS service indicator. ** New option --attime to specify current time. To make testing with different timestamp to the system easier, the tools doing certificate verification now provide a new option --attime, which takes an arbitrary time. ** API and ABI modifications: gnutls_psk_client_credentials_function3: New typedef gnutls_psk_server_credentials_function3: New typedef gnutls_psk_set_server_credentials_function3: New function gnutls_psk_set_client_credentials_function3: New function gnutls_psk_format_imported_identity: New function GNUTLS_PSK_KEY_EXT: New enum member of gnutls_psk_key_flags @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.157 2023/02/14 16:45:21 wiz Exp $ d3 3 a5 3 BLAKE2s (gnutls-3.8.1.tar.xz) = 60446b094b25207f8a77a88cc7aac1c6e6a643f6d7a8f50a677a4b5ee25a64c6 SHA512 (gnutls-3.8.1.tar.xz) = 22e78db86b835843df897d14ad633d8a553c0f9b1389daa0c2f864869c6b9ca889028d434f9552237dc4f1b37c978fbe0cce166e3768e5d4e8850ff69a6fc872 Size (gnutls-3.8.1.tar.xz) = 6447056 bytes @ 1.157 log @gnutls: update to 3.8.0. * Version 3.8.0 (unreleased 2023-02-09) ** libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange. Reported by Hubert Kario (#1050). Fix developed by Alexander Sosedkin. [GNUTLS-SA-2020-07-14, CVSS: medium] [CVE-2023-0361] ** libgnutls: C++ library is now header only. All definitions from gnutlsxx.c have been moved into gnutlsxx.h. Users of the C++ interface have two options: 1. include gnutlsxx.h in their application and link against the C library. (default) 2. include gnutlsxx.h in their application, compile with GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link against the C++ library. ** libgnutls: GNUTLS_NO_STATUS_REQUEST flag and %NO_STATUS_REQUEST priority modifier have been added to allow disabling of the status_request TLS extension in the client side. ** libgnutls: TLS heartbeat is disabled by default. The heartbeat extension in TLS (RFC 6520) is not widely used given other implementations dropped support for it. To enable back support for it, supply --enable-heartbeat-support to configure script. ** libgnutls: SRP authentication is now disabled by default. It is disabled because the SRP authentication in TLS is not up to date with the latest TLS standards and its ciphersuites are based on the CBC mode and SHA-1. To enable it back, supply --enable-srp-authentication option to configure script. ** libgnutls: All code has been indented using "indent -ppi1 -linux". CI/CD has been adjusted to catch regressions. This is implemented through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.yml’s commit-check. You may run devel/indent-gnutls to fix any indentation issues if you make code modifications. ** guile: Guile-bindings removed. They have been extracted into a separate project to reduce complexity and to simplify maintenance, see . ** minitasn1: Upgraded to libtasn1 version 4.19. ** API and ABI modifications: GNUTLS_NO_STATUS_REQUEST: New flag GNUTLS_SRTP_AEAD_AES_128_GCM: New gnutls_srtp_profile_t enum member GNUTLS_SRTP_AEAD_AES_256_GCM: New gnutls_srtp_profile_t enum member * Version 3.7.8 (released 2022-09-27) ** libgnutls: In FIPS140 mode, RSA signature verification is an approved operation if the key has modulus with known sizes (1024, 1280, 1536, and 1792 bits), in addition to any modulus sizes larger than 2048 bits, according to SP800-131A rev2. ** libgnutls: gnutls_session_channel_binding performs additional checks when GNUTLS_CB_TLS_EXPORTER is requested. According to RFC9622 4.2, the "tls-exporter" channel binding is only usable when the handshake is bound to a unique master secret (i.e., either TLS 1.3 or extended master secret extension is negotiated). Otherwise the function now returns error. ** libgnutls: usage of the following functions, which are designed to loosen restrictions imposed by allowlisting mode of configuration, has been additionally restricted. Invoking them is now only allowed if system-wide TLS priority string has not been initialized yet: gnutls_digest_set_secure gnutls_sign_set_secure gnutls_sign_set_secure_for_certs gnutls_protocol_set_enabled ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD$ d3 3 a5 3 BLAKE2s (gnutls-3.8.0.tar.xz) = 55bd4cb00bd6436a77565000e30099675c15b8752fc22c82ce24b1c6a2943692 SHA512 (gnutls-3.8.0.tar.xz) = 2507b3133423fdaf90fbd826ccb1142e9ff6fc90fcd5531720218f19ddf0e6bbb8267d23bad35c0954860e5a4179da74823e0c8357db56a14f252e6ec9d59629 Size (gnutls-3.8.0.tar.xz) = 6378480 bytes a6 1 SHA1 (patch-lib_system_certs.c) = fba74b2834a36d66bddcd7d3405d0c91c1b14efc @ 1.156 log @gnutls: updated to 3.7.8 ersion 3.7.8 (released 2022-09-27) ** libgnutls: In FIPS140 mode, RSA signature verification is an approved operation if the key has modulus with known sizes (1024, 1280, 1536, and 1792 bits), in addition to any modulus sizes larger than 2048 bits, according to SP800-131A rev2. ** libgnutls: gnutls_session_channel_binding performs additional checks when GNUTLS_CB_TLS_EXPORTER is requested. According to RFC9622 4.2, the "tls-exporter" channel binding is only usable when the handshake is bound to a unique master secret (i.e., either TLS 1.3 or extended master secret extension is negotiated). Otherwise the function now returns error. ** libgnutls: usage of the following functions, which are designed to loosen restrictions imposed by allowlisting mode of configuration, has been additionally restricted. Invoking them is now only allowed if system-wide TLS priority string has not been initialized yet: gnutls_digest_set_secure gnutls_sign_set_secure gnutls_sign_set_secure_for_certs gnutls_protocol_set_enabled ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.155 2022/07/29 08:04:47 adam Exp $ d3 4 a6 4 BLAKE2s (gnutls-3.7.8.tar.xz) = a0f16a832acf448fd3a92c3c7389dbb962bf5a847c2637b1c865e40ef3bec1a0 SHA512 (gnutls-3.7.8.tar.xz) = 4199bcf7c9e3aab2f52266aadceefc563dfe2d938d0ea1f3ec3be95d66f4a8c8e5494d3a800c03dd02ad386dec1738bd63e1fe0d8b394a2ccfc7d6c6a0cc9359 Size (gnutls-3.7.8.tar.xz) = 6029220 bytes SHA1 (patch-configure) = 6a4a78de339d4958557bba1dfea77a249237cabd @ 1.155 log @gnutls: updated to 3.7.7 Version 3.7.7 (released 2022-07-28) ** libgnutls: Fixed double free during verification of pkcs7 signatures. [CVE-2022-2509] ** libgnutls: gnutls_hkdf_expand now only accepts LENGTH argument less than or equal to 255 times hash digest size, to comply with RFC 5869 2.3. ** libgnutls: Length limit for TLS PSK usernames has been increased from 128 to 65535 characters. ** libgnutls: AES-GCM encryption function now limits plaintext length to 2^39-256 bits, according to SP800-38D 5.2.1.1. ** libgnutls: New block cipher functions have been added to transparently handle padding. gnutls_cipher_encrypt3 and gnutls_cipher_decrypt3 can be used in combination of GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically add/remove padding if the length of the original plaintext is not a multiple of the block size. ** libgnutls: New function for manual FIPS self-testing. ** API and ABI modifications: gnutls_fips140_run_self_tests: New function gnutls_cipher_encrypt3: New function gnutls_cipher_decrypt3: New function gnutls_cipher_padding_flags_t: New enum ** guile: Guile 1.8 is no longer supported ** guile: Session record port treats premature termination as EOF Previously, a ‘gnutls-error’ exception with the ‘error/premature-termination’ value would be thrown while reading from a session record port when the underlying session was terminated prematurely. This was inconvenient since users of the port may not be prepared to handle such an exception. Reading from the session record port now returns the end-of-file object instead of throwing an exception, just like it would for a proper session termination. ** guile: Session record ports can have a ‘close’ procedure. The ‘session-record-port’ procedure now takes an optional second parameter, and a new ‘set-session-record-port-close!’ procedure is provided to specify a ‘close’ procedure for a session record port. This ‘close’ procedure lets users specify cleanup operations for when the port is closed, such as closing the file descriptor or port that backs the underlying session. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.154 2022/05/28 06:03:42 adam Exp $ d3 4 a6 4 BLAKE2s (gnutls-3.7.7.tar.xz) = 07d831b44b5803abfaa5d8b04727e5b80e43132ea28d837761286c95d4d693d5 SHA512 (gnutls-3.7.7.tar.xz) = ba00b20126379ec7e96c6bfa606cfb7bb0d9a5853318b29b5278a42a85ae40d39d8442778938e1f165debcdb1adaf9c63bcec59a4eb3387dd1ac99b08bcc5c08 Size (gnutls-3.7.7.tar.xz) = 6351664 bytes SHA1 (patch-configure) = c00675e61b23ee337d2ecedd4dc7a358fc712fcb @ 1.154 log @gnutls: updated to 3.7.6 Version 3.7.6 (released 2022-05-27) ** libgnutls: Fixed invalid write when gnutls_realloc_zero() is called with new_size < old_size. This bug caused heap corruption when gnutls_realloc_zero() has been set as gmp reallocfunc @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.153 2022/05/18 18:26:14 adam Exp $ d3 4 a6 4 BLAKE2s (gnutls-3.7.6.tar.xz) = 58d8a3d58663d0fd29fe8c29826cb82ff693e2a9de1d5d08341e4f2ddd7e6bba SHA512 (gnutls-3.7.6.tar.xz) = f872339df80ec31d292821ff00eaafbe50e0bd4cdbb86e21e4f78541cd0a26d843596d5e69c91de4db8ce7d027fc639ae6462b57d89fb116162ae63c5a97486a Size (gnutls-3.7.6.tar.xz) = 6338276 bytes SHA1 (patch-configure) = 3653f74914f874aa369f62c8b267a46fd6b78eaa @ 1.153 log @gnutls: updated to 3.7.5 Version 3.7.5 (released 2022-05-15) ** libgnutls: The GNUTLS_NO_TICKETS_TLS12 flag and %NO_TICKETS_TLS12 priority modifier have been added to disable session ticket usage in TLS 1.2 because it does not provide forward secrecy. On the other hand, since session tickets in TLS 1.3 do provide forward secrecy, the PFS priority string now only disables session tickets in TLS 1.2. Future backward incompatibility: in the next major release of GnuTLS, we plan to remove those flag and modifier, and make GNUTLS_NO_TICKETS and %NO_TICKETS only affect TLS 1.2. ** gnutls-cli, gnutls-serv: Channel binding for printing information has been changed from tls-unique to tls-exporter as tls-unique is not supported in TLS 1.3. ** libgnutls: Certificate sanity checks has been enhanced to make gnutls more RFC 5280 compliant (!1583). Following changes were included: - critical extensions are parsed when loading x509 certificate to prohibit any random octet strings. Requires strict-x509 configure option to be enabled - garbage bits in Key Usage extension are prohibited - empty DirectoryStrings in Distinguished name structures of Issuer and Subject name are prohibited ** libgnutls: Removed 3DES from FIPS approved algorithms. According to the section 2 of SP800-131A Rev.2, 3DES algorithm will be disallowed for encryption after December 31, 2023: https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final ** libgnutls: Optimized support for AES-SIV-CMAC algorithms. The existing AEAD API that works in a scatter-gather fashion (gnutls_aead_cipher_encryptv2) has been extended to support AES-SIV-CMAC. For further optimization, new function (gnutls_aead_cipher_set_key) has been added to set key on the existing AEAD handle without re-allocation. ** libgnutls: HKDF and AES-GCM algorithms are now approved in FIPS-140 mode when used in TLS. ** The configure arguments for Brotli and Zstandard (zstd) support have changed to reflect the previous help text: they are now --with-brotli/--with-zstd respectively. ** Detecting the Zstandard (zstd) library in configure has been fixed. ** API and ABI modifications: GNUTLS_NO_TICKETS_TLS12: New flag gnutls_aead_cipher_set_key: New function @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.152 2022/03/17 21:16:25 adam Exp $ d3 3 a5 3 BLAKE2s (gnutls-3.7.5.tar.xz) = e6a818e9f5e44970e01639f3506620279befc63b8a72304527dcd2cb52d968b1 SHA512 (gnutls-3.7.5.tar.xz) = 2e4898e6aeff4f82abd48e6a442f5c9ebe4ecaeb0c038b76e2da8e468f6a7ae37fef5e8de17d90346f29aa0b56a08abf67fe8b81ba09dcf4612cc3b97b830bec Size (gnutls-3.7.5.tar.xz) = 6321392 bytes @ 1.152 log @gnutls: updated to 3.7.4 Version 3.7.4 (released 2022-03-17) ** libgnutls: Added support for certificate compression as defined in RFC8879. ** certtool: Added option --compress-cert that allows user to specify compression methods for certificate compression. ** libgnutls: GnuTLS can now be compiled with --enable-strict-x509 configure option to enforce stricter certificate sanity checks that are compliant with RFC5280. ** libgnutls: Removed IA5String type from DirectoryString within issuer and subject name to make DirectoryString RFC5280 compliant. ** libgnutls: Added function to retrieve the name of current ciphersuite from session. ** API and ABI modifications: GNUTLS_COMP_BROTLI: New gnutls_compression_method_t enum member GNUTLS_COMP_ZSTD: New gnutls_compression_method_t enum member gnutls_compress_certificate_get_selected_method: Added gnutls_compress_certificate_set_methods: Added @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.151 2022/01/19 21:11:11 adam Exp $ d3 3 a5 3 BLAKE2s (gnutls-3.7.4.tar.xz) = 12888540cd6d75baa40b32bd4bcbc896e39c02d91b331cd979d3a477751b192d SHA512 (gnutls-3.7.4.tar.xz) = 38b488ca1223d9aa8fc25756df08db6f29aaf76fb5816fdeaa14bd89fb431a2e1c495fefc64094f726337d5b89e198146ec7dc22e9a1bca6841a9d881b0d99e6 Size (gnutls-3.7.4.tar.xz) = 6131772 bytes @ 1.151 log @gnutls: updated to 3.7.3 Version 3.7.3 (released 2022-01-17) ** libgnutls: The allowlisting configuration mode has been added to the system-wide settings. In this mode, all the algorithms are initially marked as insecure or disabled, while the applications can re-enable them either through the [overrides] section of the configuration file or the new API. ** The build infrastructure no longer depends on GNU AutoGen for generating command-line option handling, template file parsing in certtool, and documentation generation. This change also removes run-time or bundled dependency on the libopts library, and requires Python 3.6 or later to regenerate the distribution tarball. Note that this brings in known backward incompatibility in command-line tools, such as long options are now case sensitive, while previously they were treated in a case insensitive manner: for example --RSA is no longer a valid option of certtool. The existing scripts using GnuTLS tools may need adjustment for this change. ** libgnutls: The tpm2-tss-engine compatible private blobs can be loaded and used as a gnutls_privkey_t. The code was originally written for the OpenConnect VPN project by David Woodhouse. To generate such blobs, use the tpm2tss-genkey tool from tpm2-tss-engine: https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations or the tpm2_encodeobject tool from unreleased tpm2-tools. ** libgnutls: The library now transparently enables Linux KTLS (kernel TLS) when the feature is compiled in with --enable-ktls configuration option. If the KTLS initialization fails it automatically falls back to the user space implementation. ** certtool: The certtool command can now read the Certificate Transparency (RFC 6962) SCT extension. New API functions are also provided to access and manipulate the extension values. ** certtool: The certtool command can now generate, manipulate, and evaluate x25519 and x448 public keys, private keys, and certificates. ** libgnutls: Disabling a hashing algorithm through "insecure-hash" configuration directive now also disables TLS ciphersuites that use it as a PRF algorithm. ** libgnutls: PKCS#12 files are now created with modern algorithms by default. Previously certtool used PKCS12-3DES-SHA1 for key derivation and HMAC-SHA1 as an integity measure in PKCS#12. Now it uses AES-128-CBC with PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the default PBKDF2 iteration count has been increased to 600000. ** libgnutls: PKCS#12 keys derived using GOST algorithm now uses HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity, to conform with the latest TC-26 requirements. ** libgnutls: The library now provides a means to report the status of approved cryptographic operations. To adhere to the FIPS140-3 IG 2.4.C., this complements the existing mechanism to prohibit the use of unapproved algorithms by making the library unusable state. ** gnutls-cli: The gnutls-cli command now provides a --list-config option to print the library configuration. ** libgnutls: Fixed possible race condition in gnutls_x509_trust_list_verify_crt2 when a single trust list object is shared among multiple threads. [GNUTLS-SA-2022-01-17, CVSS: low] ** API and ABI modifications: GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_privkey_flags_t GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_certificate_verify_flags gnutls_ecc_curve_set_enabled: Added. gnutls_sign_set_secure: Added. gnutls_sign_set_secure_for_certs: Added. gnutls_digest_set_secure: Added. gnutls_protocol_set_enabled: Added. gnutls_fips140_context_init: New function gnutls_fips140_context_deinit: New function gnutls_fips140_push_context: New function gnutls_fips140_pop_context: New function gnutls_fips140_get_operation_state: New function gnutls_fips140_operation_state_t: New enum gnutls_transport_is_ktls_enabled: New function gnutls_get_library_configuration: New function @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.150 2021/10/26 11:17:06 nia Exp $ d3 3 a5 3 BLAKE2s (gnutls-3.7.3.tar.xz) = b3c209d629dc0d9d8927532511d3337b336328f6fb8a7b855bc110f9796d65bb SHA512 (gnutls-3.7.3.tar.xz) = 3ace744affe23e284342658d6d2d2de49dd50065489cbc8be18fc7d38187253e5268ca54027ce5cd517056c249ac039a7481e4548cec04325de37ae85617d077 Size (gnutls-3.7.3.tar.xz) = 6119292 bytes @ 1.150 log @security: Replace RMD160 checksums with BLAKE2s checksums All checksums have been double-checked against existing RMD160 and SHA512 hashes Unfetchable distfiles (fetched conditionally?): ./security/cyrus-sasl/distinfo cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2 @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.149 2021/10/07 14:53:50 nia Exp $ d3 3 a5 3 BLAKE2s (gnutls-3.7.2.tar.xz) = 16c4ae925fa13ec1ef7f0009cda4227cfe6a8945d10486da9ab6208099e949b9 SHA512 (gnutls-3.7.2.tar.xz) = 5d01d561a05379da71e4847e30ba13c2abe09f7a5c4359fd539d8bd19abad0ce87120f82ee7b6264e787bd3edbc5ae16beffa892983cbc3d59f11a1811c10329 Size (gnutls-3.7.2.tar.xz) = 6091508 bytes a7 5 SHA1 (patch-src_libopts_autoopts_options.h) = ebeeafc834bce3b6b3f938e360b089e165ee4f9e SHA1 (patch-src_libopts_compat_compat.h) = 6e88b5e73a56c296f356aa5ce7e6048e1bcff450 SHA1 (patch-src_libopts_libopts.c) = 6e2453a886aa4be0a17dfbdb8a23ef9d7a0f62f8 SHA1 (patch-src_libopts_makeshell.c) = 1b08ab63e6e382bd471699530e5d8bff075b3f24 SHA1 (patch-src_libopts_proto.h) = 7601830e5ff45632ae337a387548f9ed5e591c4f @ 1.149 log @security: Remove SHA1 hashes for distfiles @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.148 2021/05/31 11:08:45 wiz Exp $ d3 1 a3 1 RMD160 (gnutls-3.7.2.tar.xz) = a095231e93c7e4e94d78e442e7f816b9748b24b1 @ 1.148 log @gnutls: update to 3.7.2. * Version 3.7.2 (released 2021-05-29) ** libgnutls: The priority string option %DISABLE_TLS13_COMPAT_MODE was added to disable TLS 1.3 middlebox compatibility mode ** libgnutls: The Linux kernel AF_ALG based acceleration has been added. This can be enabled with --enable-afalg configure option, when libkcapi package is installed (#308). ** libgnutls: Fixed timing of early data exchange. Previously, the client was sending early data after receiving Server Hello, which not only negates the benefit of 0-RTT, but also works under certain assumptions hold (e.g., the same ciphersuite is selected in initial and resumption handshake) (#1146). ** certtool: When signing a CSR, CRL distribution point (CDP) is no longer copied from the signing CA by default (#1126). ** libgnutls: The GNUTLS_NO_EXPLICIT_INIT envvar has been renamed to GNUTLS_NO_IMPLICIT_INIT to reflect the purpose (#1178). The former is now deprecated and will be removed in the future releases. ** certtool: When producing certificates and certificate requests, subject DN components that are provided individually will now be ordered by assumed scale (e.g. Country before State, Organization before OrganizationalUnit). This change also affects the order in which certtool prompts interactively. Please rely on the template mechanism for automated use of certtool! (#1243) ** API and ABI modifications: gnutls_early_cipher_get: Added gnutls_early_prf_hash_get: Added @ text @d1 1 a1 1 $NetBSD$ a2 1 SHA1 (gnutls-3.7.2.tar.xz) = 02e12259680b6ad3ec973e0df6bf2cf0c5ef1100 @ 1.147 log @gnutls: update to 3.7.1. * Version 3.7.1 (released 2021-03-10) ** libgnutls: Fixed potential use-after-free in sending "key_share" and "pre_shared_key" extensions. When sending those extensions, the client may dereference a pointer no longer valid after realloc. This happens only when the client sends a large Client Hello message, e.g., when HRR is sent in a resumed session previously negotiated large FFDHE parameters, because the initial allocation of the buffer is large enough without having to call realloc (#1151). [GNUTLS-SA-2021-03-10, CVSS: low] ** libgnutls: Fixed a regression in handling duplicated certs in a chain (#1131). ** libgnutls: Fixed sending of session ID in TLS 1.3 middlebox compatibiltiy mode. In that mode the client shall always send a non-zero session ID to make the handshake resemble the TLS 1.2 resumption; this was not true in the previous versions (#1074). ** libgnutls: W32 performance improvement with a new sendmsg()-like transport implementation (!1377). ** libgnutls: Removed dependency on the external 'fipscheck' package, when compiled with --enable-fips140-mode (#1101). ** libgnutls: Added padlock acceleration for AES-192-CBC (#1004). @ text @d3 4 a6 4 SHA1 (gnutls-3.7.1.tar.xz) = 5de5d25534ee5910ea9ee6aaeeb6af1af4350c1e RMD160 (gnutls-3.7.1.tar.xz) = 134c7cbe291cb640afa834daa91ba087b9d9966f SHA512 (gnutls-3.7.1.tar.xz) = 0fe801f03676c3bd970387f94578c8be7ba6030904989e7d21dffdc726209bab44c8096fbcb6d51fed2de239537bd00df2338ee9c8d984a1c386826b91062a95 Size (gnutls-3.7.1.tar.xz) = 6038388 bytes @ 1.146 log @gnutls: Update to 3.7.0 * Version 3.7.0 (released 2020-12-02) ** libgnutls: Depend on nettle 3.6 (!1322). ** libgnutls: Added a new API that provides a callback function to retrieve missing certificates from incomplete certificate chains (#202, #968, #1100). ** libgnutls: Added a new API that provides a callback function to output the complete path to the trusted root during certificate chain verification (#1012). ** libgnutls: OIDs exposed as gnutls_datum_t no longer account for the terminating null bytes, while the data field is null terminated. The affected API functions are: gnutls_ocsp_req_get_extension, gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension (#805). ** libgnutls: Added a new set of API to enable QUIC implementation (#826, #849, #850). ** libgnutls: The crypto implementation override APIs deprecated in 3.6.9 are now no-op (#790). ** libgnutls: Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161). ** libgnutls: Support for padlock has been fixed to make it work with Zhaoxin CPU (#1079). ** libgnutls: The maximum PIN length for PKCS #11 has been increased from 31 bytes to 255 bytes (#932). ** API and ABI modifications: gnutls_x509_trust_list_set_getissuer_function: Added gnutls_x509_trust_list_get_ptr: Added gnutls_x509_trust_list_set_ptr: Added gnutls_session_set_verify_output_function: Added gnutls_record_encryption_level_t: New enum gnutls_handshake_read_func: New callback type gnutls_handshake_set_read_function: New function gnutls_handshake_write: New function gnutls_handshake_secret_func: New callback type gnutls_handshake_set_secret_function: New function gnutls_alert_read_func: New callback type gnutls_alert_set_read_function: New function gnutls_crypto_register_cipher: Deprecated; no-op gnutls_crypto_register_aead_cipher: Deprecated; no-op gnutls_crypto_register_mac: Deprecated; no-op gnutls_crypto_register_digest: Deprecated; no-op @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.145 2020/09/07 15:47:15 leot Exp $ d3 4 a6 4 SHA1 (gnutls-3.7.0.tar.xz) = d535ebe4ae157fb79dbc34a2cf17b5173906ea0e RMD160 (gnutls-3.7.0.tar.xz) = 764391c259d604a0267bb673649738bc3a495507 SHA512 (gnutls-3.7.0.tar.xz) = 5cf1025f2d0a0cbf5a83dd7f3b22dafd1769f7c3349096c0272d08573bb5ff87f510e0e69b4bbb47dad1b64476aa5479804b2f4ceb2216cd747bbc53bf42d885 Size (gnutls-3.7.0.tar.xz) = 6129176 bytes @ 1.145 log @gnutls: Update to 3.6.15 Changes: 3.6.15 ------ ** libgnutls: Fixed "no_renegotiation" alert handling at incorrect timing. The server sending a "no_renegotiation" alert in an unexpected timing, followed by an invalid second handshake was able to cause a TLS 1.3 client to crash via a null-pointer dereference. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure (#1071). [GNUTLS-SA-2020-09-04, CVSS: medium] ** libgnutls: If FIPS self-tests are failed, gnutls_fips140_mode_enabled() now indicates that with a false return value (!1306). ** libgnutls: Under FIPS mode, the generated ECDH/DH public keys are checked accordingly to SP800-56A rev 3 (!1295, !1299). ** libgnutls: gnutls_x509_crt_export2() now returns 0 upon success, rather than the size of the internal base64 blob (#1025). The new behavior aligns to the existing documentation. ** libgnutls: Certificate verification failue due to OCSP must-stapling is not honered is now correctly marked with the GNUTLS_CERT_INVALID flag (!1317). The new behavior aligns to the existing documentation. ** libgnutls: The audit log message for weak hashes is no longer printed twice (!1301). ** libgnutls: Fixed version negotiation when TLS 1.3 is enabled and TLS 1.2 is disabled in the priority string. Previously, even when TLS 1.2 is explicitly disabled with "-VERS-TLS1.2", the server still offered TLS 1.2 if TLS 1.3 is enabled (#1054). ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.144 2020/06/08 19:48:14 leot Exp $ d3 4 a6 4 SHA1 (gnutls-3.6.15.tar.xz) = 00ef7d93347df586c3d1a00f13c326706c0c59ba RMD160 (gnutls-3.6.15.tar.xz) = 870c338ae8c2b6acd7000eb7daa287082ab04609 SHA512 (gnutls-3.6.15.tar.xz) = f757d1532198f44bcad7b73856ce6a05bab43f6fb77fcc81c59607f146202f73023d0796d3e1e7471709cf792c8ee7d436e19407e0601bc0bda2f21512b3b01c Size (gnutls-3.6.15.tar.xz) = 6081656 bytes @ 1.144 log @gnutls: Update to 3.6.14 Changes: 3.6.14 ------ * libgnutls: Fixed insecure session ticket key construction, since 3.6.4. The TLS server would not bind the session ticket encryption key with a value supplied by the application until the initial key rotation, allowing attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2 (#1011). [GNUTLS-SA-2020-06-03, CVSS: high] * libgnutls: Fixed handling of certificate chain with cross-signed intermediate CA certificates (#1008). * libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997). * libgnutls: gnutls_x509_crt_print() is enhanced to recognizes commonName (2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority Key Identifier (AKI) properly (#989, #991). * certtool: PKCS #7 attributes are now printed with symbolic names (!1246). * libgnutls: Added several improvements on Windows Vista and later releases (!1257, !1254, !1256). Most notably the system random number generator now uses Windows BCrypt* API if available (!1255). * libgnutls: Use accelerated AES-XTS implementation if possible (!1244). Also both accelerated and non-accelerated implementations check key block according to FIPS-140-2 IG A.9 (!1233). * libgnutls: Added support for AES-SIV ciphers (#463). * libgnutls: Added support for 192-bit AES-GCM cipher (!1267). * libgnutls: No longer use internal symbols exported from Nettle (!1235) * API and ABI modifications: GNUTLS_CIPHER_AES_128_SIV: Added GNUTLS_CIPHER_AES_256_SIV: Added GNUTLS_CIPHER_AES_192_GCM: Added gnutls_pkcs7_print_signature_info: Added @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.143 2020/04/01 08:24:07 adam Exp $ d3 4 a6 4 SHA1 (gnutls-3.6.14.tar.xz) = bea1b5abcb691acf014e592f41d0a9580a41216a RMD160 (gnutls-3.6.14.tar.xz) = 89c4f89e4453c2d08ad0918fbf099d9fbcfe9cba SHA512 (gnutls-3.6.14.tar.xz) = b2d427b5542a4679117c011dffa8efb0e0bffa3ce9cebc319f8998d03f80f4168d08f9fda35df18dbeaaada59e479d325a6c1c77d5ca7f8ce221b44e42bfe604 Size (gnutls-3.6.14.tar.xz) = 6069088 bytes @ 1.143 log @gnutls: updated to 3.6.13 Version 3.6.13: ** libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support), since 3.6.3. The DTLS client would not contribute any randomness to the DTLS negotiation, breaking the security guarantees of the DTLS protocol [GNUTLS-SA-2020-03-31, CVSS: high] ** libgnutls: Added new APIs to access KDF algorithms. ** libgnutls: Added new callback gnutls_keylog_func that enables a custom logging functionality. ** libgnutls: Added support for non-null terminated usernames in PSK negotiation. ** gnutls-cli-debug: Improved support for old servers that only support SSL 3.0. ** API and ABI modifications: gnutls_hkdf_extract: Added gnutls_hkdf_expand: Added gnutls_pbkdf2: Added gnutls_session_get_keylog_function: Added gnutls_session_set_keylog_function: Added gnutls_prf_hash_get: Added gnutls_psk_server_get_username2: Added gnutls_psk_set_client_credentials2: Added gnutls_psk_set_client_credentials_function2: Added gnutls_psk_set_server_credentials_function2: Added @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.142 2020/02/09 13:56:28 wiz Exp $ d3 4 a6 4 SHA1 (gnutls-3.6.13.tar.xz) = 0d3d0d093d6a7cf589612a7c21dbb46cb31c644b RMD160 (gnutls-3.6.13.tar.xz) = fa5e9136c3a620436a65946f5e2a9f9b878b238b SHA512 (gnutls-3.6.13.tar.xz) = 23581952cb72c9a34f378c002bb62413d5a1243b74b48ad8dc49eaea4020d33c550f8dc1dd374cf7fbfa4187b0ca1c5698c8a0430398268a8b8a863f8633305c Size (gnutls-3.6.13.tar.xz) = 5958956 bytes @ 1.142 log @gnutls: update to 3.6.12. * Version 3.6.12 (released 2020-02-01) ** libgnutls: Introduced TLS session flag (gnutls_session_get_flags()) to identify sessions that client request OCSP status request (#829). ** libgnutls: Added support for X448 key exchange (RFC 7748) and Ed448 signature algorithm (RFC 8032) under TLS (#86). ** libgnutls: Added the default-priority-string option to system configuration; it allows overriding the compiled-in default-priority-string. ** libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by draft-smyshlyaev-tls12-gost-suites-07). By default this ciphersuite is disabled. It can be enabled by adding +GOST to priority string. In the future this priority string may enable other GOST ciphersuites as well. Note, that server will fail to negotiate GOST ciphersuites if TLS 1.3 is enabled both on a server and a client. It is recommended for now to disable TLS 1.3 in setups where GOST ciphersuites are enabled on GnuTLS-based servers. ** libgnutls: added priority shortcuts for different GOST categories like CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL, GROUP-GOST-ALL. ** libgnutls: Reject certificates with invalid time fields. That is we reject certificates with invalid characters in Time fields, or invalid time formatting To continue accepting the invalid form compile with --disable-strict-der-time (#207, #870). ** libgnutls: Reject certificates which contain duplicate extensions. We were previously printing warnings when printing such a certificate, but that is not always sufficient to flag such certificates as invalid. Instead we now refuse to import them (#887). ** libgnutls: If a CA is found in the trusted list, check in addition to time validity, whether the algorithms comply to the expected level prior to accepting it. This addresses the problem of accepting CAs which would have been marked as insecure otherwise (#877). ** libgnutls: The min-verification-profile from system configuration applies for all certificate verifications, not only under TLS. The configuration can be overriden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable. ** libgnutls: The stapled OCSP certificate verification adheres to the convention used throughout the library of setting the 'GNUTLS_CERT_INVALID' flag. ** libgnutls: On client side only send OCSP staples if they have been requested by the server, and on server side always advertise that we support OCSP stapling (#876). ** libgnutls: Introduced the gnutls_ocsp_req_const_t which is compatible with gnutls_ocsp_req_t but const. ** certtool: Added the --verify-profile option to set a certificate verification profile. Use '--verify-profile low' for certificate verification to apply the 'NORMAL' verification profile. ** certtool: The add_extension template option is considered even when generating a certificate from a certificate request. ** API and ABI modifications: GNUTLS_SFLAGS_CLI_REQUESTED_OCSP: Added GNUTLS_SFLAGS_SERV_REQUESTED_OCSP: Added gnutls_ocsp_req_const_t: Added @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.141 2019/12/06 14:00:08 nia Exp $ d3 5 a7 4 SHA1 (gnutls-3.6.12.tar.xz) = fa498b4d026e3ddfa74aa79adac27bfcd14e8b76 RMD160 (gnutls-3.6.12.tar.xz) = f76e05c4a5f6c15277259b874bca475089c02630 SHA512 (gnutls-3.6.12.tar.xz) = e1031fd1239d8b0f056a6b736e4c72c9268fb635f273527f310771c608b841cad7b6631401382ec3040d9b539180bf421882bf43427ad3549a5787d2864c2fa5 Size (gnutls-3.6.12.tar.xz) = 5942064 bytes @ 1.142.2.1 log @Pullup ticket #6232 - requested by maya security/gnutls: security fix Revisions pulled up: - security/gnutls/Makefile 1.210-1.213 - security/gnutls/PLIST 1.70-1.71 - security/gnutls/PLIST.guile 1.1 - security/gnutls/buildlink3.mk 1.37 - security/gnutls/distinfo 1.143-1.144 - security/gnutls/options.mk 1.3 - security/gnutls/patches/patch-configure 1.5 --- Module Name: pkgsrc Committed By: adam Date: Wed Apr 1 08:24:07 UTC 2020 Modified Files: pkgsrc/security/gnutls: Makefile PLIST distinfo Added Files: pkgsrc/security/gnutls/patches: patch-configure Log Message: gnutls: updated to 3.6.13 Version 3.6.13: ** libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support), since 3.6.3. The DTLS client would not contribute any randomness to the DTLS negotiation, breaking the security guarantees of the DTLS protocol [GNUTLS-SA-2020-03-31, CVSS: high] ** libgnutls: Added new APIs to access KDF algorithms. ** libgnutls: Added new callback gnutls_keylog_func that enables a custom logging functionality. ** libgnutls: Added support for non-null terminated usernames in PSK negotiation. ** gnutls-cli-debug: Improved support for old servers that only support SSL 3.0. ** API and ABI modifications: gnutls_hkdf_extract: Added gnutls_hkdf_expand: Added gnutls_pbkdf2: Added gnutls_session_get_keylog_function: Added gnutls_session_set_keylog_function: Added gnutls_prf_hash_get: Added gnutls_psk_server_get_username2: Added gnutls_psk_set_client_credentials2: Added gnutls_psk_set_client_credentials_function2: Added gnutls_psk_set_server_credentials_function2: Added --- Module Name: pkgsrc Committed By: nikita Date: Thu May 14 14:30:02 UTC 2020 Modified Files: pkgsrc/security/gnutls: Makefile buildlink3.mk options.mk Added Files: pkgsrc/security/gnutls: PLIST.guile Log Message: security/gnutls: revbump, add support for building guile bindings --- Module Name: pkgsrc Committed By: leot Date: Mon Jun 8 19:48:14 UTC 2020 Modified Files: pkgsrc/security/gnutls: Makefile PLIST distinfo Log Message: gnutls: Update to 3.6.14 Changes: 3.6.14 ------ * libgnutls: Fixed insecure session ticket key construction, since 3.6.4. The TLS server would not bind the session ticket encryption key with a value supplied by the application until the initial key rotation, allowing attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2 (#1011). [GNUTLS-SA-2020-06-03, CVSS: high] * libgnutls: Fixed handling of certificate chain with cross-signed intermediate CA certificates (#1008). * libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997). * libgnutls: gnutls_x509_crt_print() is enhanced to recognizes commonName (2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority Key Identifier (AKI) properly (#989, #991). * certtool: PKCS #7 attributes are now printed with symbolic names (!1246). * libgnutls: Added several improvements on Windows Vista and later releases (!1257, !1254, !1256). Most notably the system random number generator now uses Windows BCrypt* API if available (!1255). * libgnutls: Use accelerated AES-XTS implementation if possible (!1244). Also both accelerated and non-accelerated implementations check key block according to FIPS-140-2 IG A.9 (!1233). * libgnutls: Added support for AES-SIV ciphers (#463). * libgnutls: Added support for 192-bit AES-GCM cipher (!1267). * libgnutls: No longer use internal symbols exported from Nettle (!1235) * API and ABI modifications: GNUTLS_CIPHER_AES_128_SIV: Added GNUTLS_CIPHER_AES_256_SIV: Added GNUTLS_CIPHER_AES_192_GCM: Added gnutls_pkcs7_print_signature_info: Added @ text @d1 1 a1 1 $NetBSD$ d3 4 a6 5 SHA1 (gnutls-3.6.14.tar.xz) = bea1b5abcb691acf014e592f41d0a9580a41216a RMD160 (gnutls-3.6.14.tar.xz) = 89c4f89e4453c2d08ad0918fbf099d9fbcfe9cba SHA512 (gnutls-3.6.14.tar.xz) = b2d427b5542a4679117c011dffa8efb0e0bffa3ce9cebc319f8998d03f80f4168d08f9fda35df18dbeaaada59e479d325a6c1c77d5ca7f8ce221b44e42bfe604 Size (gnutls-3.6.14.tar.xz) = 6069088 bytes SHA1 (patch-configure) = 3653f74914f874aa369f62c8b267a46fd6b78eaa @ 1.141 log @gnutls: Update to 3.6.11.1 Not sure of 3.6.11.1's specific changes - possibly fixing an incorrectly generated tarball? These changes from apply: * Version 3.6.11 (released 2019-12-01) ** libgnutls: Use KERN_ARND for the system random number generator on NetBSD. This syscall provides an endless stream of random numbers from the kernel's ChaCha20-based random number generator, without blocking or requiring an open file descriptor. ** libgnutls: Corrected issue with TLS 1.2 session ticket handling as client during resumption (#841). ** libgnutls: gnutls_base64_decode2() succeeds decoding the empty string to the empty string. This is a behavioral change of the API but it conforms to the RFC4648 expectations (#834). ** libgnutls: Fixed AES-CFB8 implementation, when input is shorter than the block size. Fix backported from nettle. ** certtool: CRL distribution points will be set in CA certificates even when non self-signed (#765). ** gnutls-cli/serv: added raw public-key handling capabilities (RFC7250). Key material can be set via the --rawpkkeyfile and --rawpkfile flags. ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.140 2019/10/04 17:25:53 nia Exp $ d3 4 a6 4 SHA1 (gnutls-3.6.11.1.tar.xz) = 2205863fefa0e070cbf2a6961bfa90c854286287 RMD160 (gnutls-3.6.11.1.tar.xz) = a5182c63cc9e79c929c8cc098f36d55fd70789c8 SHA512 (gnutls-3.6.11.1.tar.xz) = 55fbbf0ebc824fbc91ccd08d1708452c5b1c12af75e332f29414540eb2f81337fa605a693ce9f34319a927e9d71177e6e7ffea5c6747792d341fb740f68c9489 Size (gnutls-3.6.11.1.tar.xz) = 5902328 bytes @ 1.140 log @gnutls: Update to 3.6.10 * Version 3.6.10 (released 2019-09-29) ** libgnutls: Added support for deterministic ECDSA/DSA (RFC6979) Deterministic signing can be enabled by setting GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE when calling gnutls_privkey_sign_*() functions (#94). ** libgnutls: add gnutls_aead_cipher_encryptv2 and gnutls_aead_cipher_decryptv2 functions that will perform in-place encryption/decryption on data buffers (#718). ** libgnutls: Corrected issue in gnutls_session_get_data2() which could fail under TLS1.3, if a timeout callback was not set using gnutls_transport_set_pull_timeout_function() (#823). ** libgnutls: added interoperability tests with gnutls 2.12.x; addressed issue with large record handling due to random padding (#811). ** libgnutls: the server now selects the highest TLS protocol version, if TLS 1.3 is enabled and the client advertises an older protocol version first (#837). ** libgnutls: fix non-PIC assembly on i386 (#818). ** libgnutls: added support for GOST 28147-89 cipher in CNT (GOST counter) mode and MAC generation based on GOST 28147-89 (IMIT). For description of the modes see RFC 5830. S-Box is id-tc26-gost-28147-param-Z (TC26Z) defined in RFC 7836. ** certtool: when outputting an encrypted private key do not insert the textual description of it. This fixes a regression since 3.6.5 (#840). ** API and ABI modifications: gnutls_aead_cipher_encryptv2: Added gnutls_aead_cipher_decryptv2: Added GNUTLS_CIPHER_GOST28147_TC26Z_CNT: Added GNUTLS_MAC_GOST28147_TC26Z_IMIT: Added @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.139 2019/09/30 09:51:16 maya Exp $ d3 4 a6 5 SHA1 (gnutls-3.6.10.tar.xz) = c073c6b0c57506a592854471576321be80f809d4 RMD160 (gnutls-3.6.10.tar.xz) = fe2df3aead55853711a0dbd80ef5dd648a4e09a7 SHA512 (gnutls-3.6.10.tar.xz) = fe0481f9e4219e983b01b91e69ffd95819a4c0d0c09028509106d561967e9c5d900bc5e3a48140a34fa4467feda2a619085adf3fa8fdade96c8debf125e91ae8 Size (gnutls-3.6.10.tar.xz) = 5795984 bytes SHA1 (patch-lib_Makefile.in) = c9a6bbe6238ccd9de41c708012e36b202d2a86e7 d8 5 a12 5 SHA1 (patch-src_libopts_autoopts_options.h) = 9202c55314fe8764ac82c95bbfabfa1b031e9ba4 SHA1 (patch-src_libopts_compat_compat.h) = 240fbfc0ba20af35e0634ba873fe9e34bfbcc921 SHA1 (patch-src_libopts_libopts.c) = ce5e7681def882e95ed5ab770564d1f999b97039 SHA1 (patch-src_libopts_makeshell.c) = e5b7d66caaec45e12ae5490d515fc9fc75de3d92 SHA1 (patch-src_libopts_proto.h) = 78f845bdcbac8de74953a3cee0b77fa9c5b05386 @ 1.139 log @gnutls: backport upstream commit to avoid text relocations on i386. Regenerate asm files with -fPIC PR pkg/54555: security/gnutls 3.6.9 runs afoul of PAX MPROTECT and text relocations on netbsd-9/i386 Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.138 2019/09/16 17:01:46 nros Exp $ d3 4 a6 7 SHA1 (gnutls-3.6.9.tar.xz) = 4a12757b129562ae92a01ca890ed282050595296 RMD160 (gnutls-3.6.9.tar.xz) = 2771adabb5342b24fbebcb69b324924ee2b56513 SHA512 (gnutls-3.6.9.tar.xz) = a9fd0f4edae4c081d5c539ba2e5574a4d7294bc00c5c73ea25ce26cb7fd126299c2842a282d45ef5cf0544108f27066e587df28776bc7915143d190d7d5b9d07 Size (gnutls-3.6.9.tar.xz) = 5773928 bytes SHA1 (patch-cfg.mk) = c91374a0f9c3031ea90d7f8c455d9e7e42de464b SHA1 (patch-config.h.in) = 9f403bd91ddb90d970ba56f91a56e0339848c026 SHA1 (patch-configure) = 0fcfa9255f15a43aced7262bc2c5084945910aec a7 2 SHA1 (patch-lib_accelerated_x86_elf_aesni-x86.s) = 834fe259954c1806185d95a5029ba0379bd31cce SHA1 (patch-lib_accelerated_x86_x86-common.c) = ccbf4e01f5bcb01b998e80294ecae2f0413680b8 @ 1.138 log @Fix compilation of gnutls with compilers missing __get_cpuid_count Fix compilation of gnutls with compilers missing __get_cpuid_count. Taken from upstream and fixed in version 3.6.10 . Fixes compilation on NetBSD 8 without setting GCC_REQD. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.137 2019/09/16 00:28:48 nia Exp $ d7 1 d11 1 @ 1.137 log @gnutls: Update to 3.6.9 * Version 3.6.9 (released 2019-07-25) ** libgnutls: add gnutls_hash_copy/gnutls_hmac_copy functions that will create a copy of digest or MAC context. Copying contexts for externally-registered digest and MAC contexts is unupported (#787). ** Marked the crypto implementation override APIs as deprecated. These APIs are rarely used, are for a niche use case, but have significant side effects, such as preventing any internal re-organization and extension of the internal cipher API. The APIs remain functional though a compiler warning will be issued, and a future minor version update may transform them to a no-op while keeping ABI compatibility (#789). ** libgnutls: Added support for AES-GMAC, as a separate to GCM, MAC algorithm (#781). ** libgnutls: gnutls_privkey_sign_hash2 now accepts the GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA flag as documented. This makes it a complete replacement of gnutls_privkey_sign_hash(). ** libgnutls: Added support for Generalname registeredID. ** The priority configuration was enhanced to allow more elaborate system-wide configuration of the library (#587). The following changes were included: - The file is read as an ini file with '#' indicating a comment. - The section "[priorities]" or global follows the existing semantics of the configuration file, and allows to specify system-wide priority strings which are accessed with the '@@' prefix. - The section "[overrides]" is added with the parameters "insecure-hash", "insecure-sig", "insecure-sig-for-cert", "disabled-curve", "disabled-version", "min-verification-profile", "tls-disabled-cipher", "tls-disabled-mac", "tls-disabled-group", "tls-disabled-kx", which prohibit specific algorithms or options globally. Existing algorithms in the library can be marked as disabled and insecure, but no hard-coded insecure algorithm can be marked as secure (so that the configuration cannot be abused to make the system vulnerable). - Unknown sections or options are skipped with a debug message, unless the GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID environment parameter is set to 1. ** libgnutls: Added new flag for GNUTLS_CPUID_OVERRIDE - 0x20: Enable SHA_NI instruction set ** API and ABI modifications: gnutls_crypto_register_cipher: Deprecated gnutls_crypto_register_aead_cipher: Deprecated gnutls_crypto_register_digest: Deprecated gnutls_crypto_register_mac: Deprecated gnutls_get_system_config_file: Added gnutls_hash_copy: Added gnutls_hmac_copy: Added GNUTLS_MAC_AES_GMAC_128: Added GNUTLS_MAC_AES_GMAC_192: Added GNUTLS_MAC_AES_CMAC_256: Added GNUTLS_SAN_REGISTERED_ID: Added @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.136 2019/08/15 15:46:15 sevan Exp $ d7 2 d10 1 a10 1 SHA1 (patch-lib_accelerated_x86_x86-common.c) = eaf3c473b1ca83c5b15be26f8c06a82d7961420c @ 1.136 log @Build fix for OS X Tiger via Macports @ text @d1 1 a1 1 $NetBSD$ d3 4 a6 4 SHA1 (gnutls-3.6.8.tar.xz) = e1243188791af409bca118d31faf3ec3d5f0a5ab RMD160 (gnutls-3.6.8.tar.xz) = a834679524f95a38a8a1ea77394906db637d33fe SHA512 (gnutls-3.6.8.tar.xz) = 71f0899de0ffb2a39b25928042114e2bbfde7fbf2029d9f91f60bf60794916d13f544fc97337e4e3282e7faa17e79a8012b0e08f98805bee543c0ba4e5d5a905 Size (gnutls-3.6.8.tar.xz) = 5712580 bytes @ 1.135 log @Update to v3.6.8 Changes ======= * Version 3.6.8 (released 2019-05-28) ** libgnutls: Added gnutls_prf_early() function to retrieve early keying material (#329) ** libgnutls: Added support for AES-XTS cipher (#354) ** libgnutls: Fix calculation of Streebog digests (incorrect carry operation in 512 bit addition) ** libgnutls: During Diffie-Hellman operations in TLS, verify that the peer's public key is on the right subgroup (y^q=1 mod p), when q is available (under TLS 1.3 and under earlier versions when RFC7919 parameters are used). ** libgnutls: the gnutls_srp_set_server_credentials_function can now be used with the 8192 parameters as well (#995). ** libgnutls: Fixed bug preventing the use of gnutls_pubkey_verify_data2() and gnutls_pubkey_verify_hash2() with the GNUTLS_VERIFY_DISABLE_CA_SIGN flag (#754) ** libgnutls: The priority string option %ALLOW_SMALL_RECORDS was added to allow clients to communicate with the server advertising smaller limits than 512 ** libgnutls: Apply STD3 ASCII rules in gnutls_idna_map() to prevent hostname/domain crafting via IDNA conversion (#720) ** certtool: allow the digital signature key usage flag in CA certificates. Previously certtool would ignore this flag for CA certificates even if specified (#767) ** gnutls-cli/serv: added the --keymatexport and --keymatexportsize options. These allow testing the RFC5705 using these tools. ** API and ABI modifications: gnutls_prf_early: Added gnutls_record_set_max_recv_size: Added gnutls_dh_params_import_raw3: Added gnutls_ffdhe_2048_group_q: Added gnutls_ffdhe_3072_group_q: Added gnutls_ffdhe_4096_group_q: Added gnutls_ffdhe_6144_group_q: Added gnutls_ffdhe_8192_group_q: Added @ text @d9 1 @ 1.134 log @gnutls: Update to 3.6.7 Bug fix and security release on the stable 3.6.x branch. OK during the freeze by , thanks! Changes: 3.6.7 ----- - libgnutls, gnutls tools: Every gnutls_free() will automatically set the free'd pointer to NULL. This prevents possible use-after-free and double free issues. Use-after-free will be turned into NULL dereference. The counter-measure does not extend to applications using gnutls_free(). - libgnutls: Fixed a memory corruption (double free) vulnerability in the certificate verification API. Reported by Tavis Ormandy; addressed with the change above. [GNUTLS-SA-2019-03-27, #694] - libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages; Found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704] - libgnutls: enforce key usage limitations on certificates more actively. Previously we would enforce it for TLS1.2 protocol, now we enforce it even when TLS1.3 is negotiated, or on client certificates as well. When an inappropriate for TLS1.3 certificate is seen on the credentials structure GnuTLS will disable TLS1.3 support for that session (#690). - libgnutls: the default number of tickets sent under TLS 1.3 was increased to two. This makes it easier for clients which perform multiple connections to the server to use the tickets sent by a default server. - libgnutls: enforce the equality of the two signature parameters fields in a certificate. We were already enforcing the signature algorithm, but there was a bug in parameter checking code. - libgnutls: fixed issue preventing sending and receiving from different threads when false start was enabled (#713). - libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable session, as non-writeable security officer sessions are undefined in PKCS#11 (#721). - libgnutls: no longer send downgrade sentinel in TLS 1.3. Previously the sentinel value was embedded to early in version negotiation and was sent even on TLS 1.3. It is now sent only when TLS 1.2 or earlier is negotiated (#689). - gnutls-cli: Added option --logfile to redirect informational messages output. - No API and ABI modifications since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.133 2019/03/20 06:27:11 adam Exp $ d3 4 a6 4 SHA1 (gnutls-3.6.7.tar.xz) = 71f73b9829e44c947bb668b25b8b2e594a065345 RMD160 (gnutls-3.6.7.tar.xz) = 0def1ae12df5f6dd30e3b2b853e0426837c6247e SHA512 (gnutls-3.6.7.tar.xz) = ae9b8996eb9b7269d28213f0aca3a4a17890ba8d47e3dc3b8e754ab8e2b4251e9412aaaa161a8bf56167f04cc169b4cada46f55a7bde92b955eb36cd717a99f3 Size (gnutls-3.6.7.tar.xz) = 8153728 bytes @ 1.133 log @gnutls: updated to 3.6.6 Version 3.6.6: * libgnutls: gnutls_pubkey_import_ecc_raw() was fixed to set the number bits on the public key. * libgnutls: Added support for raw public-key authentication as defined in RFC7250. Raw public-keys can be negotiated by enabling the corresponding certificate types via the priority strings. The raw public-key mechanism must be explicitly enabled via the GNUTLS_ENABLE_RAWPK init flag. * libgnutls: When on server or client side we are sending no extensions we do not set an empty extensions field but we rather remove that field competely. This solves a regression since 3.5.x and improves compatibility of the server side with certain clients. * libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if the CKA_SIGN is not set. * libgnutls: The priority string option %NO_EXTENSIONS was improved to completely disable extensions at all cases, while providing a functional session. This also implies that when specified, TLS1.3 is disabled. * libgnutls: GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated. The previous definition was non-functional. * API and ABI modifications: GNUTLS_ENABLE_RAWPK: Added GNUTLS_ENABLE_CERT_TYPE_NEG: Removed (was no-op; replaced by GNUTLS_ENABLE_RAWPK) GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION: Deprecated GNUTLS_PCERT_NO_CERT: Deprecated @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.132 2018/12/09 20:12:41 leot Exp $ d3 4 a6 4 SHA1 (gnutls-3.6.6.tar.xz) = d094f3c554b40d76dac2d2d75a8a141c008dc6c4 RMD160 (gnutls-3.6.6.tar.xz) = b83342901fc4d0f597d4d97e1d853431a27cc162 SHA512 (gnutls-3.6.6.tar.xz) = 4ff34f38d7dc543bc5750d8fdfe9be84af60c66e8d41da45f6cffc11d6c6c726784fd2d471b3416604ca1f3f9efb22ff7a290d5c92c96deda38df6ae3e794cc1 Size (gnutls-3.6.6.tar.xz) = 8257612 bytes @ 1.132 log @gnutls: Update security/gnutls to 3.6.5 pkgsrc changes: - Remove comments regarding bash and tests (bash was added unconditionally due REPLACE_BASH usages) Changes: 3.6.5 ----- ** libgnutls: Provide the option of transparent re-handshake/reauthentication when the GNUTLS_AUTO_REAUTH flag is specified in gnutls_init() (#571). ** libgnutls: Added support for TLS 1.3 zero round-trip (0-RTT) mode (#127) ** libgnutls: The priority functions will ignore and not enable TLS1.3 if requested with legacy TLS versions enabled but not TLS1.2. That is because if such a priority string is used in the client side (e.g., TLS1.3+TLS1.0 enabled) servers which do not support TLS1.3 will negotiate TLS1.2 which will be rejected by the client as disabled (#621). ** libgnutls: Change RSA decryption to use a new side-channel silent function. This addresses a security issue where memory access patterns as well as timing on the underlying Nettle rsa-decrypt function could lead to new Bleichenbacher attacks. Side-channel resistant code is slower due to the need to mask access and timings. When used in TLS the new functions cause RSA based handshakes to be between 13% and 28% slower on average (Numbers are indicative, the tests where performed on a relatively modern Intel CPU, results vary depending on the CPU and architecture used). This change makes nettle 3.4.1 the minimum requirement of gnutls (#630). [CVSS: medium] ** libgnutls: gnutls_priority_init() and friends, allow the CTYPE-OPENPGP keyword in the priority string. It is only accepted as legacy option and is ignored. ** libgnutls: Added support for EdDSA under PKCS#11 (#417) ** libgnutls: Added support for AES-CFB8 cipher (#357) ** libgnutls: Added support for AES-CMAC MAC (#351) ** libgnutls: In two previous versions GNUTLS_CIPHER_GOST28147_CPB/CPC/CPD_CFB ciphers have incorrectly used CryptoPro-A S-BOX instead of proper (CryptoPro-B/-C/-D S-BOXes). They are fixed now. ** libgnutls: Added support for GOST key unmasking and unwrapped GOST private keys parsing, as specified in R 50.1.112-2016. ** gnutls-serv: It applies the default settings when no --priority option is given, using gnutls_set_default_priority(). ** p11tool: Fix initialization of security officer's PIN with the --initialize-so-pin option (#561) ** certtool: Add parameter --no-text that prevents certtool from outputting text before PEM-encoded private key, public key, certificate, CRL or CSR. ** API and ABI modifications: GNUTLS_AUTO_REAUTH: Added GNUTLS_CIPHER_AES_128_CFB8: Added GNUTLS_CIPHER_AES_192_CFB8: Added GNUTLS_CIPHER_AES_256_CFB8: Added GNUTLS_MAC_AES_CMAC_128: Added GNUTLS_MAC_AES_CMAC_256: Added gnutls_record_get_max_early_data_size: Added gnutls_record_send_early_data: Added gnutls_record_recv_early_data: Added gnutls_db_check_entry_expire_time: Added gnutls_anti_replay_set_add_function: Added gnutls_anti_replay_init: Added gnutls_anti_replay_deinit: Added gnutls_anti_replay_set_window: Added gnutls_anti_replay_enable: Added gnutls_privkey_decrypt_data2: Added @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.131 2018/11/09 18:03:45 nia Exp $ d3 4 a6 4 SHA1 (gnutls-3.6.5.tar.xz) = 749fcaba23f63b523ec2ad262caeca6f1e62fc6f RMD160 (gnutls-3.6.5.tar.xz) = a7194f821deb3b1cd9efa7be8382bf893e317a8e SHA512 (gnutls-3.6.5.tar.xz) = 127f053ce45c63cd745fa5a654a2d8e4fbc322f5e17dcc3740fb2e7b376dd18dad59318d66e6e93e37d6a179fca4b35cf2ae62d13be5645cd2d06badd79d4dce Size (gnutls-3.6.5.tar.xz) = 8192888 bytes @ 1.131 log @gnutls: update to 3.6.4. * Version 3.6.4 (released 2018-09-24) ** libgnutls: Added the final (RFC8446) version numbering of the TLS1.3 protocol. ** libgnutls: Corrected regression since 3.6.3 in the callbacks set with gnutls_certificate_set_retrieve_function() which could not handle the case where no certificates were returned, or the callbacks were set to NULL (see #528). ** libgnutls: gnutls_handshake() on server returns early on handshake when no certificate is presented by client and the gnutls_init() flag GNUTLS_ENABLE_EARLY_START is specified. ** libgnutls: Added session ticket key rotation on server side with TOTP. The key set with gnutls_session_ticket_enable_server() is used as a master key to generate time-based keys for tickets. The rotation relates to the gnutls_db_set_cache_expiration() period. ** libgnutls: The 'record size limit' extension is added and preferred to the 'max record size' extension when possible. ** libgnutls: Provide a more flexible PKCS#11 search of trust store certificates. This addresses the problem where the CA certificate doesn't have a subject key identifier whereas the end certificates have an authority key identifier (#569) ** libgnutls: gnutls_privkey_export_gost_raw2(), gnutls_privkey_import_gost_raw(), gnutls_pubkey_export_gost_raw2(), gnutls_pubkey_import_gost_raw() import and export GOST parameters in the "native" little endian format used for these curves. This is an intentional incompatible change with 3.6.3. ** libgnutls: Added support for seperately negotiating client and server certificate types as defined in RFC7250. This mechanism must be explicitly enabled via the GNUTLS_ENABLE_CERT_TYPE_NEG flag in gnutls_init(). ** gnutls-cli: enable CRL validation on startup (#564) ** API and ABI modifications: GNUTLS_ENABLE_EARLY_START: Added GNUTLS_ENABLE_CERT_TYPE_NEG: Added GNUTLS_TL_FAIL_ON_INVALID_CRL: Added GNUTLS_CERTIFICATE_VERIFY_CRLS: Added gnutls_ctype_target_t: New enumeration gnutls_record_set_max_early_data_size: Added gnutls_certificate_type_get2: Added gnutls_priority_certificate_type_list2: Added gnutls_ffdhe_6144_group_prime: Added gnutls_ffdhe_6144_group_generator: Added gnutls_ffdhe_6144_key_bits: Added @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.130 2018/08/16 11:05:47 wiz Exp $ d3 4 a6 4 SHA1 (gnutls-3.6.4.tar.xz) = cb3e25d477a8821b05ba8e0596093ddb64c3f702 RMD160 (gnutls-3.6.4.tar.xz) = fee56aaf3ecb6e7e7e18c804592dadac555ec517 SHA512 (gnutls-3.6.4.tar.xz) = f39ac09b48ebf230653cbf82b29ded39a1403313067135495b23f428b35783f9ef073993157d1f284678abedd19e2cf1fd01af843001b88320ca17b346b219ab Size (gnutls-3.6.4.tar.xz) = 8076364 bytes @ 1.130 log @gnutls: update to 3.6.3. * Version 3.6.3 (released 2018-07-16) ** libgnutls: Introduced support for draft-ietf-tls-tls13-28. It includes version negotiation, post handshake authentication, length hiding, multiple OCSP support, consistent ciphersuite support across protocols, hello retry requests, ability to adjust key shares via gnutls_init() flags, certificate authorities extension, and key usage limits. TLS1.3 draft-28 support can be enabled by default if the option --enable-tls13-support is given to configure script. ** libgnutls: Apply compatibility settings for existing applications running with TLS1.2 or earlier and TLS 1.3. When SRP or NULL ciphersuites are specified in priority strings TLS 1.3 is will be disabled. When Anonymous ciphersuites are specified in priority strings, then TLS 1.3 negotiation will be disabled if the session is associated only with an anonymous credentials structure. ** Added support for Russian Public Key Infrastructure according to RFCs 4491/4357/7836. This adds support for using GOST keys for digital signatures and under PKCS#7, PKCS#12, and PKCS#8 standards. In particular added elliptic curves GOST R 34.10-2001 CryptoProA 256-bit curve (RFC 4357), GOST R 34.10-2001 CryptoProXchA 256-bit curve (RFC 4357), and GOST R 34.10-2012 TC26-512-A 512-bit curve (RFC 7836). ** Provide a uniform cipher list across supported TLS protocols; the CAMELLIA ciphers as well as ciphers utilizing HMAC-SHA384 and SHA256 have been removed from the default priority strings, as they are undefined under TLS1.3 and they provide not advantage over other options in earlier protocols. ** The SSL 3.0 protocol is disabled on compile-time by default. It can be re-enabled by specifying --enable-ssl3-support on configure script. ** libgnutls: Introduced function to switch the current FIPS140-2 operational mode, i.e., strict vs a more lax mode which will allow certain non FIPS140-2 operations. ** libgnutls: Introduced low-level function to assist applications attempting client hello extension parsing, prior to GnuTLS' parsing of the message. ** libgnutls: When exporting an X.509 certificate avoid re-encoding if there are no modifications to the certificate. That prevents DER re-encoding issues with incorrectly encoded certificates, or other DER incompatibilities to affect a TLS session. Relates with #403 ** libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the groups which are preferred by the server. That unfortunately has complicated semantics as TLS1.2 requires specific ordering of the groups based on the ciphersuite ordering, which could make group order unpredictable if TLS1.3 is negotiated. ** Improved counter-measures for TLS CBC record padding. Kenny Paterson, Eyal Ronen and Adi Shamir reported that the existing counter-measures had certain issues and were insufficient when the attacker has additional access to the CPU cache and performs a chosen-plaintext attack. This affected the legacy CBC ciphersuites. [CVSS: medium] ** Introduced the %FORCE_ETM priority string option. This option prevents the negotiation of legacy CBC ciphersuites unless encrypt-then-mac is negotiated. ** libgnutls: gnutls_privkey_import_ext4() was enhanced with the GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag. ** libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2, gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an API change for these functions which make them err towards safety. ** libgnutls: improved aarch64 cpu features detection by using getauxval(). ** certtool: It is now possible to specify certificate and serial CRL numbers greater than 2**63-2 as a hex-encoded string both when prompted and in a template file. Default certificate serial numbers are now fully random. Default CRL numbers include more random bits and are larger than in previous GnuTLS versions. Since CRL numbers are required to be monotonic, specify suitable CRL numbers manually if you intend to later downgrade to previous versions as it was not possible to specify large CRL numbers in previous versions of certtool. @ text @d1 1 a1 1 $NetBSD$ d3 4 a6 5 SHA1 (gnutls-3.6.3.tar.xz) = ac96787a7fbd550a2b201e64c0e752821e90fed7 RMD160 (gnutls-3.6.3.tar.xz) = 108848d1b51e0d81ac1b2fdce596222d486fc737 SHA512 (gnutls-3.6.3.tar.xz) = 6238502464d229a9777e3076f4c745d16deaada83c9da756ecdcd370947576e0446bda3a7f85d5a099b745bbf8c0134ebdf6632e4b26d61daf170792fb4f5abe Size (gnutls-3.6.3.tar.xz) = 8010284 bytes SHA1 (patch-doc_examples_tlsproxy_tlsproxy.c) = 42f2cfbf77cb6169d733a1f56c6f141f66e055cd @ 1.130.2.1 log @Pullup ticket #5880 - requested by nia security/gnutls: security update Revisions pulled up: - security/gnutls/Makefile 1.191 - security/gnutls/PLIST 1.61 - security/gnutls/distinfo 1.131 - security/gnutls/patches/patch-doc_examples_tlsproxy_tlsproxy.c deleted ------------------------------------------------------------------- Module Name: pkgsrc Committed By: nia Date: Fri Nov 9 18:03:45 UTC 2018 Modified Files: pkgsrc/security/gnutls: Makefile PLIST distinfo Removed Files: pkgsrc/security/gnutls/patches: patch-doc_examples_tlsproxy_tlsproxy.c Log Message: gnutls: update to 3.6.4. * Version 3.6.4 (released 2018-09-24) ** libgnutls: Added the final (RFC8446) version numbering of the TLS1.3 protocol. ** libgnutls: Corrected regression since 3.6.3 in the callbacks set with gnutls_certificate_set_retrieve_function() which could not handle the case where no certificates were returned, or the callbacks were set to NULL (see #528). ** libgnutls: gnutls_handshake() on server returns early on handshake when no certificate is presented by client and the gnutls_init() flag GNUTLS_ENABLE_EARLY_START is specified. ** libgnutls: Added session ticket key rotation on server side with TOTP. The key set with gnutls_session_ticket_enable_server() is used as a master key to generate time-based keys for tickets. The rotation relates to the gnutls_db_set_cache_expiration() period. ** libgnutls: The 'record size limit' extension is added and preferred to the 'max record size' extension when possible. ** libgnutls: Provide a more flexible PKCS#11 search of trust store certificates. This addresses the problem where the CA certificate doesn't have a subject key identifier whereas the end certificates have an authority key identifier (#569) ** libgnutls: gnutls_privkey_export_gost_raw2(), gnutls_privkey_import_gost_raw(), gnutls_pubkey_export_gost_raw2(), gnutls_pubkey_import_gost_raw() import and export GOST parameters in the "native" little endian format used for these curves. This is an intentional incompatible change with 3.6.3. ** libgnutls: Added support for seperately negotiating client and server certificate types as defined in RFC7250. This mechanism must be explicitly enabled via the GNUTLS_ENABLE_CERT_TYPE_NEG flag in gnutls_init(). ** gnutls-cli: enable CRL validation on startup (#564) ** API and ABI modifications: GNUTLS_ENABLE_EARLY_START: Added GNUTLS_ENABLE_CERT_TYPE_NEG: Added GNUTLS_TL_FAIL_ON_INVALID_CRL: Added GNUTLS_CERTIFICATE_VERIFY_CRLS: Added gnutls_ctype_target_t: New enumeration gnutls_record_set_max_early_data_size: Added gnutls_certificate_type_get2: Added gnutls_priority_certificate_type_list2: Added gnutls_ffdhe_6144_group_prime: Added gnutls_ffdhe_6144_group_generator: Added gnutls_ffdhe_6144_key_bits: Added To generate a diff of this commit: cvs rdiff -u -r1.190 -r1.191 pkgsrc/security/gnutls/Makefile cvs rdiff -u -r1.60 -r1.61 pkgsrc/security/gnutls/PLIST cvs rdiff -u -r1.130 -r1.131 pkgsrc/security/gnutls/distinfo cvs rdiff -u -r1.1 -r0 \ pkgsrc/security/gnutls/patches/patch-doc_examples_tlsproxy_tlsproxy.c @ text @d3 5 a7 4 SHA1 (gnutls-3.6.4.tar.xz) = cb3e25d477a8821b05ba8e0596093ddb64c3f702 RMD160 (gnutls-3.6.4.tar.xz) = fee56aaf3ecb6e7e7e18c804592dadac555ec517 SHA512 (gnutls-3.6.4.tar.xz) = f39ac09b48ebf230653cbf82b29ded39a1403313067135495b23f428b35783f9ef073993157d1f284678abedd19e2cf1fd01af843001b88320ca17b346b219ab Size (gnutls-3.6.4.tar.xz) = 8076364 bytes @ 1.129 log @Update gnutls to 3.6.2 * Version 3.6.2 (released 2018-02-16) ** libgnutls: When verifying against a self signed certificate ignore issuer. That is, ignore issuer when checking the issuer's parameters strength, resolving issue #347 which caused self signed certificates to be additionally marked as of insufficient security level. ** libgnutls: Corrected MTU calculation for the CBC ciphersuites. The data MTU calculation now, it correctly accounts for the fixed overhead due to padding (as 1 byte), while at the same time considers the rest of the padding as part of data MTU. ** libgnutls: Address issue of loading of all PKCS#11 modules on startup on systems with a PKCS#11 trust store (as opposed to a file trust store). Introduced a multi-stage initialization which loads the trust modules, and other modules are deferred for the first pure PKCS#11 request. ** libgnutls: The SRP authentication will reject any parameters outside RFC5054. This protects any client from potential MitM due to insecure parameters. That also brings SRP in par with the RFC7919 changes to Diffie-Hellman. ** libgnutls: Added the 8192-bit parameters of SRP to the accepted parameters for SRP authentication. ** libgnutls: Addressed issue in the accelerated code affecting interoperability with versions of nettle >= 3.4. ** libgnutls: Addressed issue in the AES-GCM acceleration under aarch64. ** libgnutls: Addressed issue in the AES-CBC acceleration under ssse3 (patch by Vitezslav Cizek). ** srptool: the --create-conf option no longer includes 1024-bit parameters. ** p11tool: Fixed the deletion of objects in batch mode. ** API and ABI modifications: gnutls_srp_8192_group_generator: Added gnutls_srp_8192_group_prime: Added * Version 3.6.1 (released 2017-10-21) ** libgnutls: Fixed interoperability issue with openssl when safe renegotiation was used. Resolves gitlab issue #259. ** libgnutls: gnutls_x509_crl_sign, gnutls_x509_crt_sign, gnutls_x509_crq_sign, were modified to sign with a better algorithm than SHA1. They will now sign with an algorithm that corresponds to the security level of the signer's key. ** libgnutls: gnutls_x509_*_sign2() functions and gnutls_x509_*_privkey_sign() accept GNUTLS_DIG_UNKNOWN (0) as a hash function option. That will signal the function to auto-detect an appropriate hash algorithm to use. ** libgnutls: Removed support for signature algorithms using SHA2-224 in TLS. TLS 1.3 no longer uses SHA2-224 and it was never a widespread algorithm in TLS 1.2. As such, no reason to keep supporting it. ** libgnutls: Refuse to use client certificates containing disallowed algorithms for a session. That reverts a change on 3.5.5, which allowed a client to use DSA-SHA1 due to his old DSA certificate, without requiring him to enable DSA-SHA1 (and thus make it acceptable for the server's certificate). The previous approach was to allow a smooth move for client infrastructure after the DSA algorithm became disabled by default, and is no longer necessary as DSA is now being universally deprecated. ** libgnutls: Refuse to resume a session which had a different SNI advertised. That improves RFC6066 support in server side. Reported by Thomas Klute. ** p11tool: Mark all generated objects as sensitive by default. ** p11tool: added options --sign-params and --hash. This allows testing signature with multiple algorithms, including RSA-PSS. ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.128 2017/09/06 13:41:26 wiz Exp $ d3 5 a7 4 SHA1 (gnutls-3.6.2.tar.xz) = 24e5a416ce320945a2515619f3c2f0f6f2290ddc RMD160 (gnutls-3.6.2.tar.xz) = 8f08c2f8e4957338b5efcb40d3584870a53741e1 SHA512 (gnutls-3.6.2.tar.xz) = 6a574d355226bdff6198ab3f70633ff2a3cff4b5d06793bdaf19d007063bd4dd515d1bd3f331a9eb1a9ad01f83007801cfa55e5fd16c1cd3461ac33d1813fb06 Size (gnutls-3.6.2.tar.xz) = 8093304 bytes @ 1.128 log @Updated gnutls to 3.6.0. * Version 3.6.0 (released 2017-08-21) ** libgnutls: tlsfuzzer is part of the CI testsuite. This is a TLS testing and fuzzying toolkit, allowing for corner case testing, and ensuring that the behavior of the library will not change across releases. https://github.com/tomato42/tlsfuzzer ** libgnutls: Introduced a lock-free random generator which operates per-thread and eliminates random-generator related bottlenecks in multi-threaded operation. Resolves gitlab issue #141. http://nmav.gnutls.org/2017/03/improving-by-simplifying-gnutls-prng.html ** libgnutls: Replaced the Salsa20 random generator with one based on CHACHA. The goal is to reduce code needed in cache (CHACHA is also used for TLS), and the number of primitives used by the library. That does not affect the AES-DRBG random generator used in FIPS140-2 mode. ** libgnutls: Added support for RSA-PSS key type as well as signatures in certificates, and TLS key exchange. Contributed by Daiki Ueno. RSA-PSS signatures can be generated by RSA-PSS keys and normal RSA keys, but not vice-versa. The feature includes: * RSA-PSS key generation and key handling (in PKCS#8 form) * RSA-PSS key generation and key handling from PKCS#11 (with CKM_RSA_PKCS_PSS mech) * Handling of RSA-PSS subjectPublicKeyInfo parameters, when present in either the private key or certificate. * RSA-PSS signing and verification of PKIX certificates * RSA-PSS signing and verification of TLS 1.2 handshake * RSA-PSS signing and verification of PKCS#7 structures * RSA-PSS and RSA key combinations for TLS credentials. That is, when multiple keys are supplied, RSA-PSS keys are preferred over RSA for RSA-PSS TLS signatures, to contain risks of cross-protocol attacks between the algorithms. * RSA-PSS key conversion to RSA PKCS#1 form (certtool --to-rsa) Note that RSA-PSS signatures with SHA1 are (intentionally) not supported. ** libgnutls: Added support for Ed25519 signing in certificates and TLS key exchange following draft-ietf-tls-rfc4492bis-17. The feature includes: * Ed25519 key generation and key handling (in PKCS#8 form) * Ed25519 signing and verification of PKIX certificates * Ed25519 signing and verification of TLS 1.2 handshake * Ed25519 signing and verification of PKCS#7 structures ** libgnutls: Enabled X25519 key exchange by default, following draft-ietf-tls-rfc4492bis-17. ** libgnutls: Added support for Diffie-Hellman group negotiation following RFC7919. That makes the DH parameters negotiation more robust and less prone to errors due to insecure parameters. Servers are no longer required to specific explicit DH parameters, though if they do these parameters will be used. Group selection can be done via priority strings. The introduced strings are GROUP-ALL, GROUP-FFDHE2048, GROUP-FFDHE3072, GROUP-FFDHE4096 and GROUP-FFDHE8192, as well as the corresponding to curves groups. Note that the 6144 group from RFC7919 is not supported. ** libgnutls: Introduced various sanity checks on certificate import. Refuse to import certificates which have fractional seconds in Time fields, X.509v1 certificates which have the unique identifiers set, and certificates with illegal version numbers. All of these are prohibited by RFC5280. ** libgnutls: Introduced gnutls_x509_crt_set_flags(). This function can set flags in the crt structure. The only flag supported at the moment is GNUTLS_X509_CRT_FLAG_IGNORE_SANITY which skips the certificate sanity checks on import. ** libgnutls: PKIX certificates with unknown critical extensions are rejected on verification with status GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS. This behavior can be overriden by providing the flag GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS to verification functions. Resolves gitlab issue #177. ** libgnutls: Refuse to generate a certificate with an illegal version, or an illegal serial number. That is, gnutls_x509_crt_set_version() and gnutls_x509_crt_set_serial(), will fail on input considered to be invalid in RFC5280. ** libgnutls: Calls to gnutls_record_send() and gnutls_record_recv() prior to handshake being complete are now refused. Addresses gitlab issue #158. ** libgnutls: Added support for PKCS#12 files with no salt (zero length) in their password encoding, and PKCS#12 files using SHA384 and SHA512 as MAC. ** libgnutls: Exported functions to encode and decode DSA and ECDSA r,s values. ** libgnutls: Added new callback setting function to gnutls_privkey_t for external keys. The new function (gnutls_privkey_import_ext4), allows signing in addition to previous algorithms (RSA PKCS#1 1.5, DSA, ECDSA), with RSA-PSS and Ed25519 keys. ** libgnutls: Introduced the %VERIFY_ALLOW_BROKEN and %VERIFY_ALLOW_SIGN_WITH_SHA1 priority string options. These allows enabling all broken and SHA1-based signature algorithms in certificate verification, respectively. ** libgnutls: 3DES-CBC is no longer included in the default priorities list. It has to be explicitly enabled, e.g., with a string like "NORMAL:+3DES-CBC". ** libgnutls: SHA1 was marked as insecure for signing certificates. Verification of certificates signed with SHA1 is now considered insecure and will fail, unless flags intended to enable broken algorithms are set. Other uses of SHA1 are still allowed. This can be reverted on compile time with the configure flag --enable-sha1-support. ** libgnutls: RIPEMD160 was marked as insecure for certificate signatures. Verification of certificates signed with RIPEMD160 hash algorithm is now considered insecure and will fail, unless flags intended to enable broken algorithms are set. ** libgnutls: No longer enable SECP192R1 and SECP224R1 by default on TLS handshakes. These curves were rarely used for that purpose, provide no advantage over x25519 and were deprecated by TLS 1.3. ** libgnutls: Removed support for DEFLATE, or any other compression method. ** libgnutls: OpenPGP authentication was removed; the resulting library is ABI compatible, with the openpgp related functions being stubs that fail on invocation. ** libgnutls: Removed support for libidn (i.e., IDNA2003); gnutls can now be compiled only with libidn2 which provides IDNA2008. ** certtool: The option '--load-ca-certificate' can now accept PKCS#11 URLs in addition to files. ** certtool: The option '--load-crl' can now be used when generating PKCS#12 files (i.e., in conjunction with '--to-p12' option). ** certtool: Keys with provable RSA and DSA parameters are now only read and exported from PKCS#8 form, following draft-mavrogiannopoulos-pkcs8-validated-parameters-00.txt. This removes support for the previous a non-standard key format. ** certtool: Added support for generating, printing and handling RSA-PSS and Ed25519 keys and certificates. ** certtool: the parameters --rsa, --dsa and --ecdsa to --generate-privkey are now deprecated, replaced by the --key-type option. ** p11tool: The --generate-rsa, --generate-ecc and --generate-dsa options were replaced by the --generate-privkey option. ** psktool: Generate 256-bit keys by default. ** gnutls-server: Increase request buffer size to 16kb, and added the --alpn and --alpn-fatal options, allowing testing of ALPN negotiation. ** API and ABI modifications: gnutls_encode_rs_value: Added gnutls_decode_rs_value: Added gnutls_base64_encode2: Added gnutls_base64_decode2: Added gnutls_x509_crt_set_flags: Added gnutls_x509_crt_check_ip: Added gnutls_x509_ext_import_inhibit_anypolicy: Added gnutls_x509_ext_export_inhibit_anypolicy: Added gnutls_x509_crt_get_inhibit_anypolicy: Added gnutls_x509_crt_set_inhibit_anypolicy: Added gnutls_pubkey_export_rsa_raw2: Added gnutls_pubkey_export_dsa_raw2: Added gnutls_pubkey_export_ecc_raw2: Added gnutls_privkey_export_rsa_raw2: Added gnutls_privkey_export_dsa_raw2: Added gnutls_privkey_export_ecc_raw2: Added gnutls_x509_spki_init: Added gnutls_x509_spki_deinit: Added gnutls_x509_spki_get_pk_algorithm: Added gnutls_x509_spki_set_pk_algorithm: Added gnutls_x509_spki_get_digest_algorithm: Added gnutls_x509_spki_set_digest_algorithm: Added gnutls_x509_spki_get_salt_size: Added gnutls_x509_spki_set_salt_size: Added gnutls_x509_crt_set_spki: Added gnutls_x509_crt_get_spki: Added gnutls_x509_privkey_get_spki: Added gnutls_x509_privkey_set_spki: Added gnutls_x509_crq_get_spki: Added gnutls_x509_crq_set_spki: Added gnutls_pubkey_set_spki: Added gnutls_pubkey_get_spki: Added gnutls_privkey_set_spki: Added gnutls_privkey_get_spki: Added gnutls_privkey_import_ext4: Added GNUTLS_EXPORT_FLAG_NO_LZ: Added GNUTLS_DT_IP_ADDRESS: Added GNUTLS_X509_CRT_FLAG_IGNORE_SANITY: Added GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS: Added GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1: Added GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES: Added GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS: Added GNUTLS_SFLAGS_RFC7919: Added @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.127 2017/08/31 10:18:12 wiz Exp $ d3 6 a8 8 SHA1 (gnutls-3.6.0.tar.xz) = 7526804877a555b0bd136dfaa8a2ade738018301 RMD160 (gnutls-3.6.0.tar.xz) = e2346506096e63a5a622a18c72c4269302ec4003 SHA512 (gnutls-3.6.0.tar.xz) = e5f36d7e8d64e8432098e30549c321745d3605eeb85aba2a04bfa92146ca771961f0e2f3682bcae36be5b6095acd25996104a4213ce7b3466d61332a5188dc03 Size (gnutls-3.6.0.tar.xz) = 8024972 bytes SHA1 (patch-fuzz_Makefile.in) = 8123ed5ac06c338a7ce0fb6da9533defaf93169f SHA1 (patch-lib_Makefile.in) = 3320a7ffa6252d116037974b6de8f5d9cd3bc610 SHA1 (patch-lib_accelerated_x86_x86-common.c) = 7a46ef6892b3a06ff4c949a965073c720a2491a4 SHA1 (patch-lib_atomic.h) = c59748108d6379fe09d2b5f7c2e31b2616ff40cb a13 1 SHA1 (patch-tests_suite_Makefile.in) = 69aac0ebae7fa8b755497d3ebe6145be118c6a52 @ 1.127 log @Updated gnutls to 3.5.15. * Version 3.5.15 (released 2017-08-21) ** libgnutls: Disable hardware acceleration on aarch64/ilp32 mode. There is no assembler code included for this CPU mode. ** certtool: Keys with provable RSA and DSA parameters are now only exported in PKCS#8 form, following draft-mavrogiannopoulos-pkcs8-validated-parameters-00.txt. This removes the need for a non-standard key format. ** API and ABI modifications: No changes since last version. * Version 3.5.14 (released 2017-07-04) ** libgnutls: Handle specially HSMs which request explicit authentication. There are HSMs which return CKR_USER_NOT_LOGGED_IN on the first private key operation. Detect that state and try to login. ** libgnutls: the GNUTLS_PKCS11_OBJ_FLAG_LOGIN will force a login on HSMs. That is, even in tokens which do not have a CKF_LOGIN_REQUIRED flag a login will be forced. This improves operation on certain Safenet HSMs. ** libgnutls: do not set leading zeros when copying integers on HSMs. PKCS#11 defines integers as unsigned having most significant byte first, e.g., 32768 = 0x80 0x00. This is interpreted literraly by some HSMs which do not accept an integer with a leading zero. This improves operation with certain Atos HSMs. ** libgnutls: Fixed issue discovering certain OCSP signers, and improved the discovery of OCSP signer in the case where the Subject Public Key identifier field matches. Resolves gitlab issue #223. ** gnutls-cli: ensure OCSP responses are saved with --save-ocsp even if certificate verification fails. ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.126 2017/06/30 06:15:44 wiz Exp $ d3 6 a8 6 SHA1 (gnutls-3.5.15.tar.xz) = 9b7466434332b92dc3ca704b9211370370814fac RMD160 (gnutls-3.5.15.tar.xz) = 29c45e4710b27d2f0c6e8d02692fb400b333b7ea SHA512 (gnutls-3.5.15.tar.xz) = 046cf3adf6cc3d38fd431f2ff28ddabb65f3c13379516d105316a04c7128be89c5f7ed3df6a034fc06e9ab2e154c2cde2f5cbe8530a1e58cc4b4fb72e158134b Size (gnutls-3.5.15.tar.xz) = 7238928 bytes SHA1 (patch-ae) = 5e020483ac14ef6ccc45a53e351242ab16c860f1 SHA1 (patch-lib_Makefile.in) = d0e292e632a91a9f19e39bd2c2d205a086ba5588 d10 1 d16 1 @ 1.126 log @Updated gnutls to 3.5.13. While here, remove empty line from PLIST. * Version 3.5.13 (released 2017-06-07) ** libgnutls: fixed issue with AES-GCM in-place encryption and decryption in aarch64. Resolves gitlab issue #204. ** libgnutls: no longer parse the ResponseID field of the status response TLS extension. The field is not used by GnuTLS nor is made available to calling applications. That addresses a null pointer dereference on server side caused by packets containing the ResponseID field. Reported by Hubert Kario. [GNUTLS-SA-2017-4] ** libgnutls: tolerate certificates which do not have strict DER time encoding. It is possible using 3rd party tools to generate certificates with time fields that do not conform to DER requirements. Since 3.4.x these certificates were rejected and cannot be used with GnuTLS, however that caused problems with existing private certificate infrastructures, which were relying on such certificates (see gitlab issue #196). Tolerate reading and using these certificates. ** minitasn1: updated to libtasn1 4.11. ** certtool: allow multiple certificates to be used in --p7-sign with the --load-certificate option. Patch by Karl Tarbe. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.125 2017/05/18 07:54:26 he Exp $ d3 4 a6 4 SHA1 (gnutls-3.5.13.tar.xz) = 0cf738a968faf0461e9709b3ee0f64157ce040b3 RMD160 (gnutls-3.5.13.tar.xz) = 8d425288302672ae9617e6e827f7d2721a361b95 SHA512 (gnutls-3.5.13.tar.xz) = e98f23a589042f879936c3f8b474535e695fb7dd68a9e81323668c013241f765c2d3af6c6a072ecf867acc1e551ec46e15bb842144d3a06bdd5d2f4fc3d828a7 Size (gnutls-3.5.13.tar.xz) = 7226468 bytes @ 1.125 log @Update to GnuTLS 3.5.12. Pkgsrc changes: Adapt PLIST. Upstream changes: * Version 3.5.12 (released 2017-05-11) ** libgnutls: enabled TCP Fast open for MacOSX. Patch by Tim Ruehsen. ** libgnutls: gnutls_x509_crt_check_hostname2() no longer matches IP addresses against DNS fields of certificate (CN or DNSname). The previous behavior was to tolerate some misconfigured servers, but that was non-standard and skipped any IP constraints present in higher level certificates. ** libgnutls: when converting to IDNA2008, fallback to IDNA2003 (i.e., transitional encoding) if the domain cannot be converted. That provides maximum compatibility with browsers like firefox that perform the same conversion. ** libgnutls: fix issue in RSA-PSK client callback which resulted in no username being sent to the peer. Patch by Nicolas Dufresne. ** libgnutls: fix regression causing stapled extensions in trust modules not to be considered. ** certtool: introduced the email_protection_key option. This option was introduced in documentation for certtool without an implementation of it. It is a shortcut for option 'key_purpose_oid = 1.3.6.1.5.5.7.3.4'. ** certtool: made printing of key ID and key PIN consistent between certificates, public keys, and private keys. That is the private key printing now uses the same format as the rest. ** gnutls-cli: introduced the --sni-hostname option. This allows overriding the hostname advertised to the peer. ** API and ABI modifications: No changes since last version. * Version 3.5.11 (released 2017-04-07) ** gnutls.pc: do not include libtool options into Libs.private. ** libgnutls: Fixed issue when rehandshaking without a client certificate in a session which initially used one. Reported by Frantisek Sumsal. ** libgnutls: Addressed read of 4 bytes past the end of buffer in OpenPGP certificate parsing. Issues found using oss-fuzz project and were fixed by Alex Gaynor: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=737 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=824 ** libgnutls: Introduced locks in gnutls_pkcs11_privkey_t structure access. That allows PKCS#11 operations such as signing to be performed with the same object from multiple threads. ** libgnutls: Added support for MacOSX key chain for obtaining trust store's root CA certificates. That is, gnutls_x509_trust_list_add_system_trust() and gnutls_certificate_set_x509_system_trust() will load the certificates from the key chain. That also means that we no longer check for a default trust store file in configure when building on MacOSX (unless explicitly asked to). Patch by David Caldwell. ** libgnutls: when disabling OpenPGP authentication, the resulting library is ABI compatible (with openpgp related functions being stubs that fail on invocation). ** API and ABI modifications: No changes since last version. * Version 3.5.10 (released 2017-03-06) ** gnutls.pc: do not include libidn2 in Requires.private. The libidn2 versions available do not include libidn2.pc, thus the inclusion was causing pkg-config issues. Instead we include -lidn2 in Libs.private when compile against libidn2. ** libgnutls: optimized access to subject alternative names (SANs) in parsed certificates. The previous implementation assumed a small number of SANs in a certificate, with repeated calls to ASN.1 decoding of the extension without any intermediate caching. That caused delays in certificates with a long list of names in functions such as gnutls_x509_crt_check_hostname(). With the current code, the SANs are parsed once on certificate import. Resolves gitlab issue #165. ** libgnutls: Addressed integer overflow resulting to invalid memory write in OpenPGP certificate parsing. Issue found using oss-fuzz project: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420 [GNUTLS-SA-2017-3A] ** libgnutls: Addressed read of 1 byte past the end of buffer in OpenPGP certificate parsing. Issue found using oss-fuzz project: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=391 ** libgnutls: Addressed crashes in OpenPGP certificate parsing, related to private key parser. No longer allow OpenPGP certificates (public keys) to contain private key sub-packets. Issue found using oss-fuzz project: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360 [GNUTLS-SA-2017-3B] ** libgnutls: Addressed large allocation in OpenPGP certificate parsing, that could lead in out-of-memory condition. Issue found using oss-fuzz project, and was fixed by Alex Gaynor: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392 [GNUTLS-SA-2017-3C] ** libgnutls: Print the key PIN value used by the HPKP protocol as per RFC7469 when printing certificate information. ** libgnutls: gnutls_ocsp_resp_verify_direct() and gnutls_ocsp_resp_verify() flags can be set from the gnutls_certificate_verify_flags enumeration. This allows the functions to pass the same flags available for certificates to the verification function (e.g., GNUTLS_VERIFY_DISABLE_TIME_CHECKS or GNUTLS_VERIFY_ALLOW_BROKEN). ** libgnutls: gnutls_store_commitment() can accept flag GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN. This is to allow the function to operate in applications which use SHA1 for example, after SHA1 is deprecated. ** certtool: No longer ignore the 'add_critical_extension' template option if the 'add_extension' option is not present. ** gnutls-cli: Added LMTP, POP3, NNTP, Sieve and PostgreSQL support to the starttls-proto command. Patch by Robert Scheck. ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.124 2017/04/10 10:43:49 jperkin Exp $ d3 4 a6 4 SHA1 (gnutls-3.5.12.tar.xz) = 9f453686bc6b1e6ebc04197158a2bc123c0272df RMD160 (gnutls-3.5.12.tar.xz) = ffdd1b7af9376cee94e81fefd929ee6a41cd8fcb SHA512 (gnutls-3.5.12.tar.xz) = 8fec23e7e494a2e15e0f938115cae1ba3fee952d634db387f983b01096f68ca4313b23bc4c439d3c7fdd07c861eac4913a7c2343c8704961588ae195886ec90c Size (gnutls-3.5.12.tar.xz) = 7212652 bytes @ 1.124 log @Avoid unsupported xgetbv instruction on older Darwin assemblers. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.123 2017/02/26 09:19:56 adam Exp $ d3 4 a6 4 SHA1 (gnutls-3.5.9.tar.xz) = f3f184a92f128af1c2fb29b29a4d325af65694a5 RMD160 (gnutls-3.5.9.tar.xz) = a200b078cf9204f70dfaae7c045fc2f762a22809 SHA512 (gnutls-3.5.9.tar.xz) = 17a05143eaa70ee61b149a5f09ae7a688cb3f314ad1e67ce41a778e5960717e276cc780f3db9b6923c14c4d998e17563c134cab5297502181cd2dabb47da3515 Size (gnutls-3.5.9.tar.xz) = 7166932 bytes @ 1.123 log @* Version 3.5.9 (released 2017-02-12) ** libgnutls: Removed any references to OpenPGP functionality in documentation, and marked all functions in openpgp.h as deprecated. That functionality is considered deprecated and should not be used for other reason than backwards compatibility. ** libgnutls: Improve detection of AVX support. In certain cases when when the instruction was available on the host, but not on a VM running gnutls, detection could fail causing illegal instruction usage. ** libgnutls: Added support for IDNA2008 for internationalized DNS names. If gnutls is compiled using libidn2 (the latest version is recommended), it will support IDNA2008 instead of the now obsolete IDNA2003 standard. Resolves gitlab issue 150. Based on patch by Tim Ruehsen. ** p11tool: re-use ID from corresponding objects when writing certificates. That is, when writing a certificate which has a corresponding public key, or private key in the token, ensure that we use the same ID for the certificate. ** API and ABI modifications: gnutls_idna_map: Added gnutls_idna_reverse_map: Added @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.122 2017/01/10 16:23:49 wiz Exp $ d9 1 @ 1.123.2.1 log @Pullup ticket #5263 - requested by sevan security/gnutls: build fix Revisions pulled up: - security/gnutls/distinfo 1.124 - security/gnutls/patches/patch-lib_accelerated_x86_x86-common.c 1.1 --- Module Name: pkgsrc Committed By: jperkin Date: Mon Apr 10 10:43:49 UTC 2017 Modified Files: pkgsrc/security/gnutls: distinfo Added Files: pkgsrc/security/gnutls/patches: patch-lib_accelerated_x86_x86-common.c Log Message: Avoid unsupported xgetbv instruction on older Darwin assemblers. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.123 2017/02/26 09:19:56 adam Exp $ a8 1 SHA1 (patch-lib_accelerated_x86_x86-common.c) = 7a46ef6892b3a06ff4c949a965073c720a2491a4 @ 1.122 log @Updated gnutls to 3.5.8. * Version 3.5.8 (released 2016-01-09) ** libgnutls: Ensure that multiple calls to the gnutls_set_priority_* functions will not leave the verification profiles field to an undefined state. The last call will take precedence. ** libgnutls: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned by PKCS#8 decryption functions when an invalid key is provided. This addresses regression on decrypting certain PKCS#8 keys. ** libgnutls: Introduced option to override the default priority string used by the library. The intention is to allow support of system-wide priority strings (as set with --with-system-priority-file). The configure option is --with-default-priority-string. ** libgnutls: Require a valid IV size on all ciphers for PKCS#8 decryption. This prevents crashes when decrypting malformed PKCS#8 keys. ** libgnutls: Fix crash on the loading of malformed private keys with certain parameters set to zero. ** libgnutls: Fix double free in certificate information printing. If the PKIX extension proxy was set with a policy language set but no policy specified, that could lead to a double free. ** libgnutls: Addressed memory leaks in client and server side error paths (issues found using oss-fuzz project) ** libgnutls: Addressed memory leaks in X.509 certificate printing error paths (issues found using oss-fuzz project) ** libgnutls: Addressed memory leaks and an infinite loop in OpenPGP certificate parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project) ** libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing. (issues found using oss-fuzz project) ** API and ABI modifications: No changes since last version. * Version 3.5.7 (released 2016-12-8) ** libgnutls: Include CHACHA20-POLY1305 ciphersuites in the SECURE128 and SECURE256 priority strings. ** libgnutls: Require libtasn1 4.9; this ensures gnutls will correctly operate with OIDs which have elements that exceed 2^32. ** libgnutls: The DN decoding functions output the traditional DN format rather than the strict RFC4514 compliant textual DN. This reverts the 3.5.6 introduced change, and allows applications which depended on the previous format to continue to function. Introduced new functions which output the strict format by default, and can revert to the old one using a flag. ** libgnutls: Improved TPM key handling. Check authorization requirements prior to using a key and fix issue on loop for PIN input. Patches by James Bottomley. ** libgnutls: In all functions accepting UTF-8 passwords, ensure that passwords are normalized according to RFC7613. When invalid UTF-8 passwords are detected, they are only tolerated for decryption. This introduces a libunistring dependency on GnuTLS. A version of libunistring is included in the library for the platforms that do not ship it; it can be used with the '--with-included-unistring' option to configure script. ** libgnutls: When setting a subject alternative name in a certificate which is in UTF-8 format, it will transparently be converted to IDNA form prior to storing. ** libgnutls: GNUTLS_CRT_PRINT_ONELINE flag on gnutls_x509_crt_print() will print the SHA256 key-ID instead of a certificate fingerprint. ** libgnutls: enhance the PKCS#7 verification capabilities. In the case signers that are not discoverable using the trust list or input, use the stored list as pool to generate a trusted chain to the signer. ** libgnutls: Improved MTU calculation precision for the CBC ciphersuites under DTLS. ** libgnutls: [added missing news entry since 3.5.0] No longer tolerate certificate key usage violations for TLS signature verification, and decryption. That is GnuTLS will fail to connect to servers which incorrectly use a restricted to signing certificate for decryption, or vice-versa. This reverts the lax behavior introduced in 3.1.0, due to several such broken servers being available. The %COMPAT priority keyword can be used to work-around connecting on these servers. ** certtool: When exporting a CRQ in DER format ensure no text data are intermixed. Patch by Dmitry Eremin-Solenikov. ** certtool: Include the SHA-256 variant of key ID in --certificate-info options. ** p11tool: Introduced the --initialize-pin and --initialize-so-pin options. ** API and ABI modifications: gnutls_utf8_password_normalize: Added gnutls_ocsp_resp_get_responder2: Added gnutls_x509_crt_get_issuer_dn3: Added gnutls_x509_crt_get_dn3: Added gnutls_x509_rdn_get2: Added gnutls_x509_dn_get_str2: Added gnutls_x509_crl_get_issuer_dn3: Added gnutls_x509_crq_get_dn3: Added * Version 3.5.6 (released 2016-11-04) ** libgnutls: Enhanced the PKCS#7 parser to allow decoding old (pre-rfc5652) structures with arbitrary encapsulated content. ** libgnutls: Introduced a function group to set known DH parameters using groups from RFC7919. ** libgnutls: Added more strict RFC4514 textual DN encoding and decoding. Now the generated textual DN is in reverse order according to RFC4514, and functions which generate a DN from strings such gnutls_x509_crt_set_*dn() set the expected DN (reverse of the provided string). ** libgnutls: Introduced time and constraints checks in the end certificate in the gnutls_x509_crt_verify_data2() and gnutls_pkcs7_verify_direct() functions. ** libgnutls: Set limits on the maximum number of alerts handled. That is, applications using gnutls could be tricked into an busy loop if the peer sends continuously alert messages. Applications which set a maximum handshake time (via gnutls_handshake_set_timeout) will eventually recover but others may remain in a busy loops indefinitely. This is related but not identical to CVE-2016-8610, due to the difference in alert handling of the libraries (gnutls delegates that handling to applications). ** libgnutls: Reverted the change which made the gnutls_certificate_set_*key* functions return an index (introduced in 3.5.5), to avoid affecting programs which explicitly check success of the function as equality to zero. In order for these functions to return an index an explicit call to gnutls_certificate_set_flags with the GNUTLS_CERTIFICATE_API_V2 flag is now required. ** libgnutls: Reverted the behavior of sending a status request extension even without a response (introduced in 3.5.5). That is, we no longer reply to a client's hello with a status request, with a status request extension. Although that behavior is legal, it creates incompatibility issues with releases in the gnutls 3.3.x branch. ** libgnutls: Delayed the initialization of the random generator at the first call of gnutls_rnd(). This allows applications to load on systems which getrandom() would block, without blocking until real random data are needed. ** certtool: --get-dh-params will output parameters from the RFC7919 groups. ** p11tool: improvements in --initialize option. ** API and ABI modifications: GNUTLS_CERTIFICATE_API_V2: Added GNUTLS_NO_TICKETS: Added gnutls_pkcs7_get_embedded_data_oid: Added gnutls_anon_set_server_known_dh_params: Added gnutls_certificate_set_known_dh_params: Added gnutls_psk_set_server_known_dh_params: Added gnutls_x509_crt_check_key_purpose: Added * Version 3.5.5 (released 2016-10-09) ** libgnutls: enhanced gnutls_certificate_set_ocsp_status_request_file() to allow importing multiple OCSP request files, one for each chain provided. ** libgnutls: The gnutls_certificate_set_key* functions return an index of the added chain. That index can be used either with gnutls_certificate_set_ocsp_status_request_file(), or with gnutls_certificate_get_crt_raw() and friends. ** libgnutls: Added SHA*, AES-GCM, AES-CCM and AES-CBC optimized implementations for the aarch64 architecture. Uses Andy Polyakov's assembly code. ** libgnutls: Ensure proper cleanups on gnutls_certificate_set_*key() failures due to key mismatch. This prevents leaks or double freeing on such failures. ** libgnutls: Increased the maximum size of the handshake message hash. This will allow the library to cope better with larger packets, as the ones offered by current TLS 1.3 drafts. ** libgnutls: Allow to use client certificates despite them containing disallowed algorithms for a session. That allows for example a client to use DSA-SHA1 due to his old DSA certificate, without requiring him to enable DSA-SHA1 (and thus make it acceptable for the server's certificate). ** libgnutls: Reverted AESNI code on x86 to earlier version as the latest version was creating position depending code. Added checks in the CI to detect position depending code early. ** guile: Update code to the I/O port API of Guile >= 2.1.4 This makes sure the GnuTLS bindings will work with the forthcoming 2.2 stable series of Guile, of which 2.1 is a preview. ** API and ABI modifications: gnutls_certificate_set_ocsp_status_request_function2: Added gnutls_session_ext_register: Added gnutls_session_supplemental_register: Added GNUTLS_E_PK_INVALID_PUBKEY: Added GNUTLS_E_PK_INVALID_PRIVKEY: Added @ text @d1 1 a1 1 $NetBSD$ d3 4 a6 4 SHA1 (gnutls-3.5.8.tar.xz) = 238d5e62f9bb078101131dd2f4c7f2c1ac13e813 RMD160 (gnutls-3.5.8.tar.xz) = 77cd2f4a6da7cf1eece05422bc86b29833b08772 SHA512 (gnutls-3.5.8.tar.xz) = e6cdc4f9f2e41bd10e61b90b6b5ea3882c80a7130de8a0e9c23e373985cdc332128529dad49d6854fe93ee934e1bbde8b34dfd19e354b3a8e11b22d61424292e Size (gnutls-3.5.8.tar.xz) = 7264448 bytes @ 1.121 log @Add upstream patch so one test passes. Replace bash binary path in more shell scripts so more tests work. Result: no failing tests. Yay! @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.120 2016/09/19 13:01:09 wiz Exp $ d3 4 a6 4 SHA1 (gnutls-3.5.4.tar.xz) = d2b9d5f7ad158c5b2a636660fc445765ffd92c75 RMD160 (gnutls-3.5.4.tar.xz) = d4bb8babd43455bcec24f1298710b576ae996f44 SHA512 (gnutls-3.5.4.tar.xz) = 175aab43b6349a62530938333910feb26ea5d923e151a9942fd5a6989f87193b18862e69bbbdb6308f889585d428d689d8fd3a6e8149f9fd1ac2882802ea6a9f Size (gnutls-3.5.4.tar.xz) = 6930620 bytes a13 1 SHA1 (patch-tests_mini-server-name.c) = 5cf02775d81d01f133475e86940a222d18da5848 @ 1.121.4.1 log @Pullup ticket #5185 - requested by wiz security/gnutls: security fix Revisions pulled up: - security/gnutls/Makefile 1.168-1.169 - security/gnutls/PLIST 1.54 - security/gnutls/distinfo 1.122 - security/gnutls/patches/patch-tests_mini-server-name.c deleted --- Module Name: pkgsrc Committed By: maya Date: Sat Jan 7 18:49:16 UTC 2017 Modified Files: pkgsrc/security/gnutls: Makefile Log Message: gnutls: don't redefine max_align_t on FreeBSD. It incorrectly fails the configure test because the type in stddef.h is guarded by a c11 macro (most likely). Force the configure test to pass. From David Shao in PR pkg/51793 (originally from FreeBSD ports). --- Module Name: pkgsrc Committed By: wiz Date: Tue Jan 10 16:23:50 UTC 2017 Modified Files: pkgsrc/security/gnutls: Makefile PLIST distinfo Removed Files: pkgsrc/security/gnutls/patches: patch-tests_mini-server-name.c Log Message: Updated gnutls to 3.5.8. * Version 3.5.8 (released 2016-01-09) ** libgnutls: Ensure that multiple calls to the gnutls_set_priority_* functions will not leave the verification profiles field to an undefined state. The last call will take precedence. ** libgnutls: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned by PKCS#8 decryption functions when an invalid key is provided. This addresses regression on decrypting certain PKCS#8 keys. ** libgnutls: Introduced option to override the default priority string used by the library. The intention is to allow support of system-wide priority strings (as set with --with-system-priority-file). The configure option is --with-default-priority-string. ** libgnutls: Require a valid IV size on all ciphers for PKCS#8 decryption. This prevents crashes when decrypting malformed PKCS#8 keys. ** libgnutls: Fix crash on the loading of malformed private keys with certain parameters set to zero. ** libgnutls: Fix double free in certificate information printing. If the PKIX extension proxy was set with a policy language set but no policy specified, that could lead to a double free. ** libgnutls: Addressed memory leaks in client and server side error paths (issues found using oss-fuzz project) ** libgnutls: Addressed memory leaks in X.509 certificate printing error paths (issues found using oss-fuzz project) ** libgnutls: Addressed memory leaks and an infinite loop in OpenPGP certificate parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project) ** libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing. (issues found using oss-fuzz project) ** API and ABI modifications: No changes since last version. * Version 3.5.7 (released 2016-12-8) ** libgnutls: Include CHACHA20-POLY1305 ciphersuites in the SECURE128 and SECURE256 priority strings. ** libgnutls: Require libtasn1 4.9; this ensures gnutls will correctly operate with OIDs which have elements that exceed 2^32. ** libgnutls: The DN decoding functions output the traditional DN format rather than the strict RFC4514 compliant textual DN. This reverts the 3.5.6 introduced change, and allows applications which depended on the previous format to continue to function. Introduced new functions which output the strict format by default, and can revert to the old one using a flag. ** libgnutls: Improved TPM key handling. Check authorization requirements prior to using a key and fix issue on loop for PIN input. Patches by James Bottomley. ** libgnutls: In all functions accepting UTF-8 passwords, ensure that passwords are normalized according to RFC7613. When invalid UTF-8 passwords are detected, they are only tolerated for decryption. This introduces a libunistring dependency on GnuTLS. A version of libunistring is included in the library for the platforms that do not ship it; it can be used with the '--with-included-unistring' option to configure script. ** libgnutls: When setting a subject alternative name in a certificate which is in UTF-8 format, it will transparently be converted to IDNA form prior to storing. ** libgnutls: GNUTLS_CRT_PRINT_ONELINE flag on gnutls_x509_crt_print() will print the SHA256 key-ID instead of a certificate fingerprint. ** libgnutls: enhance the PKCS#7 verification capabilities. In the case signers that are not discoverable using the trust list or input, use the stored list as pool to generate a trusted chain to the signer. ** libgnutls: Improved MTU calculation precision for the CBC ciphersuites under DTLS. ** libgnutls: [added missing news entry since 3.5.0] No longer tolerate certificate key usage violations for TLS signature verification, and decryption. That is GnuTLS will fail to connect to servers which incorrectly use a restricted to signing certificate for decryption, or vice-versa. This reverts the lax behavior introduced in 3.1.0, due to several such broken servers being available. The %COMPAT priority keyword can be used to work-around connecting on these servers. ** certtool: When exporting a CRQ in DER format ensure no text data are intermixed. Patch by Dmitry Eremin-Solenikov. ** certtool: Include the SHA-256 variant of key ID in --certificate-info options. ** p11tool: Introduced the --initialize-pin and --initialize-so-pin options. ** API and ABI modifications: gnutls_utf8_password_normalize: Added gnutls_ocsp_resp_get_responder2: Added gnutls_x509_crt_get_issuer_dn3: Added gnutls_x509_crt_get_dn3: Added gnutls_x509_rdn_get2: Added gnutls_x509_dn_get_str2: Added gnutls_x509_crl_get_issuer_dn3: Added gnutls_x509_crq_get_dn3: Added * Version 3.5.6 (released 2016-11-04) ** libgnutls: Enhanced the PKCS#7 parser to allow decoding old (pre-rfc5652) structures with arbitrary encapsulated content. ** libgnutls: Introduced a function group to set known DH parameters using groups from RFC7919. ** libgnutls: Added more strict RFC4514 textual DN encoding and decoding. Now the generated textual DN is in reverse order according to RFC4514, and functions which generate a DN from strings such gnutls_x509_crt_set_*dn() set the expected DN (reverse of the provided string). ** libgnutls: Introduced time and constraints checks in the end certificate in the gnutls_x509_crt_verify_data2() and gnutls_pkcs7_verify_direct() functions. ** libgnutls: Set limits on the maximum number of alerts handled. That is, applications using gnutls could be tricked into an busy loop if the peer sends continuously alert messages. Applications which set a maximum handshake time (via gnutls_handshake_set_timeout) will eventually recover but others may remain in a busy loops indefinitely. This is related but not identical to CVE-2016-8610, due to the difference in alert handling of the libraries (gnutls delegates that handling to applications). ** libgnutls: Reverted the change which made the gnutls_certificate_set_*key* functions return an index (introduced in 3.5.5), to avoid affecting programs which explicitly check success of the function as equality to zero. In order for these functions to return an index an explicit call to gnutls_certificate_set_flags with the GNUTLS_CERTIFICATE_API_V2 flag is now required. ** libgnutls: Reverted the behavior of sending a status request extension even without a response (introduced in 3.5.5). That is, we no longer reply to a client's hello with a status request, with a status request extension. Although that behavior is legal, it creates incompatibility issues with releases in the gnutls 3.3.x branch. ** libgnutls: Delayed the initialization of the random generator at the first call of gnutls_rnd(). This allows applications to load on systems which getrandom() would block, without blocking until real random data are needed. ** certtool: --get-dh-params will output parameters from the RFC7919 groups. ** p11tool: improvements in --initialize option. ** API and ABI modifications: GNUTLS_CERTIFICATE_API_V2: Added GNUTLS_NO_TICKETS: Added gnutls_pkcs7_get_embedded_data_oid: Added gnutls_anon_set_server_known_dh_params: Added gnutls_certificate_set_known_dh_params: Added gnutls_psk_set_server_known_dh_params: Added gnutls_x509_crt_check_key_purpose: Added * Version 3.5.5 (released 2016-10-09) ** libgnutls: enhanced gnutls_certificate_set_ocsp_status_request_file() to allow importing multiple OCSP request files, one for each chain provided. ** libgnutls: The gnutls_certificate_set_key* functions return an index of the added chain. That index can be used either with gnutls_certificate_set_ocsp_status_request_file(), or with gnutls_certificate_get_crt_raw() and friends. ** libgnutls: Added SHA*, AES-GCM, AES-CCM and AES-CBC optimized implementations for the aarch64 architecture. Uses Andy Polyakov's assembly code. ** libgnutls: Ensure proper cleanups on gnutls_certificate_set_*key() failures due to key mismatch. This prevents leaks or double freeing on such failures. ** libgnutls: Increased the maximum size of the handshake message hash. This will allow the library to cope better with larger packets, as the ones offered by current TLS 1.3 drafts. ** libgnutls: Allow to use client certificates despite them containing disallowed algorithms for a session. That allows for example a client to use DSA-SHA1 due to his old DSA certificate, without requiring him to enable DSA-SHA1 (and thus make it acceptable for the server's certificate). ** libgnutls: Reverted AESNI code on x86 to earlier version as the latest version was creating position depending code. Added checks in the CI to detect position depending code early. ** guile: Update code to the I/O port API of Guile >= 2.1.4 This makes sure the GnuTLS bindings will work with the forthcoming 2.2 stable series of Guile, of which 2.1 is a preview. ** API and ABI modifications: gnutls_certificate_set_ocsp_status_request_function2: Added gnutls_session_ext_register: Added gnutls_session_supplemental_register: Added GNUTLS_E_PK_INVALID_PUBKEY: Added GNUTLS_E_PK_INVALID_PRIVKEY: Added @ text @d1 1 a1 1 $NetBSD$ d3 4 a6 4 SHA1 (gnutls-3.5.8.tar.xz) = 238d5e62f9bb078101131dd2f4c7f2c1ac13e813 RMD160 (gnutls-3.5.8.tar.xz) = 77cd2f4a6da7cf1eece05422bc86b29833b08772 SHA512 (gnutls-3.5.8.tar.xz) = e6cdc4f9f2e41bd10e61b90b6b5ea3882c80a7130de8a0e9c23e373985cdc332128529dad49d6854fe93ee934e1bbde8b34dfd19e354b3a8e11b22d61424292e Size (gnutls-3.5.8.tar.xz) = 7264448 bytes d14 1 @ 1.120 log @Remove two obsolete patches. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.119 2016/09/19 12:33:10 wiz Exp $ d14 1 @ 1.119 log @Updated gnutls to 3.5.4. * Version 3.5.4 (released 2016-09-08) ** libgnutls: Corrected the comparison of the serial size in OCSP response. Previously the OCSP certificate check wouldn't verify the serial length and could succeed in cases it shouldn't (GNUTLS-SA-2016-3). Reported by Stefan Buehler. ** libgnutls: Added support for IP name constraints. Patch by Martin Ukrop. ** libgnutls: Added support of PKCS#8 file decryption using DES-CBC-MD5. This is added to allow decryption of PKCS #8 private keys from openssl prior to 1.1.0. ** libgnutls: Added support for decrypting PKCS#8 files which use HMAC-SHA256 as PRF. This allow decrypting PKCS #8 private keys generated with openssl 1.1.0. ** libgnutls: Added support for internationalized passwords in PKCS#12 files. Previous versions would only encrypt or decrypt using passwords from the ASCII set. ** libgnutls: Addressed issue with PKCS#11 signature generation on ECDSA keys. The signature is now written as unsigned integers into the DSASignatureValue structure. Previously signed integers could be written depending on what the underlying module would produce. Addresses #122. ** gnutls-cli: Fixed starttls regression from 3.5.3. ** API and ABI modifications: GNUTLS_E_MALFORMED_CIDR: Added gnutls_x509_cidr_to_rfc5280: Added gnutls_oid_to_mac: Added * Version 3.5.3 (released 2016-08-09) ** libgnutls: Added support for TCP fast open (RFC7413), allowing to reduce by one round-trip the handshake process. Based on proposal and patch by Tim Ruehsen. ** libgnutls: Adopted a simpler with less memory requirements DTLS sliding window implementation. Based on Fridolin Pokorny's implementation for AF_KTLS. ** libgnutls: Use getrandom where available via the syscall interface. This works around an issue of not-using getrandom even if it exists since glibc doesn't declare such function. ** libgnutls: Fixed DNS name constraints checking in the case of empty intersection of domain names in the chain. Report and fix by Martin Ukrop. ** libgnutls: Fixed name constraints checking in the case of chains where the higher level certificates contained different types of constraints than the ones present in the lower intermediate CAs. Report and fix by Martin Ukrop. ** libgnutls: Dropped support for the EGD random generator. ** libgnutls: Allow the decoding of raw elements (starting with #) in RFC4514 DN string decoding. ** libgnutls: Fixes in gnutls_x509_crt_list_import2, which was ignoring flags if all certificates in the list fit within the initially allocated memory. Patch by Tim Kosse. ** libgnutls: Corrected issue which made gnutls_certificate_get_x509_crt() to return invalid pointers when returned more than a single certificate. Report and fix by Stefan Sørensen. ** libgnutls: Fix gnutls_pkcs12_simple_parse to always extract the complete chain, even when the extra_certs was non-null. Report and fix by Stefan Sørensen. ** certtool: Added the "add_extension" and "add_critical_extension" template options. This allows specifying arbitrary extensions into certificates and certificate requests. ** gnutls-cli: Added the --fastopen option. ** API and ABI modifications: GNUTLS_E_UNAVAILABLE_DURING_HANDSHAKE: Added gnutls_x509_crq_set_extension_by_oid: Added gnutls_x509_dn_set_str: Added gnutls_transport_set_fastopen: Added * Version 3.5.2 (released 2016-07-06) ** libgnutls: Address issue when utilizing the p11-kit trust store for certificate verification (GNUTLS-SA-2016-2). ** libgnutls: Fixed DTLS handshake packet reconstruction. Reported by Guillaume Roguez. ** libgnutls: Fixed issues with PKCS#11 reading of sensitive objects from SafeNet Network HSM. Reported by Anthony Alba in #108. ** libgnutls: Corrected the writing of PKCS#11 CKA_SERIAL_NUMBER. Report and fix by Stanislav Židek. ** libgnutls: Added AES-GCM optimizations using the AVX and MOVBE instructions. Uses Andy Polyakov's assembly code. ** API and ABI modifications: No changes since last version. * Version 3.5.1 (released 2016-06-14) ** libgnutls: The SSL 3.0 protocol support can completely be removed using a compile time option. The configure option is --disable-ssl3-support. ** libgnutls: The SSL 2.0 client hello support can completely be removed using a compile time option. The configure option is --disable-ssl2-support. ** libgnutls: Added support for OCSP Must staple PKIX extension. That is, implemented the RFC7633 TLSFeature for OCSP status request extension. Feature implemented by Tim Kosse. ** libgnutls: More strict OCSP staple verification. That is, no longer ignore invalid or too old OCSP staples. The previous behavior was to rely on application use gnutls_ocsp_status_request_is_checked(), while the new behavior is to include OCSP verification by default and set the GNUTLS_CERT_INVALID_OCSP_STATUS verification flag on error. ** libgnutls: Treat CA certificates with the "Server Gated Cryptography" key purpose OIDs equivalent to having the GNUTLS_KP_TLS_WWW_SERVER OID. This improves interoperability with several old intermediate CA certificates carrying these legacy OIDs. ** libgnutls: Re-read the system wide priority file when needed. Patch by Daniel P. Berrange. ** libgnutls: Allow for fallback in system-specific initial keywords (prefixed with '@@'). That allows to specify a keyword such as "@@KEYWORD1,KEYWORD2" which will use the first available of these two keywords. Patch by Daniel P. Berrange. ** libgnutls: The SSLKEYLOGFILE environment variable can be used to log session keys. These session keys are compatible with the NSS Key Log Format and can be used to decrypt the session for debugging using wireshark. ** API and ABI modifications: GNUTLS_CERT_INVALID_OCSP_STATUS: Added gnutls_x509_crt_set_crq_extension_by_oid: Added gnutls_x509_ext_import_tlsfeatures: Added gnutls_x509_ext_export_tlsfeatures: Added gnutls_x509_tlsfeatures_add: Added gnutls_x509_tlsfeatures_init: Added gnutls_x509_tlsfeatures_deinit: Added gnutls_x509_tlsfeatures_get: Added gnutls_x509_crt_get_tlsfeatures: Added gnutls_x509_crt_set_tlsfeatures: Added gnutls_x509_crq_get_tlsfeatures: Added gnutls_x509_crq_set_tlsfeatures: Added gnutls_ext_get_name: Added * Version 3.5.0 (released 2016-05-09) ** libgnutls: Added SHA3 based signing algorithms for DSA, RSA and ECDSA, based on http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html ** libgnutls: Added support for curve X25519 (RFC 7748, draft-ietf-tls-rfc4492bis-07). This curve is disabled by default as it is still on specification status. It can be enabled using the priority string modifier +CURVE-X25519. ** libgnutls: Added support for TLS false start (draft-ietf-tls-falsestart-01) by introducing gnutls_init() flag GNUTLS_ENABLE_FALSE_START (#73). ** libgnutls: Added new APIs to access the FIPS186-4 (Shawe-Taylor based) provable RSA and DSA parameter generation from a seed. ** libgnutls: The CHACHA20-POLY1305 ciphersuite is enabled by default. This cipher is prioritized after AES-GCM. ** libgnutls: On a rehandshake ensure that the certificate of the peer or its username remains the same as in previous handshakes. That is to protect applications which do not check user credentials on rehandshakes. The threat to address depends on the application protocol. Primarily it protects against applications which authenticate the peer initially and perform accounting using the session's information, from being misled by a rehandshake which switches the peer's identity. Applications can disable this protection by using the %GNUTLS_ALLOW_ID_CHANGE flag in gnutls_init(). ** libgnutls: Be strict in TLS extension decoding. That is, do not tolerate parsing errors in the extensions field and treat it as a typical Hello message structure. Reported by Hubert Kario (#40). ** libgnutls: Old and unsupported version numbers in client hellos are rejected with a "protocol_version" alert message. Reported by Hubert Kario (#42). ** libgnutls: Lifted the limitation of calling the gnutls_session_get_data*() functions, only on non-resumed sessions. This brings the API in par with its usage (#79). ** libgnutls: Follow RFC5280 strictly in name constraints computation. The permitted subtrees is intersected with any previous values. Report and patch by Daiki Ueno. ** libgnutls: Enforce the RFC 7627 (extended master secret) requirements on session resumption. Reported by Hubert Kario (#69). ** libgnutls: Consider the max-record TLS extension even when under DTLS. Reported by Peter Dettman (#61). ** libgnutls: Replaced writev() system call with sendmsg(). ** libgnutls: Replaced select() system call with poll() on POSIX systems. ** libgnutls: Preload the system priority file on library load. This allows applications that chroot() to also use the system priorities. ** libgnutls: Applications are allowed to override the built-in key and certificate URLs. ** libgnutls: The gnutls.h header marks constant and pure functions explictly. ** certtool: Added the ability to sign certificates using SHA3. ** certtool: Added the --provable and --verify-allow-broken options. ** gnutls-cli: The --dane option will cause verification failure if gnutls is not compiled with DANE support. ** crywrap: The tool was unbundled from gnutls' distribution. It can be found at https://github.com/nmav/crywrap ** guile: .go files are now built and installed ** guile: Fix compatibility issue of the test suite with Guile 2.1 ** guile: When --with-guile-site-dir is passed, modules are installed in a versioned directory, typically $(datadir)/guile/site/2.0 ** guile: Tests no longer leave zombie processes behind ** API and ABI modifications: GNUTLS_FORCE_CLIENT_CERT: Added GNUTLS_ENABLE_FALSE_START: Added GNUTLS_INDEFINITE_TIMEOUT: Added GNUTLS_ALPN_SERVER_PRECEDENCE: Added GNUTLS_E_ASN1_EMBEDDED_NULL_IN_STRING: Added GNUTLS_E_HANDSHAKE_DURING_FALSE_START: Added gnutls_check_version_numeric: Added gnutls_x509_crt_equals: Added gnutls_x509_crt_equals2: Added gnutls_x509_crt_set_subject_alt_othername: Added gnutls_x509_crt_set_issuer_alt_othername: Added gnutls_x509_crt_get_signature_oid: Added gnutls_x509_crt_get_pk_oid: Added gnutls_x509_crq_set_subject_alt_othername: Added gnutls_x509_crq_get_pk_oid: Added gnutls_x509_crq_get_signature_oid: Added gnutls_x509_crl_get_signature_oid: Added gnutls_x509_privkey_generate2: Added gnutls_x509_privkey_get_seed: Added gnutls_x509_privkey_verify_seed: Added gnutls_privkey_generate2: Added gnutls_privkey_get_seed: Added gnutls_privkey_verify_seed: Added gnutls_decode_ber_digest_info: Added gnutls_encode_ber_digest_info: Added gnutls_dh_params_import_dsa: Added gnutls_session_get_master_secret: Added * Version 3.4.3 (released 2015-07-12) ** libgnutls: Follow closely RFC5280 recommendations and use UTCTime for dates prior to 2050. ** libgnutls: Force 16-byte alignment to all input to ciphers (previously it was done only when cryptodev was enabled). ** libgnutls: Removed support for pthread_atfork() as it has undefined semantics when used with dlopen(), and may lead to a crash. ** libgnutls: corrected failure when importing plain files with gnutls_x509_privkey_import2(), and a password was provided. ** libgnutls: Don't reject certificates if a CA has the URI or IP address name constraints, and the end certificate doesn't have an IP address name or a URI set. ** libgnutls: set and read the hint in DHE-PSK and ECDHE-PSK ciphersuites. ** p11tool: Added --list-token-urls option, and print the token module name in list-tokens. ** API and ABI modifications: gnutls_ecc_curve_get_oid: Added gnutls_digest_get_oid: Added gnutls_pk_get_oid: Added gnutls_sign_get_oid: Added gnutls_ecc_curve_get_id: Added gnutls_oid_to_digest: Added gnutls_oid_to_pk: Added gnutls_oid_to_sign: Added gnutls_oid_to_ecc_curve: Added gnutls_pkcs7_get_signature_count: Added * Version 3.4.2 (released 2015-06-16) ** libgnutls: DTLS blocking API is more robust against infinite blocking, and will notify of more possible timeouts. ** libgnutls: corrected regression with Camellia-256-GCM cipher. Reported by Manuel Pegourie-Gonnard. ** libgnutls: Introduced the GNUTLS_NO_SIGNAL flag to gnutls_init(). That allows to disable SIGPIPE for writes done within gnutls. ** libgnutls: Enhanced the PKCS #7 API to allow signing and verification of structures. API moved to gnutls/pkcs7.h header. ** certtool: Added options to generate PKCS #7 bundles and signed structures. ** API and ABI modifications: gnutls_x509_dn_get_str: Added gnutls_pkcs11_get_raw_issuer_by_subject_key_id: Added gnutls_x509_trust_list_get_issuer_by_subject_key_id: Added gnutls_x509_crt_verify_data2: Added gnutls_pkcs7_get_crt_raw2: Added gnutls_pkcs7_signature_info_deinit: Added gnutls_pkcs7_get_signature_info: Added gnutls_pkcs7_verify_direct: Added gnutls_pkcs7_verify: Added gnutls_pkcs7_get_crl_raw2: Added gnutls_pkcs7_sign: Added gnutls_pkcs7_attrs_deinit: Added gnutls_pkcs7_add_attr: Added gnutls_pkcs7_get_attr: Added gnutls_pkcs7_print: Added * Version 3.4.1 (released 2015-05-03) ** libgnutls: gnutls_certificate_get_ours: will return the certificate even if a callback was used to send it. ** libgnutls: Check for invalid length in the X.509 version field. Without the check certificates with invalid length would be detected as having an arbitrary version. Reported by Hanno Böck. ** libgnutls: Handle DNS name constraints with a leading dot. Patch by Fotis Loukos. ** libgnutls: Updated system-keys support for windows to compile in more versions of mingw. Patch by Tim Kosse. ** libgnutls: Fix for MD5 downgrade in TLS 1.2 signatures. Reported by Karthikeyan Bhargavan [GNUTLS-SA-2015-2]. ** libgnutls: Reverted: The gnutls_handshake() process will enforce a timeout by default. That caused issues with non-blocking programs. ** certtool: It can generate SHA256 key IDs. ** gnutls-cli: fixed crash in --benchmark-ciphers. Reported by James Cloos. ** configure: re-enabled the --enable-local-libopts flag ** API and ABI modifications: gnutls_x509_crt_get_pk_ecc_raw: Added * Version 3.4.0 (released 2015-04-08) ** libgnutls: Added support for AES-CCM and AES-CCM-8 (RFC6655 and RFC7251) ciphersuites. The former are enabled by default, the latter need to be explicitly enabled, since they reduce the overall security level. ** libgnutls: Added support for Chacha20-Poly1305 ciphersuites following draft-mavrogiannopoulos-chacha-tls-05 and draft-irtf-cfrg-chacha20-poly1305-10. That is currently provided as technology preview and is not enabled by default, since there are no assigned ciphersuite points by IETF and there is no guarrantee of compatibility between draft versions. The ciphersuite priority string to enable it is "+CHACHA20-POLY1305". ** libgnutls: Added support for encrypt-then-authenticate in CBC ciphersuites (RFC7366 -taking into account its errata text). This is enabled by default and can be disabled using the %NO_ETM priority string. ** libgnutls: Added support for the extended master secret (triple-handshake fix) following draft-ietf-tls-session-hash-02. ** libgnutls: Added a new simple and hard to misuse AEAD API (crypto.h). ** libgnutls: SSL 3.0 is no longer included in the default priorities list. It has to be explicitly enabled, e.g., with a string like "NORMAL:+VERS-SSL3.0". ** libgnutls: ARCFOUR (RC4) is no longer included in the default priorities list. It has to be explicitly enabled, e.g., with a string like "NORMAL:+ARCFOUR-128". ** libgnutls: DSA signatures and DHE-DSS are no longer included in the default priorities list. They have to be explicitly enabled, e.g., with a string like "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1". The DSA ciphersuites were dropped because they had no deployment at all on the internet, to justify their inclusion. ** libgnutls: The priority string EXPORT was completely removed. The string was already defunc as support for the EXPORT ciphersuites was removed in GnuTLS 3.2.0. ** libgnutls: Added API to utilize system specific private keys in "gnutls/system-keys.h". It is currently provided as technology preview and is restricted to windows CNG keys. ** libgnutls: gnutls_x509_crt_check_hostname() and friends will use RFC6125 comparison of hostnames. That introduces a dependency on libidn. ** libgnutls: Depend on p11-kit 0.23.1 to comply with the final PKCS #11 URLs draft (draft-pechanec-pkcs11uri-21). ** libgnutls: Depend on nettle 3.1. ** libgnutls: Use getrandom() or getentropy() when available. That avoids the complexity of file descriptor handling and issues with applications closing all open file descriptors on startup. ** libgnutls: Use pthread_atfork() to detect fork when available. ** libgnutls: If a key purpose (extended key usage) is specified for verification, it is applied into intermediate certificates. The verification result GNUTLS_CERT_PURPOSE_MISMATCH is also introduced. ** libgnutls: When gnutls_certificate_set_x509_key_file2() is used in combination with PKCS #11, or TPM URLs, it will utilize the provided password as PIN if required. That removes the requirement for the application to set a callback for PINs in that case. ** libgnutls: priority strings VERS-TLS-ALL and VERS-DTLS-ALL are restricted to the corresponding protocols only, and the VERS-ALL string is introduced to catch all possible protocols. ** libgnutls: Added helper functions to obtain information on PKCS #8 structures. ** libgnutls: Certificate chains which are provided to gnutls_certificate_credentials_t will automatically be sorted instead of failing with GNUTLS_E_CERTIFICATE_LIST_UNSORTED. ** libgnutls: Added functions to export and set the record state. That allows for gnutls_record_send() and recv() to be offloaded (to kernel, hardware or any other subsystem). ** libgnutls: Added the ability to register application specific URL types, which express certificates and keys using gnutls_register_custom_url(). ** libgnutls: Added API to override existing ciphers, digests and MACs, e.g., to override AES-GCM using a system-specific accelerator. That is, (crypto.h) gnutls_crypto_register_cipher(), gnutls_crypto_register_aead_cipher(), gnutls_crypto_register_mac(), and gnutls_crypto_register_digest(). ** libgnutls: Added gnutls_ext_register() to register custom extensions. Contributed by Thierry Quemerais. ** libgnutls: Added gnutls_supplemental_register() to register custom supplemental data handshake messages. Contributed by Thierry Quemerais. ** libgnutls-openssl: it is no longer built by default. ** certtool: Added --p8-info option, which will print PKCS #8 information even if the password is not available. ** certtool: --key-info option will print PKCS #8 encryption information when available. ** certtool: Added the --key-id and --fingerprint options. ** certtool: Added the --verify-hostname, --verify-email and --verify-purpose options to be used in certificate chain verification, to simulate verification for specific hostname and key purpose (extended key usage). ** certtool: --p12-info option will print PKCS #12 MAC and cipher information when available. ** certtool: it will print the A-label (ACE) names in addition to UTF-8. ** p11tool: added options --set-id and --set-label. ** gnutls-cli: added options --priority-list and --save-cert. ** guile: Deprecated priority API has been removed. The old priority API, which had been deprecated for some time, is now gone; use 'set-session-priorities!' instead. ** guile: Remove RSA parameters and related procedures. This API had been deprecated. ** guile: Fix compilation on MinGW. Previously only the static version of the 'guile-gnutls-v-2' library would be built, preventing dynamic loading from Guile. ** API and ABI modifications: gnutls_record_get_state: Added gnutls_record_set_state: Added gnutls_aead_cipher_init: Added gnutls_aead_cipher_decrypt: Added gnutls_aead_cipher_encrypt: Added gnutls_aead_cipher_deinit: Added gnutls_pkcs12_generate_mac2: Added gnutls_pkcs12_mac_info: Added gnutls_pkcs12_bag_enc_info: Added gnutls_pkcs8_info: Added gnutls_pkcs_schema_get_name: Added gnutls_pkcs_schema_get_oid: Added gnutls_pcert_export_x509: Added gnutls_pcert_export_openpgp: Added gnutls_pcert_import_x509_list: Added gnutls_pkcs11_privkey_cpy: Added gnutls_x509_crq_get_signature_algorithm: Added gnutls_x509_trust_list_iter_get_ca: Added gnutls_x509_trust_list_iter_deinit: Added gnutls_x509_trust_list_get_issuer_by_dn: Added gnutls_pkcs11_get_raw_issuer_by_dn: Added gnutls_certificate_get_trust_list: Added gnutls_privkey_export_x509: Added gnutls_privkey_export_pkcs11: Added gnutls_privkey_export_openpgp: Added gnutls_privkey_import_ext3: Added gnutls_certificate_get_x509_key: Added gnutls_certificate_get_x509_crt: Added gnutls_certificate_get_openpgp_key: Added gnutls_certificate_get_openpgp_crt: Added gnutls_record_discard_queued: Added gnutls_session_ext_master_secret_status: Added gnutls_priority_string_list: Added gnutls_dh_params_import_raw2: Added gnutls_memset: Added gnutls_memcmp: Added gnutls_pkcs12_bag_set_privkey: Added gnutls_ocsp_resp_get_responder_raw_id: Added gnutls_system_key_iter_deinit: Added gnutls_system_key_iter_get_info: Added gnutls_system_key_delete: Added gnutls_system_key_add_x509: Added gnutls_system_recv_timeout: Added gnutls_register_custom_url: Added gnutls_pkcs11_obj_list_import_url3: Added gnutls_pkcs11_obj_list_import_url4: Added gnutls_pkcs11_obj_set_info: Added gnutls_crypto_register_cipher: Added gnutls_crypto_register_aead_cipher: Added gnutls_crypto_register_mac: Added gnutls_crypto_register_digest: Added gnutls_ext_register: Added gnutls_supplemental_register: Added gnutls_supplemental_recv: Added gnutls_supplemental_send: Added gnutls_openpgp_crt_check_email: Added gnutls_x509_crt_check_email: Added gnutls_handshake_set_hook_function: Modified gnutls_pkcs11_privkey_generate3: Added gnutls_pkcs11_copy_x509_crt2: Added gnutls_pkcs11_copy_x509_privkey2: Added gnutls_pkcs11_obj_list_import_url: Removed gnutls_pkcs11_obj_list_import_url2: Removed gnutls_certificate_client_set_retrieve_function: Removed gnutls_certificate_server_set_retrieve_function: Removed gnutls_certificate_set_rsa_export_params: Removed gnutls_certificate_type_set_priority: Removed gnutls_cipher_set_priority: Removed gnutls_compression_set_priority: Removed gnutls_kx_set_priority: Removed gnutls_mac_set_priority: Removed gnutls_protocol_set_priority: Removed gnutls_rsa_export_get_modulus_bits: Removed gnutls_rsa_export_get_pubkey: Removed gnutls_rsa_params_cpy: Removed gnutls_rsa_params_deinit: Removed gnutls_rsa_params_export_pkcs1: Removed gnutls_rsa_params_export_raw: Removed gnutls_rsa_params_generate2: Removed gnutls_rsa_params_import_pkcs1: Removed gnutls_rsa_params_import_raw: Removed gnutls_rsa_params_init: Removed gnutls_sign_callback_get: Removed gnutls_sign_callback_set: Removed gnutls_x509_crt_verify_data: Removed gnutls_x509_crt_verify_hash: Removed gnutls_pubkey_get_verify_algorithm: Removed gnutls_x509_crt_get_verify_algorithm: Removed gnutls_pubkey_verify_hash: Removed gnutls_pubkey_verify_data: Removed gnutls_record_set_max_empty_records: Removed guile: set-session-cipher-priority!: Removed set-session-mac-priority!: Removed set-session-compression-method-priority!: Removed set-session-kx-priority!: Removed set-session-protocol-priority!: Removed set-session-certificate-type-priority!: Removed set-session-default-priority!: Removed set-session-default-export-priority!: Removed make-rsa-parameters: Removed rsa-parameters?: Removed set-certificate-credentials-rsa-export-parameters!: Removed pkcs1-import-rsa-parameters: Removed pkcs1-export-rsa-parameters: Removed @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.118 2015/11/04 01:17:45 agc Exp $ a7 1 SHA1 (patch-gl_stdio.in.h) = a2359986aac788652a03b5a43860706a9d103e36 a8 1 SHA1 (patch-src_gl_stdio.in.h) = ceacb1fdc7b71c7ca184bfc2b993c71bbd12d58c @ 1.118 log @Add SHA512 digests for distfiles for security category Problems found locating distfiles: Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz Package libidea: missing distfile libidea-0.8.2b.tar.gz Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2 Package uvscan: missing distfile vlp4510e.tar.Z Otherwise, existing SHA1 digests verified and found to be the same on the machine holding the existing distfiles (morden). All existing SHA1 digests retained for now as an audit trail. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.117 2015/09/14 00:29:45 mef Exp $ d3 4 a6 4 SHA1 (gnutls-3.3.18.tar.xz) = c47b43e5b7c60133cac8de18ce7a6494e21b539a RMD160 (gnutls-3.3.18.tar.xz) = 76ccb9fb302284ac1ad4966bf76a8c6d9249c2ab SHA512 (gnutls-3.3.18.tar.xz) = e7c972458ad0af401121c705ebe86aafa46c02743d963b1b67ca09192c746a9193c73d28501b6c046435259b40ac0f8d201860cd6cf6240a7783b6c01b64286c Size (gnutls-3.3.18.tar.xz) = 6275948 bytes d8 1 a8 1 SHA1 (patch-gl_stdio.in.h) = 298cc0e27087f086e9d47c67f81c8d10f6a7a8f1 d10 1 a10 2 SHA1 (patch-lib_nettle_rnd-common.c) = e0feb509e0c37791560280d9eb36785edea51a25 SHA1 (patch-src_gl_stdio.in.h) = fbea411c3a7b71dd2daa3a5963324a2f8daad212 a15 2 SHA1 (patch-tests_Makefile.in) = a6505d834ac660ef6343c0ecdbff9f4aca324954 SHA1 (patch-tests_openpgp-certs_Makefile.in) = 2e7074312e67d747bd0ecfa839187f8bf33f4f09 @ 1.117 log @Update to 3.3.18 ---------------- * Version 3.3.18 (released 2015-09-12) ** libgnutls: When re-importing CRLs to a trust list ensure that there no duplicate entries. ** certtool: Removed any arbitrary limits imposed on input file sizes and maximum number of certificates imported. ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.116 2015/08/14 11:48:55 wiz Exp $ d5 1 @ 1.116 log @Update to 3.17.1: * Version 3.3.17 (released 2015-08-10) ** libgnutls: Fix issue with server side sending the status request extension even when not requested. Reported by Jeremy Harris. ** libgnutls: gnutls_pkcs11_privkey_generate2() will store the generated public key, unless the GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY flag is specified. ** libgnutls: fixed double free in DN decoding [GNUTLS-SA-2015-3]. ** API and ABI modifications: No changes since last version. * Version 3.3.16 (released 2015-07-12) ** libgnutls: Allow compilation with nettle 3.0 or later ** libgnutls: corrected failure when importing plain files with gnutls_x509_privkey_import2(), and a password was provided. ** libgnutls: Don't reject certificates if a CA has the URI or IP address name constraints, and the end certificate doesn't have an IP address name or a URI set. ** libgnutls: set and read the hint in DHE-PSK and ECDHE-PSK ciphersuites. ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD$ d3 3 a5 3 SHA1 (gnutls-3.3.17.1.tar.xz) = da876bee8a6ae65b8f4884a397cd91004706f692 RMD160 (gnutls-3.3.17.1.tar.xz) = 923cf31bae49816e4357dfeb99d30c75f3100ce7 Size (gnutls-3.3.17.1.tar.xz) = 6339588 bytes @ 1.115 log @Workaround gettext context function definition mess to unbreak NetBSD/current. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.114 2015/06/04 09:43:53 jperkin Exp $ d3 3 a5 3 SHA1 (gnutls-3.3.15.tar.xz) = d7f66b0aeaf48ff8621cc1913230635ef672f0a4 RMD160 (gnutls-3.3.15.tar.xz) = 0c812034b3b8356c31d69074ec92382545eb808b Size (gnutls-3.3.15.tar.xz) = 6286288 bytes d16 1 a16 1 SHA1 (patch-tests_Makefile.in) = b76dfb38f057b9094a5f46eef33b27492a79301e @ 1.114 log @Fix more gnulib gets() vs std::gets() conflict. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.113 2015/06/01 21:50:22 spz Exp $ d13 1 @ 1.113 log @update to gnutls 3.3.15 patch refresh grace of mkpatches upstream notable changes list since the 3.2 to 3.3 branch point (excerpt of the NEWS file): * Version 3.3.15 (released 2015-05-03) ** libgnutls: gnutls_certificate_get_ours: will return the certificate even if a callback was used to send it. ** libgnutls: Fix for MD5 downgrade in TLS 1.2 signatures. Reported by Karthikeyan Bhargavan [GNUTLS-SA-2015-2]. ** libgnutls: Check for invalid length in the X.509 version field. Without the check certificates with invalid length would be detected as having an arbitrary version. Reported by Hanno Böck. ** API and ABI modifications: No changes since last version. * Version 3.3.14 (released 2015-03-30) ** libgnutls: When retrieving OCTET STRINGS from PKCS #12 ContentInfo structures use BER to decode them (requires libtasn1 4.3). That allows to decode some more complex structures. ** libgnutls: When an end-certificate with no name is present and there are CA name constraints, don't reject the certificate. This follows RFC5280 advice closely. Reported by Fotis Loukos. ** libgnutls: Fixed handling of supplemental data with types > 255. Patch by Thierry Quemerais. ** libgnutls: Fixed double free in the parsing of CRL distribution points certificate extension. Reported by Robert Święcki. ** libgnutls: Fixed a two-byte stack overflow in DTLS 0.9 protocol. That protocol is not enabled by default (used by openconnect VPN). ** libgnutls: The maximum user data send size is set to be the same for block and non-block ciphersuites. This addresses a regression with wine: https://bugs.winehq.org/show_bug.cgi?id=37500 ** libgnutls: When generating PKCS #11 keys, set CKA_ID, CKA_SIGN, and CKA_DECRYPT when needed. ** libgnutls: Allow names with zero size to be set using gnutls_server_name_set(). That will disable the Server Name Indication. Resolves issue with wine: https://gitlab.com/gnutls/gnutls/issues/2 ** API and ABI modifications: No changes since last version. * Version 3.3.13 (released 2015-02-25) ** libgnutls: Enable AESNI in GCM on x86 ** libgnutls: Fixes in DTLS message handling ** libgnutls: Check certificate algorithm consistency, i.e., check whether the signatureAlgorithm field matches the signature field inside TBSCertificate. ** gnutls-cli: Fixes in OCSP verification. ** API and ABI modifications: No changes since last version. * Version 3.3.12 (released 2015-01-17) ** libgnutls: When negotiating TLS use the lowest enabled version in the client hello, rather than the lowest supported. In addition, do not use SSL 3.0 as a version in the TLS record layer, unless SSL 3.0 is the only protocol supported. That addresses issues with servers that immediately drop the connection when the encounter SSL 3.0 as the record version number. See: http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003673.html ** libgnutls: Corrected encoding and decoding of ANSI X9.62 parameters. ** libgnutls: Handle zero length plaintext for VIA PadLock functions. This solves a potential crash on AES encryption for small size plaintext. Patch by Matthias-Christian Ott. ** libgnutls: In DTLS don't combine multiple packets which exceed MTU. Reported by Andreas Schultz. https://savannah.gnu.org/support/?108715 ** libgnutls: In DTLS decode all handshake packets present in a record packet, in a single pass. Reported by Andreas Schultz. https://savannah.gnu.org/support/?108712 ** libgnutls: When importing a CA file with a PKCS #11 URL, simply import the certificates, if the URL specifies objects, rather than treating it as trust module. ** libgnutls: When importing a PKCS #11 URL and we know the type of object we are importing, don't require the object type in the URL. ** libgnutls: fixed openpgp authentication when gnutls_certificate_set_retrieve_function2 was used by the server. ** guile: Fix compilation on MinGW. Previously only the static version of the 'guile-gnutls-v-2' library would be built, preventing dynamic loading from Guile. ** guile: Fix harmless warning during compilation of gnutls.scm Initially reported at . ** certtool: --pubkey-info will also attempt to load a public key from stdin. ** gnutls-cli: Added --starttls-proto option. That allows to specify a protocol for starttls negotiation. ** API and ABI modifications: No changes since last version. * Version 3.3.11 (released 2014-12-11) ** libgnutls: Corrected regression introduced in 3.3.9 related to session renegotiation. Reported by Dan Winship. ** libgnutls: Corrected parsing issue with OCSP responses. ** API and ABI modifications: No changes since last version. * Version 3.3.10 (released 2014-11-10) ** libgnutls: Refuse to import v1 or v2 certificates that contain extensions. ** libgnutls: Fixes in usage of PKCS #11 token callback ** libgnutls: Fixed bug in gnutls_x509_trust_list_get_issuer() when used with a PKCS #11 trust module and without the GNUTLS_TL_GET_COPY flag. Reported by David Woodhouse. ** libgnutls: Removed superfluous random generator refresh on every call of gnutls_deinit(). That reduces load and usage of /dev/urandom. ** libgnutls: Corrected issue in export of ECC parameters to X9.63 format. Reported by Sean Burford [GNUTLS-SA-2014-5]. ** libgnutls: When gnutls_global_init() is called for a second time, it will check whether the /dev/urandom fd kept is still open and matches the original one. That behavior works around issues with servers that close all file descriptors. ** libgnutls: Corrected behavior with PKCS #11 objects that are marked as CKA_ALWAYS_AUTHENTICATE. ** certtool: The default cipher for PKCS #12 structures is 3des-pkcs12. That option is more compatible than AES or RC4. ** API and ABI modifications: No changes since last version. * Version 3.3.9 (released 2014-10-13) ** libgnutls: Fixes in the transparent import of PKCS #11 certificates. Reported by Joseph Peruski. ** libgnutls: Fixed issue with unexpected non-fatal errors resetting the handshake's hash buffer, in applications using the heartbeat extension or DTLS. Reported by Joeri de Ruiter. ** libgnutls: When both a trust module and additional CAs are present account the latter as well; reported by David Woodhouse. ** libgnutls: added GNUTLS_TL_GET_COPY flag for gnutls_x509_trust_list_get_issuer(). That allows the function to be used in a thread safe way when PKCS #11 trust modules are in use. ** libgnutls: fix issue in DTLS retransmission when session tickets were in use; reported by Manuel Pégourié-Gonnard. ** libgnutls-dane: Do not require the CA on a ca match to be direct CA. ** libgnutls: Prevent abort() in library if getrusage() fails. Try to detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work. ** guile: new 'set-session-server-name!' procedure; see the manual for details. ** certtool: The authority key identifier will be set in a certificate only if the CA's subject key identifier is set. ** API and ABI modifications: No changes since last version. * Version 3.3.8 (released 2014-09-18) ** libgnutls: Updates in the name constraints checks. No name constraints will be checked for intermediate certificates. As our support for name constraints is limited to e-mail addresses in DNS names, it is pointless to check them on intermediate certificates. ** libgnutls: Fixed issues in PKCS #11 object listing. Previously multiple object listing would fail completely if a single object could not be exported. ** libgnutls: Improved the performance of PKCS #11 object listing/retrieving, by retrieving them in large batches. Report and suggestion by David Woodhouse. ** libgnutls: Fixed issue with certificates being sanitized by gnutls prior to signature verification. That resulted to certain non-DER compliant modifications of valid certificates, being corrected by libtasn1's parser and restructured as the original. Issue found and reported by Antti Karjalainen and Matti Kamunen from Codenomicon. ** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle strings with embedded spaces and escaped commas. ** libgnutls: when comparing a CA certificate with the trusted list compare the name and key only instead of the whole certificate. That is to handle cases where a CA certificate was superceded by a different one with the same name and the same key. ** libgnutls: when verifying a certificate against a p11-kit trusted module, use the attached extensions in the module to override the CA's extensions (that requires p11-kit 0.20.7). ** libgnutls: In DTLS prevent sending zero-size fragments in certain cases of MTU split. Reported by Manuel Pégourié-Gonnard. ** libgnutls: Added gnutls_x509_trust_list_verify_crt2() which allows verifying using a hostname and a purpose (extended key usage). That enhances PKCS #11 trust module verification, as it can now check the purpose when this function is used. ** libgnutls: Corrected gnutls_x509_crl_verify() which would always report a CRL signature as invalid. Reported by Armin Burgmeier. ** libgnutls: added option --disable-padlock to allow disabling the padlock CPU acceleration. ** p11tool: when listing tokens, list their type as well. ** p11tool: when listing objects from a trust module print any attached extensions on certificates. ** API and ABI modifications: gnutls_x509_crq_get_extension_by_oid2: Added gnutls_x509_crt_get_extension_by_oid2: Added gnutls_x509_trust_list_verify_crt2: Added gnutls_x509_ext_print: Added gnutls_x509_ext_deinit: Added gnutls_x509_othername_to_virtual: Added gnutls_pkcs11_obj_get_exts: Added * Version 3.3.7 (released 2014-08-24) ** libgnutls: Added function to export the public key of a PKCS #11 private key. Contributed by Wolfgang Meyer zu Bergsten. ** libgnutls: Explicitly set the exponent in PKCS #11 key generation. That improves compatibility with certain PKCS #11 modules. Contributed by Wolfgang Meyer zu Bergsten. ** libgnutls: When generating a PKCS #11 private key allow setting the WRAP/UNWRAP flags. Contributed by Wolfgang Meyer zu Bergsten. ** libgnutls: gnutls_pkcs11_privkey_t will always hold an open session to the key. ** libgnutls: bundle replacements of inet_pton and inet_aton if not available. ** libgnutls: initialize parameters variable on PKCS #8 decryption. ** libgnutls: gnutls_pkcs12_verify_mac() will not fail in other than SHA1 algorithms. ** libgnutls: gnutls_x509_crt_check_hostname() will follow the RFC6125 requirement of checking the Common Name (CN) part of DN only if there is a single CN present in the certificate. ** libgnutls: The environment variable GNUTLS_FORCE_FIPS_MODE can be used to force the FIPS mode, when set to 1. ** libgnutls: In DTLS ignore only errors that relate to unexpected packets and decryption failures. ** p11tool: Added --info parameter. ** certtool: Added --mark-wrap parameter. ** danetool: --check will attempt to retrieve the server's certificate chain and verify against it. ** danetool/gnutls-cli-debug: Added --app-proto parameters which can be used to enforce starttls (currently only SMTP and IMAP) on the connection. ** danetool: Added openssl linking exception, to allow linking with libunbound. ** API and ABI modifications: GNUTLS_PKCS11_OBJ_ATTR_MATCH: Added gnutls_pkcs11_privkey_export_pubkey: Added gnutls_pkcs11_obj_flags_get_str: Added gnutls_pkcs11_obj_get_flags: Added * Version 3.3.6 (released 2014-07-23) ** libgnutls: Use inet_ntop to print IP addresses when available ** libgnutls: gnutls_x509_crt_check_hostname and friends will also check IP addresses, and match documented behavior. Reported by David Woodhouse. ** libgnutls: DSA key generation in FIPS140-2 mode doesn't allow 1024 bit parameters. ** libgnutls: fixed issue in gnutls_pkcs11_reinit() which prevented tokens being usable after a reinitialization. ** libgnutls: fixed PKCS #11 private key operations after a fork. ** libgnutls: fixed PKCS #11 ECDSA key generation. ** libgnutls: The GNUTLS_CPUID_OVERRIDE environment variable can be used to explicitly enable/disable the use of certain CPU capabilities. Note that CPU detection cannot be overriden, i.e., VIA options cannot be enabled on an Intel CPU. The currently available options are: 0x1: Disable all run-time detected optimizations 0x2: Enable AES-NI 0x4: Enable SSSE3 0x8: Enable PCLMUL 0x100000: Enable VIA padlock 0x200000: Enable VIA PHE 0x400000: Enable VIA PHE SHA512 ** libdane: added dane_query_to_raw_tlsa(); patch by Simon Arlott. ** p11tool: use GNUTLS_SO_PIN to read the security officer's PIN if set. ** p11tool: ask for label when one isn't provided. ** p11tool: added --batch parameter to disable any interactivity. ** p11tool: will not implicitly enable so-login for certain types of objects. That avoids issues with tokens that require different login types. ** certtool/p11tool: Added the --curve parameter which allows to explicitly specify the curve to use. ** API and ABI modifications: gnutls_certificate_set_x509_trust_dir: Added gnutls_x509_trust_list_add_trust_dir: Added * Version 3.3.5 (released 2014-06-26) ** libgnutls: Added gnutls_record_recv_packet() and gnutls_packet_deinit(). These functions provide a variant of gnutls_record_recv() that avoids the final memcpy of data. ** libgnutls: gnutls_x509_crl_iter_crt_serial() was added as a faster variant of gnutls_x509_crl_get_crt_serial() when coping with very large structures. ** libgnutls: When the decoding of a printable DN element fails, then treat it as unknown and print its hex value rather than failing. That works around an issue in a TURKTRST root certificate which improperly encodes the X520countryName element. ** libgnutls: gnutls_x509_trust_list_add_trust_file() will return the number of certificates present in a PKCS #11 token when loading it. ** libgnutls: Allow the post client hello callback to put the handshake on hold, by returning GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED. ** certtool: option --to-p12 will now consider --load-ca-certificate ** certtol: Added option to specify the PKCS #12 friendly name on command line. ** p11tool: Allow marking a certificate copied to a token as a CA. ** API and ABI modifications: GNUTLS_PKCS11_OBJ_FLAG_MARK_CA: Added gnutls_x509_crl_iter_deinit: Added gnutls_x509_crl_iter_crt_serial: Added gnutls_record_recv_packet: Added gnutls_packet_deinit: Added gnutls_packet_get: Added * Version 3.3.4 (released 2014-05-31) ** libgnutls: Updated Andy Polyakov's assembly code. That prevents a crash on certain CPUs. ** API and ABI modifications: No changes since last version. * Version 3.3.3 (released 2014-05-30) ** libgnutls: Eliminated memory corruption issue in Server Hello parsing. Issue reported by Joonas Kuorilehto of Codenomicon. ** libgnutls: gnutls_global_set_mutex() was modified to operate with the new initialization process. ** libgnutls: Increased the maximum certificate size buffer in the PKCS #11 subsystem. ** libgnutls: Check the return code of getpwuid_r() instead of relying on the result value. That avoids issue in certain systems, when using tofu authentication and the home path cannot be determined. Issue reported by Viktor Dukhovni. ** libgnutls-dane: Improved dane_verify_session_crt(), which now attempts to create a full chain. This addresses points from https://savannah.gnu.org/support/index.php?108552 ** gnutls-cli: --dane will only check the end certificate if PKIX validation has been disabled. ** gnutls-cli: --benchmark-soft-ciphers has been removed. That option cannot be emulated with the implicit initialization of gnutls. ** certtool: Allow multiple organizations and organizational unit names to be specified in a template. ** certtool: Warn when invalid configuration options are set to a template. ** ocsptool: Include path in ocsp request. This resolves #108582 (https://savannah.gnu.org/support/?108582), reported by Matt McCutchen. ** API and ABI modifications: gnutls_credentials_get: Added * Version 3.3.2 (released 2014-05-06) ** libgnutls: Added the 'very weak' certificate verification profile that corresponds to 64-bit security level. ** libgnutls: Corrected file descriptor leak on random generator initialization. ** libgnutls: Corrected file descriptor leak on PSK password file reading. Issue identified using the Codenomicon TLS test suite. ** libgnutls: Avoid deinitialization if initialization has failed. ** libgnutls: null-terminate othername alternative names. ** libgnutls: gnutls_x509_trust_list_get_issuer() will operate correctly on a PKCS #11 trust list. ** libgnutls: Several small bug fixes identified using valgrind and the Codenomicon TLS test suite. ** libgnutls-dane: Accept a certificate using DANE if there is at least one entry that matches the certificate. Patch by simon [at] arlott.org. ** libgnutls-guile: Fixed compilation issue. ** certtool: Allow exporting a CRL on DER format. ** certtool: The ECDSA keys generated by default use the SECP256R1 curve which is supported more widely than the previously used SECP224R1. ** API and ABI modifications: GNUTLS_PROFILE_VERY_WEAK: Added * Version 3.3.1 (released 2014-04-19) ** libgnutls: Enforce more strict checks to heartbeat messages concerning padding and payload. Suggested by Peter Dettman. ** libgnutls: Allow decoding PKCS #8 files with ECC parameters from openssl. ** libgnutls: Several small bug fixes found by coverity. ** libgnutls: The conditionally available self-test functions were moved to self-test.h. ** libgnutls: Fixed issue with the check of incoming data when two different recv and send pointers have been specified. Reported and investigated by JMRecio. ** libgnutls: Fixed issue in the RSA-PSK key exchange, which would result to illegal memory access if a server hint was provided. Reported by André Klitzing. ** libgnutls: Fixed client memory leak in the PSK key exchange, if a server hint was provided. ** libgnutls: Corrected the *get_*_othername_oid() functions. ** API and ABI modifications: No changes since last version. * Version 3.3.0 (released 2014-04-10) ** libgnutls: The initialization of the library was moved to a constructor. That is, gnutls_global_init() is no longer required unless linking with a static library or a system that does not support library constructors. ** libgnutls: static libraries are not built by default. ** libgnutls: PKCS #11 initialization is delayed to first usage. That avoids long delays in gnutls initialization due to broken PKCS #11 modules. ** libgnutls: The PKCS #11 subsystem is re-initialized "automatically" on the first PKCS #11 API call after a fork. ** libgnutls: certificate verification profiles were introduced that can be specified as flags to verification functions. They are enumerations in gnutls_certificate_verification_profiles_t and can be converted to flags for use in a verification function using GNUTLS_PROFILE_TO_VFLAGS(). ** libgnutls: Added the ability to read system-specific initial keywords, if they are prefixed with '@@'. That allows a compile-time specified configuration file to be used to read pre-configured priority strings from. That can be used to impose system specific policies. ** libgnutls: Increased the default security level of priority strings (NORMAL and PFS strings require at minimum a 1008 DH prime), and set a verification profile by default. The LEGACY keyword is introduced to set the old defaults. ** libgnutls: Added support for the name constraints PKIX extension. Currently only DNS names and e-mails are supported (no URIs, IPs or DNs). ** libgnutls: Security parameter SEC_PARAM_NORMAL was renamed to SEC_PARAM_MEDIUM to avoid confusion with the priority string NORMAL. ** libgnutls: Added new API in x509-ext.h to handle X.509 extensions. This API handles the X.509 extensions in isolation, allowing to parse similarly formatted extensions stored in other structures. ** libgnutls: When generating DSA keys the macro GNUTLS_SUBGROUP_TO_BITS can be used to specify a particular subgroup as the number of bits in gnutls_privkey_generate; e.g., GNUTLS_SUBGROUP_TO_BITS(2048, 256). ** libgnutls: DH parameter generation is now delegated to nettle. That unfortunately has the side-effect that DH parameters longer than 3072 bits, cannot be generated (not without a nettle update). ** libgnutls: Separated nonce RNG from the main RNG. The nonce random number generator is based on salsa20/12. ** libgnutls: The buffer alignment provided to crypto backend is enforced to be 16-byte aligned, when compiled with cryptodev support. That allows certain cryptodev drivers to operate more efficiently. ** libgnutls: Return error when a public/private key pair that doesn't match is set into a credentials structure. ** libgnutls: Depend on p11-kit 0.20.0 or later. ** libgnutls: The new padding (%NEW_PADDING) experimental TLS extension has been removed. It was not approved by IETF. ** libgnutls: The experimental xssl library is removed from the gnutls distribution. ** libgnutls: Reduced the number of gnulib modules used in the main library. ** libgnutls: Added priority string %DISABLE_WILDCARDS. ** libgnutls: Added the more extensible verification function gnutls_certificate_verify_peers(), that allows checking, in addition to a peer's DNS hostname, for the key purpose of the end certificate (via PKIX extended key usage). ** certtool: Timestamps for serial numbers were increased to 8 bytes, and in batch mode to 12 (appended with 4 random bytes). ** certtool: When no CRL number is provided (or value set to -1), then a time-based number will be used, similarly to the serial generation number in certificates. ** certtool: Print the SHA256 fingerprint of a certificate in addition to SHA1. ** libgnutls: Added --enable-fips140-mode configuration option (unsupported). That option enables (when running on FIPS140-enabled system): o RSA, DSA and DH key generation as in FIPS-186-4 (using provable primes) o The DRBG-CTR-AES256 deterministic random generator from SP800-90A. o Self-tests on initialization on ciphers/MACs, public key algorithms and the random generator. o HMAC-SHA256 verification of the library on load. o MD5 is included for TLS purposes but cannot be used by the high level hashing functions. o All ciphers except AES are disabled. o All MACs and hashes except GCM and SHA are disabled (e.g., HMAC-MD5). o All keys (temporal and long term) are zeroized after use. o Security levels are adjusted to the FIPS140-2 recommendations (rather than ECRYPT). ** API and ABI modifications: GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS: Added gnutls_certificate_verify_peers: Added gnutls_privkey_generate: Added gnutls_pkcs11_crt_is_known: Added gnutls_fips140_mode_enabled: Added gnutls_sec_param_to_symmetric_bits: Added gnutls_pubkey_export_ecc_x962: Added (replaces gnutls_pubkey_get_pk_ecc_x962) gnutls_pubkey_export_ecc_raw: Added (replaces gnutls_pubkey_get_pk_ecc_raw) gnutls_pubkey_export_dsa_raw: Added (replaces gnutls_pubkey_get_pk_dsa_raw) gnutls_pubkey_export_rsa_raw: Added (replaces gnutls_pubkey_get_pk_rsa_raw) gnutls_pubkey_verify_params: Added gnutls_privkey_export_ecc_raw: Added gnutls_privkey_export_dsa_raw: Added gnutls_privkey_export_rsa_raw: Added gnutls_privkey_import_ecc_raw: Added gnutls_privkey_import_dsa_raw: Added gnutls_privkey_import_rsa_raw: Added gnutls_privkey_verify_params: Added gnutls_x509_crt_check_hostname2: Added gnutls_openpgp_crt_check_hostname2: Added gnutls_x509_name_constraints_init: Added gnutls_x509_name_constraints_deinit: Added gnutls_x509_crt_get_name_constraints: Added gnutls_x509_name_constraints_add_permitted: Added gnutls_x509_name_constraints_add_excluded: Added gnutls_x509_crt_set_name_constraints: Added gnutls_x509_name_constraints_get_permitted: Added gnutls_x509_name_constraints_get_excluded: Added gnutls_x509_name_constraints_check: Added gnutls_x509_name_constraints_check_crt: Added gnutls_x509_crl_get_extension_data2: Added gnutls_x509_crt_get_extension_data2: Added gnutls_x509_crq_get_extension_data2: Added gnutls_subject_alt_names_init: Added gnutls_subject_alt_names_deinit: Added gnutls_subject_alt_names_get: Added gnutls_subject_alt_names_set: Added gnutls_x509_ext_import_subject_alt_names: Added gnutls_x509_ext_export_subject_alt_names: Added gnutls_x509_crl_dist_points_init: Added gnutls_x509_crl_dist_points_deinit: Added gnutls_x509_crl_dist_points_get: Added gnutls_x509_crl_dist_points_set: Added gnutls_x509_ext_import_crl_dist_points: Added gnutls_x509_ext_export_crl_dist_points: Added gnutls_x509_ext_import_name_constraints: Added gnutls_x509_ext_export_name_constraints: Added gnutls_x509_aia_init: Added gnutls_x509_aia_deinit: Added gnutls_x509_aia_get: Added gnutls_x509_aia_set: Added gnutls_x509_ext_import_aia: Added gnutls_x509_ext_export_aia: Added gnutls_x509_ext_import_subject_key_id: Added gnutls_x509_ext_export_subject_key_id: Added gnutls_x509_ext_export_authority_key_id: Added gnutls_x509_ext_import_authority_key_id: Added gnutls_x509_aki_init: Added gnutls_x509_aki_get_id: Added gnutls_x509_aki_get_cert_issuer: Added gnutls_x509_aki_set_id: Added gnutls_x509_aki_set_cert_issuer: Added gnutls_x509_aki_deinit: Added gnutls_x509_ext_import_private_key_usage_period: Added gnutls_x509_ext_export_private_key_usage_period: Added gnutls_x509_ext_import_basic_constraints: Added gnutls_x509_ext_export_basic_constraints: Added gnutls_x509_ext_import_key_usage: Added gnutls_x509_ext_export_key_usage: Added gnutls_x509_ext_import_proxy: Added gnutls_x509_ext_export_proxy: Added gnutls_x509_policies_init: Added gnutls_x509_policies_deinit: Added gnutls_x509_policies_get: Added gnutls_x509_policies_set: Added gnutls_x509_ext_import_policies: Added gnutls_x509_ext_export_policies: Added gnutls_x509_key_purpose_init: Added gnutls_x509_key_purpose_deinit: Added gnutls_x509_key_purpose_set: Added gnutls_x509_key_purpose_get: Added gnutls_x509_ext_import_key_purposes: Added gnutls_x509_ext_export_key_purposes: Added gnutls_digest_self_test: Added (conditionally) gnutls_mac_self_test: Added (conditionally) gnutls_pk_self_test: Added (conditionally) gnutls_cipher_self_test: Added (conditionally) gnutls_global_set_mem_functions: Deprecated @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.112 2015/02/11 11:25:57 adam Exp $ d10 1 d15 1 a15 1 SHA1 (patch-tests_Makefile.in) = 5a52b56d247f999f8c16a068291c5dfb2ec80f6c @ 1.112 log @Changes 3.2.21: ** libgnutls: Corrected regression introduced in 3.2.19 related to session renegotiation. Reported by Dan Winship. ** libgnutls: Corrected parsing issue with OCSP responses. ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.111 2014/12/31 16:05:07 rumko Exp $ d3 13 a15 14 SHA1 (gnutls-3.2.21.tar.xz) = fa12e643ad21bcaf450d534f262c813d75843966 RMD160 (gnutls-3.2.21.tar.xz) = 8d3b7817dcd28d3c4f1e3ad0d014ab7891daa7f9 Size (gnutls-3.2.21.tar.xz) = 5162040 bytes SHA1 (patch-ae) = b6402cc4a03f1b32792191518ed0c5596eb91c07 SHA1 (patch-gl_stdio.in.h) = cad0685b77a1abb74ac578695ceb5c1c74479a87 SHA1 (patch-lib_Makefile.in) = a75aa7bf9d493fae93b02d0ffdc82f538cc85737 SHA1 (patch-lib_nettle_rnd.c) = bbce9bbb61d2be625585f6c8ed5bda95f3a80344 SHA1 (patch-lib_system.h) = fb67be62f1e889a665a65ab151ced24fa1ab3e2e SHA1 (patch-src_libopts_autoopts_options.h) = 60be5b43f23ba5978759c1e245781da7f9125071 SHA1 (patch-src_libopts_compat_compat.h) = 2e0a1be460917b2d7a8f6bdac698dad405143013 SHA1 (patch-src_libopts_makeshell.c) = c94e717027d078a081acd10eaec51a44dc4d42e1 SHA1 (patch-src_libopts_proto.h) = 9749cc4bd080e1a8d800bde181143acb9c340ec8 SHA1 (patch-tests_Makefile.in) = 0c2e37c632686301855cf6d0ed09583e797ae4e3 SHA1 (patch-tests_openpgp-certs_Makefile.in) = 8d3a7e7e4fb063465e0fbdfae22a7bf579529b0c @ 1.112.2.1 log @Pullup ticket #4741 - requested by tron security/gnutls: build fix Revisions pulled up: - security/gnutls/distinfo 1.115 - security/gnutls/patches/patch-src_libopts_libopts.c 1.1 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: joerg Date: Mon Jun 8 13:44:57 UTC 2015 Modified Files: pkgsrc/security/gnutls: distinfo Added Files: pkgsrc/security/gnutls/patches: patch-src_libopts_libopts.c Log Message: Workaround gettext context function definition mess to unbreak NetBSD/current. To generate a diff of this commit: cvs rdiff -u -r1.114 -r1.115 pkgsrc/security/gnutls/distinfo cvs rdiff -u -r0 -r1.1 \ pkgsrc/security/gnutls/patches/patch-src_libopts_libopts.c @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.112 2015/02/11 11:25:57 adam Exp $ a12 1 SHA1 (patch-src_libopts_libopts.c) = ce5e7681def882e95ed5ab770564d1f999b97039 @ 1.111 log @security/gnutls: Fix struct in6_addr being an incomplete type In lib/x509/rfc2818_hostname.c, ipv6 related structs are used, but at least on FreeBSD, arpa/inet.h does not contains the necessary structs. If netinet/in.h is present, we use it instead of arpa/inet.h. Reviewed by wiz @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.110 2014/12/05 12:43:24 khorben Exp $ d3 3 a5 3 SHA1 (gnutls-3.2.20.tar.xz) = 6b104f737330ff2f6833b8c5d80e1cd2c3fcfb66 RMD160 (gnutls-3.2.20.tar.xz) = 02617d710a4dc9a81664176da22cd2e5062e6527 Size (gnutls-3.2.20.tar.xz) = 5160184 bytes @ 1.110 log @Packaged gnutls 3.2.20 * Version 3.2.20 (released 2014-11-10) ** libgnutls: Removed superfluous random generator refresh on every call of gnutls_deinit(). That reduces load and usage of /dev/urandom. ** libgnutls: Corrected issue in export of ECC parameters to X9.63 format. Reported by Sean Burford [GNUTLS-SA-2014-5]. ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD$ d10 1 @ 1.109 log @Packaged gnutls 3.2.19 * Version 3.2.19 (released 2014-10-13) ** libgnutls: Fixes in the transparent import of PKCS #11 certificates. Reported by Joseph Peruski. ** libgnutls: Fixed issue with unexpected non-fatal errors resetting the handshake's hash buffer, in applications using the heartbeat extension or DTLS. Reported by Joeri de Ruiter. ** libgnutls: fix issue in DTLS retransmission when session tickets were in use; reported by Manuel Pégourié-Gonnard. ** libgnutls: Prevent abort() in library if getrusage() fails. Try to detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work. ** guile: new 'set-session-server-name!' procedure; see the manual for details. ** API and ABI modifications: No changes since last version. @ text @d3 3 a5 3 SHA1 (gnutls-3.2.19.tar.xz) = 1dfbbfa2bcf0a62a1dbbc63825b6fc2cc8e13c80 RMD160 (gnutls-3.2.19.tar.xz) = 9b6010acd2f9c9ec58d09a76b2895dc64c6974ea Size (gnutls-3.2.19.tar.xz) = 5160012 bytes d9 1 a9 1 SHA1 (patch-lib_nettle_rnd.c) = 8e27ae5b7aacc791b71fa767edac9ba9ef67c7e3 @ 1.108 log @Changes 3.2.18: ** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle strings with embedded spaces and escaped commas. ** libgnutls: Corrected gnutls_x509_crl_verify() which would always report a CRL signature as invalid. ** libgnutls: Fixed issue with certificates being sanitized by gnutls prior to signature verification. That resulted to certain non-DER compliant modifications of valid certificates, being corrected by libtasn1's parser and restructured as the original. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.107 2014/08/30 12:45:11 adam Exp $ d3 3 a5 3 SHA1 (gnutls-3.2.18.tar.xz) = 3351c72658c974ad5e61ffde98caef0ae7e184e3 RMD160 (gnutls-3.2.18.tar.xz) = 6d005a71443261b39cd862f3cf0e54afb80ce6ed Size (gnutls-3.2.18.tar.xz) = 5154476 bytes d7 3 a9 3 SHA1 (patch-gl_stdio.in.h) = b5802da2cccddd6fab73bd39c49f7d62bef58464 SHA1 (patch-lib_Makefile.in) = d395121b1b640aed76aff8033106c978e7ec4ce7 SHA1 (patch-lib_nettle_rnd.c) = e3a35d2b492cbb719c178c90fa87861dfa828ce7 d14 2 a15 2 SHA1 (patch-tests_Makefile.in) = 43e3f23665f2ccc71413e830e7f6f1c8850a518a SHA1 (patch-tests_openpgp-certs_Makefile.in) = 6eda841bb9a33215865d751707c67f253b4e04cf @ 1.107 log @Changes 3.2.17: ** libgnutls: initialize parameters variable on PKCS 8 decryption. ** libgnutls: Explicitly set the exponent in PKCS 11 key generation. That improves compatibility with certain PKCS 11 modules. Contributed by Wolfgang Meyer zu Bergsten. ** libgnutls: gnutls_pkcs12_verify_mac() will not fail in other than SHA1 algorithms. ** libgnutls: when checking the hostname of a certificate with multiple CNs ensure that the "most specific" CN is being used. ** libgnutls: In DTLS ignore only errors that relate to unexpected packets and decryption failures. ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.106 2014/05/30 13:20:23 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-3.2.17.tar.xz) = c48b02912c5dc77b627f1f17dcc05c2be1d59b0f RMD160 (gnutls-3.2.17.tar.xz) = d783071d9a1c23d76dce854e8e732c04b144483f Size (gnutls-3.2.17.tar.xz) = 5151932 bytes a9 1 SHA1 (patch-src_libopts_autoopts.h) = bddca27fd49c8ea0c62f339bd2754ec7a278fb5b @ 1.106 log @Update to 3.2.15: * Version 3.2.15 (released 2014-05-30) ** libgnutls: Eliminated memory corruption issue in Server Hello parsing. Issue reported by Joonas Kuorilehto of Codenomicon. ** libgnutls: Several memory leaks caused by error conditions were fixed. The leaks were identified using valgrind and the Codenomicon TLS test suite. ** libgnutls: Increased the maximum certificate size buffer in the PKCS #11 subsystem. ** libgnutls: Check the return code of getpwuid_r() instead of relying on the result value. That avoids issue in certain systems, when using tofu authentication and the home path cannot be determined. Issue reported by Viktor Dukhovni. ** gnutls-cli: if dane is requested but not PKIX verification, then only do verify the end certificate. ** ocsptool: Include path in ocsp request. This resolves #108582 (https://savannah.gnu.org/support/?108582), reported by Matt McCutchen. ** API and ABI modifications: No changes since last version. * Version 3.2.14 (released 2014-05-06) ** libgnutls: Fixed issue with the check of incoming data when two different recv and send pointers have been specified. Reported and investigated by JMRecio. ** libgnutls: Fixed issue in the RSA-PSK key exchange, which would result to illegal memory access if a server hint was provided. ** libgnutls: Fixed client memory leak in the PSK key exchange, if a server hint was provided. ** libgnutls: Several small bug fixes identified using valgrind and the Codenomicon TLS test suite. ** libgnutls: Several small bug fixes found by coverity. ** libgnutls-dane: Accept a certificate using DANE if there is at least one entry that matches the certificate. Patch by simon [at] arlott.org. ** configure: Added --with-nettle-mini option, which allows linking with a libnettle that contains gmp. ** certtool: The ECDSA keys generated by default use the SECP256R1 curve which is supported more widely than the previously used SECP224R1. ** API and ABI modifications: No changes since last version. * Version 3.2.13 (released 2014-04-07) ** libgnutls: gnutls_openpgp_keyring_import will no longer fail silently if there are no base64 data. Report and patch by Ramkumar Chinchani. ** libgnutls: gnutls_record_send is now safe to be called under DTLS when in corked mode. ** libgnutls: Ciphersuites that use the SHA256 or SHA384 MACs are only available in TLS 1.0 as SSL 3.0 doesn't specify parameters for these algorithms. ** libgnutls: Changed the behaviour in wildcard acceptance in certificates. Wildcards are only accepted when there are more than two domain components after the wildcard. This drops support for the permissive RFC2818 wildcards and adds more conservative support based on the suggestions in RFC6125. Suggested by Jeffrey Walton. ** certtool: When no password is provided to export a PKCS #8 keys, do not encrypt by default. This reverts to the certtool behavior of gnutls 3.0. The previous behavior of encrypting using an empty password can be replicating using the new parameter --empty-password. ** p11tool: Avoid dual initialization of the PKCS #11 subsystem when the --provider option is given. ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.105 2014/03/04 09:34:19 adam Exp $ d3 3 a5 3 SHA1 (gnutls-3.2.15.tar.xz) = 31f289b48b0bf054f5f8c16d3b878615d0ae06fc RMD160 (gnutls-3.2.15.tar.xz) = fb4b7b18f88b0a077d2fb898a72dd4b866428bf1 Size (gnutls-3.2.15.tar.xz) = 5140200 bytes d10 1 d13 2 @ 1.105 log @Changes 3.2.12: ** libgnutls: Corrected certificate verification issue (GNUTLS-SA-2014-2) ** libgnutls: Corrected issue in gnutls_pcert_list_import_x509_raw when provided with invalid data. Reported by Dmitriy Anisimkov. ** libgnutls: Corrected timeout issue in subsequent to the first DTLS handshakes. ** libgnutls: Removed unconditional not-trusted message in gnutls_certificate_verification_status_print() when used with OpenPGP certificates. Reported by Michel Briand. ** libgnutls: All ciphersuites that were available in TLS1.0 or later are now made available in SSL3.0 or later to prevent any incompatibilities with servers that negotiate them in SSL 3.0. ** ocsptool: When verifying a response and a signer isn't provided assume that the signer is the issuer. ** ocsptool: When sending a nonce, verify that the nonce exists in the OCSP response. ** gnutls-cli: Added --strict-tofu option; contributed by Jens Lechtenboerger. ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.104 2014/02/14 17:24:27 drochner Exp $ d3 3 a5 3 SHA1 (gnutls-3.2.12.tar.xz) = bf14fdd897d572091b51a71070ed91332a0376a4 RMD160 (gnutls-3.2.12.tar.xz) = c64e96f40fd36d6edac83484fe90c4ede562b1ea Size (gnutls-3.2.12.tar.xz) = 5136220 bytes @ 1.105.2.1 log @Pullup ticket #4430 - requested by tron security/gnutls: security update Revisions pulled up: - security/gnutls/Makefile 1.146 - security/gnutls/distinfo 1.106 --- Module Name: pkgsrc Committed By: wiz Date: Fri May 30 13:20:23 UTC 2014 Modified Files: pkgsrc/security/gnutls: Makefile distinfo Log Message: Update to 3.2.15: * Version 3.2.15 (released 2014-05-30) ** libgnutls: Eliminated memory corruption issue in Server Hello parsing. Issue reported by Joonas Kuorilehto of Codenomicon. ** libgnutls: Several memory leaks caused by error conditions were fixed. The leaks were identified using valgrind and the Codenomicon TLS test suite. ** libgnutls: Increased the maximum certificate size buffer in the PKCS #11 subsystem. ** libgnutls: Check the return code of getpwuid_r() instead of relying on the result value. That avoids issue in certain systems, when using tofu authentication and the home path cannot be determined. Issue reported by Viktor Dukhovni. ** gnutls-cli: if dane is requested but not PKIX verification, then only do verify the end certificate. ** ocsptool: Include path in ocsp request. This resolves #108582 (https://savannah.gnu.org/support/?108582), reported by Matt McCutchen. ** API and ABI modifications: No changes since last version. * Version 3.2.14 (released 2014-05-06) ** libgnutls: Fixed issue with the check of incoming data when two different recv and send pointers have been specified. Reported and investigated by JMRecio. ** libgnutls: Fixed issue in the RSA-PSK key exchange, which would result to illegal memory access if a server hint was provided. ** libgnutls: Fixed client memory leak in the PSK key exchange, if a server hint was provided. ** libgnutls: Several small bug fixes identified using valgrind and the Codenomicon TLS test suite. ** libgnutls: Several small bug fixes found by coverity. ** libgnutls-dane: Accept a certificate using DANE if there is at least one entry that matches the certificate. Patch by simon [at] arlott.org. ** configure: Added --with-nettle-mini option, which allows linking with a libnettle that contains gmp. ** certtool: The ECDSA keys generated by default use the SECP256R1 curve which is supported more widely than the previously used SECP224R1. ** API and ABI modifications: No changes since last version. * Version 3.2.13 (released 2014-04-07) ** libgnutls: gnutls_openpgp_keyring_import will no longer fail silently if there are no base64 data. Report and patch by Ramkumar Chinchani. ** libgnutls: gnutls_record_send is now safe to be called under DTLS when in corked mode. ** libgnutls: Ciphersuites that use the SHA256 or SHA384 MACs are only available in TLS 1.0 as SSL 3.0 doesn't specify parameters for these algorithms. ** libgnutls: Changed the behaviour in wildcard acceptance in certificates. Wildcards are only accepted when there are more than two domain components after the wildcard. This drops support for the permissive RFC2818 wildcards and adds more conservative support based on the suggestions in RFC6125. Suggested by Jeffrey Walton. ** certtool: When no password is provided to export a PKCS #8 keys, do not encrypt by default. This reverts to the certtool behavior of gnutls 3.0. The previous behavior of encrypting using an empty password can be replicating using the new parameter --empty-password. ** p11tool: Avoid dual initialization of the PKCS #11 subsystem when the --provider option is given. ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD$ d3 3 a5 3 SHA1 (gnutls-3.2.15.tar.xz) = 31f289b48b0bf054f5f8c16d3b878615d0ae06fc RMD160 (gnutls-3.2.15.tar.xz) = fb4b7b18f88b0a077d2fb898a72dd4b866428bf1 Size (gnutls-3.2.15.tar.xz) = 5140200 bytes @ 1.104 log @update to 3.2.11 changes: Fix bug that prevented the rejection of v1 intermediate CA certificates (CVE-2014-1959) @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.103 2014/02/10 12:01:19 tron Exp $ d3 3 a5 3 SHA1 (gnutls-3.2.11.tar.xz) = 7204edeffc06ff4d60b181b65ea6ada5f4d31b24 RMD160 (gnutls-3.2.11.tar.xz) = 4e992da1ec9da3f6ee1e9b0e4210648530070e02 Size (gnutls-3.2.11.tar.xz) = 5135168 bytes @ 1.103 log @Add patch from GnuTLS repository to fix build of assembler routines under Mac OS X. Crucial hint provided by Nikos Mavrogiannopoulos. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.102 2014/01/25 10:59:22 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-3.2.9.tar.xz) = 6644d1034c3880c3a52d4e1da344f2423a02dd6c RMD160 (gnutls-3.2.9.tar.xz) = fa434a751735a9c4a6af65d512c0bbab9245344b Size (gnutls-3.2.9.tar.xz) = 5134196 bytes d9 1 a9 4 SHA1 (patch-lib_accelerated_x86_aes-cbc-x86-aesni.c) = ec5e51a623f31025a864d15dc6386de9fc85807a SHA1 (patch-lib_accelerated_x86_aes-cbc-x86-ssse3.c) = 45f4c04e008fb40aea4a04e0bd81c669c2d9f793 SHA1 (patch-lib_accelerated_x86_x86.h) = d56fc79389d561bbd76da32f8f1ed778adb7768c SHA1 (patch-lib_nettle_rnd.c) = c0b0bd744e2370abd111f5418668bbf4dc0ea35d @ 1.102 log @Update to 3.2.9 based on patch from Richard Palo. Assembler issues still seem to be there at least on SunOS. * Version 3.2.9 (released 2014-01-24) ** libgnutls: The %DUMBFW option in priority string only appends data to client hello if the expected size is in the "black hole" range. ** libgnutls: %COMPAT implies %DUMBFW. ** libgnutls: gnutls_session_get_desc() returns a more compact ciphersuite description. * libgnutls: In PKCS #11 allow deleting multiple non-certificate data. ** libgnutls: When a PKCS #11 trust store is specified (e.g. using the configure option --with-default-trust-store-pkcs11), then the PKCS #11 token is used on demand to obtain the trusted anchors, rather than preloading all trusted certificates. That delegates CA certificate management and blacklist checking to the PKCS #11 module. ** libgnutls: When a PKCS #11 trust store is specified in configure option or in gnutls_x509_trust_list_add_trust_file(), then the module is used to obtain the verification anchors and any required blacklists as in http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-pkcs11.html ** libgnutls: Fix in OCSP certificate status extension handling in non-blocking servers. Patch by Nils Maier. ** p11tool: Added --so-login option to force login as security officer (admin). ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.101 2014/01/16 10:14:09 wiz Exp $ d6 1 a6 1 SHA1 (patch-ae) = 71fbbeb43ac1689fca6fec7f8348d8534c1dc38a d8 4 a11 1 SHA1 (patch-lib_Makefile.in) = 00cbff0bfaf8f5b8ec6db8dbe12d14a1cb3ffb9b @ 1.101 log @Update to 3.2.8.1. Changes in 3.2.8.1: Note, that I've realized that this release has issues with the assembly files in win32 and macosx systems. In these systems use gnutls 3.2.8.1. 3.2.8: * Version 3.2.8 (released 2013-12-20) ** libgnutls: Updated code for AES-NI. That prevents an uninitialized variable complaint from valgrind. ** libgnutls: Enforce a maximum size for DH primes. ** libgnutls: Added SSSE3 optimized SHA1, and SHA256, using Andy Polyakov's code. ** libgnutls: Added SSSE3 optimized AES using Mike Hamburg's code. ** libgnutls: It only links to librt if the required functions are not present in libc. This also prevents an indirect linking to libpthread. ** libgnutls: Fixed issue with gnulib strerror replacement by adding the strerror gnulib module. ** libgnutls: The time provided in the TLS random values is only precise on its first 3 bytes. That prevents leakage of the precise system time (at least on the client side when only few connections are done on a single server). ** certtool: The --verify option will use the system CAs if the load-ca-certificate option is not provided. ** configure: Added option --with-default-blacklist-file to allow specifying a certificate blacklist file. ** configure: Added --disable-non-suiteb-curves option. This option restricts the supported curves to SuiteB curves. ** API and ABI modifications: gnutls_record_check_corked: Added @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.100 2013/11/29 22:55:29 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-3.2.8.1.tar.xz) = 0003d68285949cb4af7f2a1707c41d9860af650e RMD160 (gnutls-3.2.8.1.tar.xz) = b8bfd6e36e9a15e2eedb226dd3867df197c0d414 Size (gnutls-3.2.8.1.tar.xz) = 5135260 bytes @ 1.100 log @Update to 3.2.7: * Version 3.2.7 (released 2013-11-23) ** libgnutls: gnutls_cipher_get_iv_size() now returns the correct IV size in GCM ciphers (previously it returned the implicit IV used in TLS). ** libgnutls: gnutls_certificate_set_x509_key_file() et al when provided with a PKCS #11 URL pointing to a certificate, will attempt to load the whole chain. ** libgnutls: When traversing PKCS #11 tokens looking for an object, avoid looking in unrelated to the object tokens. ** libgnutls: Added an experimental %DUMBFW option in priority strings. This avoids a black hole behavior in some firewalls by sending a large client hello. See http://www.ietf.org/mail-archive/web/tls/current/msg10423.html ** libgnutls: The GNUTLS_DEBUG_LEVEL variable if set to a log level number will force output of debug messages to stderr. ** libgnutls: Fixed the setting of the ciphersuite when gnutls_premaster_set() is used with another protocol than the GNUTLS_DTLS0_9 protocol. ** libgnutls: gnutls_x509_crt_set_expiration_time() will set the no well defined expiration date when (time_t)-1 is specified as date. ** libgnutls: Session tickets are encrypted using AES-GCM. ** libgnutls: Corrected issue in record decompression. Issue pinpointed by Frank Zschockel. ** libgnutls: Forbid all compression methods in DTLS. ** gnutls-serv: Fixed issue with IPv6 address in UDP mode. ** certtool: When exporting an encrypted PEM private key do not output the key parameters. ** certtool: Expiration days template option allows for a -1 value which will set to the no well defined expiration date (RFC5280), and no longer chokes on integer overflows. Suggested by Stefan Buehler. ** certtool: Added new template options: 'activation_date', and 'expiration_date'. ** tools: The environment variable GNUTLS_PIN can be used to read any PIN requested from tokens. ** tools: The installed version of libopts is used if the autogen tool is present. ** API and ABI modifications: gnutls_pkcs11_obj_export3: Added gnutls_pkcs11_get_raw_issuer: Added gnutls_est_record_overhead_size: Exported @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.99 2013/10/31 14:41:48 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-3.2.7.tar.xz) = 8c86048e7c01abb25f9285188d629f1f0f2bc6be RMD160 (gnutls-3.2.7.tar.xz) = 3a3135441555b1c67a06696d973895b68a11c68a Size (gnutls-3.2.7.tar.xz) = 5098572 bytes a6 1 SHA1 (patch-configure) = 66927d81a0d22624d70181e73e6a2b856483118e a8 1 SHA1 (patch-lib_nettle_egd.c) = 7c04ce0e731ad55b3baae3d1d53dda29c50972c1 d12 2 @ 1.100.2.1 log @Pullup ticket #4331 - requested by drochner security/gnutls: security patch Apply patch to fix security vulnerability reported in CVE-2014-1959. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.100 2013/11/29 22:55:29 wiz Exp $ a5 1 SHA1 (patch-CVE-2014-1959) = 8a2f985990e054b69f578cb5eb9faf7868342685 @ 1.99 log @Update to 3.2.6: * Version 3.2.6 (released 2013-10-31) ** libgnutls: Support for TPM via trousers is now enabled by default. ** libgnutls: Camellia in GCM mode has been added in default priorities, and GCM mode is prioritized over CBC in all of the default priority strings. ** libgnutls: Added ciphersuite GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384. ** libgnutls: Fixed ciphersuites GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384, GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 and GNUTLS_PSK_CAMELLIA_128_GCM_SHA256. Reported by Stefan Buehler. ** libgnutls: Added support for ISO OID for RSA-SHA1 signatures. ** libgnutls: Minimum acceptable DH group parameters were increased to 767 bits from 727. ** libgnutls: Added function to obtain random data from PKCS #11 tokens. Contributed by Wolfgang Meyer zu Bergsten. ** gnulib: updated. ** libdane: Fixed a one-off bug in dane_query_tlsa() introduced by the previous fix. Reported by Tomas Mraz. ** p11tool: Added option generate-random. ** API and ABI modifications: gnutls_pkcs11_token_get_random: Added @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.98 2013/10/27 23:13:09 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-3.2.6.tar.xz) = eb5a404d297e8ee2f344bcd9cdeea86fe8977287 RMD160 (gnutls-3.2.6.tar.xz) = df4105b28241eac7ac18206e24ea3dc9723dc697 Size (gnutls-3.2.6.tar.xz) = 4992204 bytes d7 1 d9 3 a11 2 SHA1 (patch-lib_Makefile.in) = 949df8644a1f6085d8ad63984188cee0518a837a SHA1 (patch-lib_nettle_egd.c) = b7e9769e8c620519c43ca7b7481a558e9d389c68 @ 1.98 log @Update to 3.2.5: * Version 3.2.5 (released 2013-10-23) ** libgnutls: Documentation and build-time fixes. ** libgnutls: Allow the generation of DH groups of less than 700 bits. ** libgnutls: Added several combinations of ciphersuites with SHA256 and SHA384 as MAC, as well as Camellia with GCM. ** libdane: Added interfaces to allow initialization of dane_query_t from external DNS resolutions, and to allow direct verification of a certificate chain against a dane_query_t. Contributed by Christian Grothoff. ** libdane: Fixed a buffer overflow in dane_query_tlsa(). This could be triggered by a DNS server supplying more than 4 DANE records. Report and fix by Christian Grothoff. ** srptool: Fixed index command line option. Patch by Attila Molnar. ** gnutls-cli: Added support for inline commands, using the --inline-commands-prefix and --inline-commands options. Patch by Raj Raman. ** certtool: pathlen constraint is now read correctly. Reported by Christoph Seitz. ** API and ABI modifications: gnutls_certificate_get_crt_raw: Added dane_verify_crt_raw: Added dane_raw_tlsa: Added * Version 3.2.4 (released 2013-08-31) ** libgnutls: Fixes when session tickets and session DB are used. Report and initial patch by Stefan Buehler. ** libgnutls: Added the RSA-PSK key exchange. Patch by by Frank Morgner, based on previous patch by Bardenheuer GmbH and Bundesdruckerei GmbH. ** libgnutls: Added ciphersuites that use ARCFOUR with ECDHE. Patch by Stefan Buehler. ** libgnutls: Added the PFS priority string option. ** libgnutls: Gnulib included files are strictly LGPLv2. ** libgnutls: Corrected gnutls_certificate_server_set_request(). Reported by Petr Pisar. ** API and ABI modifications: gnutls_record_set_timeout: Exported @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.97 2013/10/25 09:03:12 jperkin Exp $ d3 3 a5 3 SHA1 (gnutls-3.2.5.tar.xz) = 088eee3297d036754414f40ae49ef9ea9e83c679 RMD160 (gnutls-3.2.5.tar.xz) = aeb4e709bbe2987d7363266bb86e9bfc98d7fb1c Size (gnutls-3.2.5.tar.xz) = 4987156 bytes @ 1.97 log @Add stdbool.h workaround for older OSX. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.96 2013/08/01 20:00:59 adam Exp $ d3 3 a5 3 SHA1 (gnutls-3.2.3.tar.xz) = 18f5fffd1a0384944cb76cbedc0720c4726470f4 RMD160 (gnutls-3.2.3.tar.xz) = bde21d617cbef1051b019a99915ebf51246819d2 Size (gnutls-3.2.3.tar.xz) = 5119264 bytes @ 1.96 log @Changes 3.2.3: ** libgnutls: Fixes in parsing of priority strings. Patch by Stefan Buehler. ** libgnutls: Solve issue with received TLS packets that exceed 2^14. (this fixes a bug that was accidentally introduced in 3.2.2) ** libgnutls: Removed gnulib modules under LGPLv3 that could possibly be used by the library. ** libgnutls: Fixes in gnutls_record_send_range(). ** API and ABI modifications: gnutls_priority_kx_list: Added gnutls_priority_mac_list: Added gnutls_priority_cipher_list: Added @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.95 2013/07/15 08:19:15 wiz Exp $ d10 2 @ 1.95 log @Update to 3.2.2, with SunOS updates from Jörn Clausen. * Version 3.2.2 (released 2013-07-14) ** libgnutls: Several optimizations in the related to packet processing subsystems. ** libgnutls: DTLS replay detection can now be disabled (to be used in certain transport layers like SCTP). ** libgnutls: Fixes in SRTP extension generation when MKI is being used. ** libgnutls: Added ability to set hooks before or after sending or receiving any handshake message with gnutls_handshake_set_hook_function(). ** API and ABI modifications: GNUTLS_NO_REPLAY_PROTECTION: Added gnutls_certificate_set_trust_list: Added gnutls_cipher_get_tag_size: Added gnutls_record_overhead_size: Added gnutls_est_record_overhead_size: Added gnutls_handshake_set_hook_function: Added gnutls_handshake_description_get_name: Added gnutls_digest_list: Added gnutls_digest_get_id: Added gnutls_digest_get_name: Added @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.94 2013/07/08 08:30:01 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-3.2.2.tar.xz) = ff3e1c25fade8e928700fa63f006265c7d9d1c08 RMD160 (gnutls-3.2.2.tar.xz) = f91c1729982bea8f42444d5f381fa9045bdd24bf Size (gnutls-3.2.2.tar.xz) = 5164372 bytes d8 1 a8 1 SHA1 (patch-lib_Makefile.in) = 2121ed1e974cd71fe49c286f7e91135be12d915f @ 1.94 log @Update to 3.2.1. * Version 3.2.1 (released 2013-06-01) ** libgnutls: Allow ECC when in SSL 3.0 to work-around a bug in certain openssl versions. ** libgnutls: Fixes in interrupted function resumption. Report and patch by Tim Kosse. ** libgnutls: Corrected issue when receiving client hello verify requests in DTLS. ** libgnutls: Fixes in DTLS record overhead size calculations. ** libgnutls: gnutls_handshake_get_last_in() was fixed. Reported by Mann Ern Kang. ** API and ABI modifications: gnutls_session_set_id: Added * Version 3.2.0 (released 2013-05-10) ** libgnutls: Use nettle's elliptic curve implementation. ** libgnutls: Added Salsa20 cipher ** libgnutls: Added UMAC-96 and UMAC-128 ** libgnutls: Added ciphersuites involving Salsa20 and UMAC-96. As they are not standardized they are defined using private ciphersuite numbers. ** libgnutls: Added support for DTLS 1.2. ** libgnutls: Added support for the Application Layer Protocol Negotiation (ALPN) extension. ** libgnutls: Removed support for the RSA-EXPORT ciphersuites. ** libgnutls: Avoid linking to librt (that also avoids unnecessary linking to pthreads if p11-kit isn't used). ** API and ABI modifications: gnutls_cipher_get_iv_size: Added gnutls_hmac_set_nonce: Added gnutls_mac_get_nonce_size: Added * Version 3.1.10 (released 2013-03-22) ** certtool: When generating PKCS #12 files use by default the ARCFOUR (RC4) cipher to be compatible with devices that don't support AES with PKCS #12. ** libgnutls: Load CA certificates in android 4.x systems. ** libgnutls: Optimized CA certificate loading. ** libgnutls: Private keys are overwritten on deinitialization. ** libgnutls: PKCS #11 slots are scanned only when needed, not on initialization. This speeds up gnutls initialization when smart cards are present. ** libgnutls: Corrected issue in the (deprecated) external key signing interface, when used with TLS 1.2. Reported by Bjorn H. Christensen. ** libgnutls: Fixes in openpgp handshake with fingerprints. Reported by Joke de Buhr. ** libgnutls-dane: Updated DANE verification options. ** configure: Trust store file must be explicitly set or unset when cross compiling. ** API and ABI modifications: gnutls_x509_crt_get_issuer_dn2: Added gnutls_x509_crt_get_dn2: Added gnutls_x509_crl_get_issuer_dn2: Added gnutls_x509_crq_get_dn2: Added gnutls_x509_trust_list_remove_trust_mem: Added gnutls_x509_trust_list_remove_trust_file: Added gnutls_x509_trust_list_remove_cas: Added gnutls_session_get_desc: Added gnutls_privkey_sign_raw_data: Added gnutls_privkey_status: Added * Version 3.1.9 (released 2013-02-27) ** certtool: Option --to-p12 will now ask for a password to generate a PKCS #12 file from an encrypted key file. Reported by Yan Fiz. ** libgnutls: Corrected issue in gnutls_pubkey_verify_data(). ** libgnutls: Corrected parsing issue in XMPP within a subject alternative name. Reported by James Cloos. ** libgnutls: gnutls_pkcs11_reinit() will reinitialize all PKCS #11 modules, and not only the ones loaded via p11-kit. ** libgnutls: Added function to check whether the private key is still available (inserted). ** libgnutls: Try to detect fork even during nonce generation. ** API and ABI modifications: gnutls_handshake_set_random: Added gnutls_transport_set_int2: Added gnutls_transport_get_int2: Added gnutls_transport_get_int: Added gnutls_record_cork: Exported gnutls_record_uncork: Exported gnutls_pkcs11_privkey_status: Added * Version 3.1.8 (released 2013-02-10) ** libgnutls: Fixed issue in gnutls_x509_privkey_import2() which didn't return GNUTLS_E_DECRYPTION_FAILED in all cases, and affect certtool operation with encrypted keys. Reported by Yan Fiz. ** libgnutls: The minimum DH bits accepted by priorities NORMAL and PERFORMANCE was set to previous defaults 727 bits. Reported by Diego Elio Petteno. ** libgnutls: Corrected issue which prevented gnutls_pubkey_verify_hash() to operate with long keys. Reported by Erik A Jensen. ** API and ABI modifications: No changes since last version. * Version 3.1.7 (released 2013-02-04) ** certtool: Added option "dn" which allows to directly set the DN in a template from an RFC4514 string. ** danetool: Added options: --dlv and --insecure. Suggested by Paul Wouters. ** libgnutls-xssl: Added a new library to simplify GnuTLS usage. ** libgnutls-dane: Added function to specify a DLV file. ** libgnutls: Heartbeat code was made optional. ** libgnutls: Fixes in server side of DTLS-0.9. ** libgnutls: DN variable 'T' was expanded to 'title'. ** libgnutls: Fixes in record padding parsing to prevent a timing attack. Issue reported by Kenny Paterson and Nadhem Alfardan. ** libgnutls: Added functions to directly set the DN in a certificate or request from an RFC4514 string. ** libgnutls: Optimizations in the random generator. The re-seeding of it is now explicitly done on every session deinit. ** libgnutls: Simplified the DTLS sliding window implementation. ** libgnutls: The minimum DH bits accepted by a client are now set by the specified priority string. The current values correspond to the previous defaults (727 bits), except for the SECURE128 and SECURE192 strings which increase the minimum to 1248 and 1776 respectively. ** libgnutls: Added the gnutls_record_cork() and uncork API to enable buffering in sending application data. ** libgnutls: Removed default random padding, and added a length-hiding interface instead. Both the server and the client must support this extension. Whether length-hiding can be used on a given session can be checked using gnutls_record_can_use_length_hiding(). Contributed by Alfredo Pironti. ** libgnutls: Added the experimental %NEW_PADDING priority string. It enables a new padding mechanism in TLS allowing arbitrary padding in TLS records in all ciphersuites, which makes length-hiding more efficient and solves the issues with timing attacks on CBC ciphersuites. ** libgnutls: Corrected gnutls_cipher_decrypt2() when used with AEAD ciphers (i.e., AES-GCM). Reported by William McGovern. ** API and ABI modifications: gnutls_db_check_entry_time: Added gnutls_record_set_timeout: Added gnutls_record_get_random_padding_status: Added gnutls_x509_crt_set_dn: Added gnutls_x509_crt_set_issuer_dn: Added gnutls_x509_crq_set_dn: Added gnutls_range_split: Added gnutls_record_send_range: Added gnutls_record_set_max_empty_records: Added gnutls_record_can_use_length_hiding: Added gnutls_rnd_refresh: Added xssl_deinit: Added xssl_flush: Added xssl_read: Added xssl_getdelim: Added xssl_write: Added xssl_printf: Added xssl_sinit: Added xssl_client_init: Added xssl_server_init: Added xssl_get_session: Added xssl_get_verify_status: Added xssl_cred_init: Added xssl_cred_deinit: Added dane_state_set_dlv_file: Added GNUTLS_SEC_PARAM_EXPORT: Added GNUTLS_SEC_PARAM_VERY_WEAK: Added * Version 3.1.6 (released 2013-01-02) ** libgnutls: Fixed record padding parsing issue. Reported by Kenny Patterson and Nadhem Alfardan. ** libgnutls: Several updates in the ASN.1 string handling subsystem. ** libgnutls: gnutls_x509_crt_get_policy() allows for a list of zero policy qualifiers. ** libgnutls: Ignore heartbeat messages when received out-of-order, instead of issuing an error. ** libgnutls: Stricter RSA PKCS #1 1.5 encoding and decoding. Reported by Kikuchi Masashi. ** libgnutls: TPM support is disabled by default because GPL programs cannot link with it. Use --with-tpm to enable it. ** libgnutls-guile: Fixed parallel compilation issue. ** gnutls-cli: It will try to connect to all possible returned addresses before failing. ** API and ABI modifications: No changes since last version. * Version 3.1.5 (released 2012-11-24) ** libgnutls: Added functions to parse the certificates policies extension. ** libgnutls: Handle BMPString (UCS-2) encoding in the Distinguished Name by translating it to UTF-8 (works on windows or systems with iconv). ** libgnutls: Added PKCS #11 key generation function that returns the public key on generation. ** libgnutls: Corrected bug in priority string parsing, that mostly affected combined levels. Patch by Tim Kosse. ** certtool: The --pubkey-info option can be combined with the --load-privkey or --load-request to print the corresponding public keys. ** certtool: It is able to set certificate policies via a template. ** certtool: Added --hex-numbers option which prints big numbers in an easier to parse format. ** p11tool: After key generation, outputs the public key (useful in tokens that do not store the public key). ** danetool: It is being built even without libgnutls-dane (the --check functionality is disabled though). ** API and ABI modifications: gnutls_pkcs11_privkey_generate2: Added gnutls_x509_crt_get_policy: Added gnutls_x509_crt_set_policy: Added gnutls_x509_policy_release: Added gnutls_pubkey_import_x509_crq: Added gnutls_pubkey_print: Added GNUTLS_CRT_PRINT_FULL_NUMBERS: Added * Version 3.1.4 (released 2012-11-10) ** libgnutls: gnutls_certificate_verify_peers2() will set flags depending on the available revocation data validity. ** libgnutls: Added gnutls_certificate_verification_status_print(), a function to print the verification status code in human readable text. ** libgnutls: Added priority string %VERIFY_DISABLE_CRL_CHECKS. ** libgnutls: Simplified certificate verification by adding gnutls_certificate_verify_peers3(). ** libgnutls: Added support for extension to establish keys for SRTP. Contributed by Martin Storsjo. ** libgnutls: The X.509 verification functions check the key usage bits and pathlen constraints and on failure output GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE. ** libgnutls: gnutls_x509_crl_verify() includes the time checks. ** libgnutls: Added verification flag GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN and made GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN the default. ** libgnutls: Always tolerate key usage violation errors from the side of the peer, but also notify via an audit message. ** gnutls-cli: Added --local-dns option. ** danetool: Corrected bug that prevented loading PEM files. ** danetool: Added --check option to allow querying and verifying a site's DANE data. ** libgnutls-dane: Added pkg-config file for the library. ** API and ABI modifications: gnutls_session_get_id2: Added gnutls_sign_is_secure: Added gnutls_certificate_verify_peers3: Added gnutls_ocsp_status_request_is_checked: Added gnutls_certificate_verification_status_print: Added gnutls_srtp_set_profile: Added gnutls_srtp_set_profile_direct: Added gnutls_srtp_get_selected_profile: Added gnutls_srtp_get_profile_name: Added gnutls_srtp_get_profile_id: Added gnutls_srtp_get_keys: Added gnutls_srtp_get_mki: Added gnutls_srtp_set_mki: Added gnutls_srtp_profile_t: Added dane_cert_type_name: Added dane_match_type_name: Added dane_cert_usage_name: Added dane_verification_status_print: Added GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED: Added GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE: Added GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE: Added GNUTLS_CERT_UNEXPECTED_OWNER: Added GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN: Added * Version 3.1.3 (released 2012-10-12) ** libgnutls: Added support for the OCSP Certificate Status extension. ** libgnutls: gnutls_certificate_verify_peers2() will use the OCSP certificate status extension in verification. ** libgnutls: Bug fixes in gnutls_x509_privkey_import_openssl(). ** libgnutls: Increased maximum password length in the PKCS #12 functions. ** libgnutls: Fixed the receipt of session tickets during session resumption. Reported by danblack at http://savannah.gnu.org/support/?108146 ** libgnutls: Added functions to export structures in an allocated buffer. ** libgnutls: Added gnutls_ocsp_resp_check_crt() to check whether the OCSP response corresponds to the given certificate. ** libgnutls: In client side gnutls_init() enables the session ticket and OCSP certificate status request extensions by default. The flag GNUTLS_NO_EXTENSIONS can be used to prevent that. ** libgnutls: Several updates in the OpenPGP code. The generating code is fully RFC6091 compliant and RFC5081 support is only supported in client mode. ** libgnutls-dane: Added. It is a library to provide DANE with DNSSEC certificate verification. ** gnutls-cli: Added --dane option to enable DANE certificate verification. ** danetool: Added tool to generate DANE TLSA Resource Records (RR). ** API and ABI modifications: gnutls_certificate_get_peers_subkey_id: Added gnutls_certificate_set_ocsp_status_request_function: Added gnutls_certificate_set_ocsp_status_request_file: Added gnutls_ocsp_status_request_enable_client: Added gnutls_ocsp_status_request_get: Added gnutls_ocsp_resp_check_crt: Added gnutls_dh_params_export2_pkcs3: Added gnutls_pubkey_export2: Added gnutls_x509_crt_export2: Added gnutls_x509_dn_export2: Added gnutls_x509_crl_export2: Added gnutls_pkcs7_export2: Added gnutls_x509_privkey_export2: Added gnutls_x509_privkey_export2_pkcs8: Added gnutls_x509_crq_export2: Added gnutls_openpgp_crt_export2: Added gnutls_openpgp_privkey_export2: Added gnutls_pkcs11_obj_export2: Added gnutls_pkcs12_export2: Added gnutls_pubkey_import_openpgp_raw: Added gnutls_pubkey_import_x509_raw: Added dane_state_init: Added dane_state_deinit: Added dane_query_tlsa: Added dane_query_status: Added dane_query_entries: Added dane_query_data: Added dane_query_deinit: Added dane_verify_session_crt: Added dane_verify_crt: Added dane_strerror: Added * Version 3.1.2 (released 2012-09-26) ** libgnutls: Fixed bug in gnutls_x509_trust_list_add_system_trust() and gnutls_x509_trust_list_add_trust_mem() that prevented the loading of certificates in the windows platform. ** libgnutls: Corrected bug in OpenPGP subpacket encoding. ** libgnutls: Added support for DTLS/TLS heartbeats by Olga Smolenchuk. (the work was done during Google Summer of Code). ** libgnutls: Added X.509 certificate verification flag GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN. This flag allows the verification of unsorted certificate chains and is enabled by default for TLS certificate verification (if gnutls_certificate_set_verify_flags() does not override it). ** libgnutls: Prints warning on certificates that contain keys of an insecure level. If the %COMPAT priority flag is not specified the TLS connection fails. ** libgnutls: Correctly restore gnutls_record_recv() in DTLS mode if interrupted during the retrasmition of handshake data. ** libgnutls: Better mingw32 support (patch by LRN). ** libgnutls: The %COMPAT keyword, if specified, will tolerate key usage violation errors (they are far too common to ignore). ** libgnutls: Added GNUTLS_STATELESS_COMPRESSION flag to gnutls_init(), which provides a tool to counter compression-related attacks where parts of the data are controlled by the attacker _and_ are placed in separate records (use with care - do not use compression if not sure). ** libgnutls: Depends on libtasn1 2.14 or later. ** certtool: Prints the number of bits of the public key algorithm parameter in a private key. ** API and ABI modifications: gnutls_x509_privkey_get_pk_algorithm2: Added gnutls_heartbeat_ping: Added gnutls_heartbeat_pong: Added gnutls_heartbeat_allowed: Added gnutls_heartbeat_enable: Added gnutls_heartbeat_set_timeouts: Added gnutls_heartbeat_get_timeout: Added GNUTLS_SEC_PARAM_WEAK: Added GNUTLS_SEC_PARAM_INSECURE: Added * Version 3.1.1 (released 2012-09-02) ** gnutls-serv: Listens on IPv6. Patch by Bernhard R. Link. ** certtool: Changes in password handling of certtool. Ask password when required and only if the '--password' option is not given. If the '--password' option is given during key generation then assume the PKCS #8 file format, instead of ignoring the password. ** tpmtool: No longer asks for key password in registered keys. ** libgnutls: Elliptic curve code was optimized by Ilya Tumaykin. wmNAF is now used for point multiplication and other optimizations. (the major part of the work was done during Google Summer of Code). ** libgnutls: The default pull_timeout_function only uses select instead of a combination of select() and recv() to prevent issues when used in stream sockets in some systems. ** libgnutls: Be tolerant in ECDSA signature violations (e.g. using SHA256 with a SECP384 curve instead of SHA-384), to interoperate with openssl. ** libgnutls: Fixed DSA and ECDSA signature generation in smart cards. Thanks to Andreas Schwier from cardcontact.de for providing me with ECDSA capable smart cards. ** API and ABI modifications: gnutls_sign_algorithm_get: Added gnutls_sign_get_hash_algorithm: Added gnutls_sign_get_pk_algorithm: Added * Version 3.1.0 (released 2012-08-15) ** libgnutls: Added direct support for TPM as a cryptographic module in gnutls/tpm.h. TPM keys can be used in functions accepting files using URLs of the following types: tpmkey:file=/path/to/file tpmkey:uuid=7f468c16-cb7f-11e1-824d-b3a4f4b20343;storage=user ** libgnutls: Priority string level keywords can be combined. For example the string "SECURE256:+SUITEB128" is now allowed. ** libgnutls: requires libnettle 2.5. ** libgnutls: Use the PKCS #1 1.5 encoding provided by nettle (2.5) for encryption and signatures. ** libgnutls: Added GNUTLS_CERT_SIGNATURE_FAILURE to differentiate between generic errors and signature verification errors in the verification functions. ** libgnutls: Added gnutls_pkcs12_simple_parse() as a helper function to simplify parsing in most PKCS #12 use cases. ** libgnutls: gnutls_certificate_set_x509_simple_pkcs12_file() adds the whole certificate chain (if any) to the credentials structure, instead of only the end-user certificate. ** libgnutls: Key import functions such as gnutls_pkcs12_simple_parse() and gnutls_x509_privkey_import_pkcs8(), return consistently GNUTLS_E_DECRYPTION_FAILED if the input structure is encrypted but no password was provided. ** libgnutls: Added gnutls_handshake_set_timeout() a function that allows to set the maximum time spent in a handshake. ** libgnutlsxx: Added session::set_transport_vec_push_function. Patch by Alexandre Bique. ** tpmtool: Added. It is a tool to generate private keys in the TPM. ** gnutls-cli: --benchmark-tls was split to --benchmark-tls-kx and --benchmark-tls-ciphers ** certtool: generated PKCS #12 structures may hold more than one private key. Patch by Lucas Fisher. ** certtool: Added option --null-password to generate/decrypt keys that use a NULL password (in schemas that distinguish between NULL an empty passwords). ** minitasn1: Upgraded to libtasn1 version 2.13. ** API and ABI modifications: GNUTLS_CERT_SIGNATURE_FAILURE: Added GNUTLS_CAMELLIA_192_CBC: Added GNUTLS_PKCS_NULL_PASSWORD: Added gnutls_url_is_supported: Added gnutls_pkcs11_obj_list_import_url2: Added gnutls_pkcs11_obj_set_pin_function: Added gnutls_pkcs11_privkey_set_pin_function: Added gnutls_pkcs11_get_pin_function: Added gnutls_privkey_import_tpm_raw: Added gnutls_privkey_import_tpm_url: Added gnutls_privkey_import_pkcs11_url: Added gnutls_privkey_import_openpgp_raw: Added gnutls_privkey_import_x509_raw: Added gnutls_privkey_import_ext2: Added gnutls_privkey_import_url: Added gnutls_privkey_set_pin_function: Added gnutls_tpm_privkey_generate: Added gnutls_tpm_key_list_deinit: Added gnutls_tpm_key_list_get_url: Added gnutls_tpm_get_registered: Added gnutls_tpm_privkey_delete: Added gnutls_pubkey_import_tpm_raw: Added gnutls_pubkey_import_tpm_url: Added gnutls_pubkey_import_url: Added gnutls_pubkey_verify_hash2: Added gnutls_pubkey_set_pin_function: Added gnutls_x509_privkey_import2: Added gnutls_x509_privkey_import_openssl: Added gnutls_x509_crt_set_pin_function: Added gnutls_load_file: Added gnutls_pkcs12_simple_parse: Added gnutls_certificate_set_x509_system_trust: Added gnutls_certificate_set_pin_function: Added gnutls_x509_trust_list_add_system_trust: Added gnutls_x509_trust_list_add_trust_file: Added gnutls_x509_trust_list_add_trust_mem: Added gnutls_pk_to_sign: Added gnutls_handshake_set_timeout: Added gnutls_pubkey_verify_hash: Deprecated (use gnutls_pubkey_verify_hash2) gnutls_pubkey_verify_data: Deprecated (use gnutls_pubkey_verify_data2) @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.93 2013/04/10 15:09:10 drochner Exp $ d3 3 a5 3 SHA1 (gnutls-3.2.1.tar.xz) = 477118eaffb8f16bd7fd511069c2c5d618f6e400 RMD160 (gnutls-3.2.1.tar.xz) = 1a94b39f2209b9226035f4d90a88a16d3d17898b Size (gnutls-3.2.1.tar.xz) = 5127332 bytes d8 1 a8 1 SHA1 (patch-lib_Makefile.in) = e97a6229381c31be6486a6671a0b34a7b72af981 a9 1 SHA1 (patch-src_benchmark.h) = d1e6801b4b76cfb299be126185616bedf658660a @ 1.93 log @update to 3.0.29 changes: minor fixes @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.92 2013/02/12 13:16:25 drochner Exp $ d3 3 a5 3 SHA1 (gnutls-3.0.29.tar.xz) = d2baf351012f8ccff8e446b2d0bd12839872012a RMD160 (gnutls-3.0.29.tar.xz) = 5fca1e257c43be9965deda35293451c202718325 Size (gnutls-3.0.29.tar.xz) = 4666764 bytes d8 1 d10 1 @ 1.92 log @update to 3.0.28 changes: bugfixes This prevents the recent TLS CBC padding timing attack (CVE-2013-1619). @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.91 2012/11/06 19:01:36 drochner Exp $ d3 3 a5 3 SHA1 (gnutls-3.0.28.tar.xz) = c1a083d9898c2a6448a7695a5a4bf2cea6f28f47 RMD160 (gnutls-3.0.28.tar.xz) = 4b025821451ae03095ee844068dbe43bc6556054 Size (gnutls-3.0.28.tar.xz) = 4636572 bytes @ 1.91 log @update to 3.0.25 changes: --bugfixes -added an OCSP function @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.90 2012/10/10 11:44:31 drochner Exp $ d3 3 a5 3 SHA1 (gnutls-3.0.25.tar.xz) = f0d559812cb132cb74a4eef00181a2c598176add RMD160 (gnutls-3.0.25.tar.xz) = 9af7f5d35f6b0000c06f07e4ec749e9fd663843e Size (gnutls-3.0.25.tar.xz) = 4657300 bytes @ 1.91.2.1 log @Pullup ticket #4074 - requested by drochner security/gnutls: security update Revisions pulled up: - security/gnutls/Makefile 1.123-1.124 - security/gnutls/distinfo 1.92 --- Module Name: pkgsrc Committed By: drochner Date: Tue Jan 15 11:29:21 UTC 2013 Modified Files: pkgsrc/security/gnutls: Makefile Log Message: wants to use pkg-config --- Module Name: pkgsrc Committed By: drochner Date: Tue Feb 12 13:16:25 UTC 2013 Modified Files: pkgsrc/security/gnutls: Makefile distinfo Log Message: update to 3.0.28 changes: bugfixes This prevents the recent TLS CBC padding timing attack (CVE-2013-1619). @ text @d1 1 a1 1 $NetBSD$ d3 3 a5 3 SHA1 (gnutls-3.0.28.tar.xz) = c1a083d9898c2a6448a7695a5a4bf2cea6f28f47 RMD160 (gnutls-3.0.28.tar.xz) = 4b025821451ae03095ee844068dbe43bc6556054 Size (gnutls-3.0.28.tar.xz) = 4636572 bytes @ 1.90 log @update to 3.0.24 changes: -better IPv6 support -bugfixes -minor improvements @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.89 2012/08/09 18:58:11 drochner Exp $ d3 3 a5 3 SHA1 (gnutls-3.0.24.tar.xz) = e3598199ddf341d4b43d46b7a854019661c6bf99 RMD160 (gnutls-3.0.24.tar.xz) = d3bdeeac56e301232eea8848c313b989f99881a1 Size (gnutls-3.0.24.tar.xz) = 4653116 bytes @ 1.89 log @update to 3.0.22 changes: bugfixes @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.88 2012/08/02 09:37:32 jperkin Exp $ d3 3 a5 3 SHA1 (gnutls-3.0.22.tar.xz) = 255fa958d915127a16cb77e4ce5e6eccd6f57505 RMD160 (gnutls-3.0.22.tar.xz) = 307c070659c3bfd04037d879324ace98e02202ca Size (gnutls-3.0.22.tar.xz) = 4613608 bytes @ 1.88 log @Avoid conflict between gets() and std::gets(). Fixes build on at least Solaris. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.87 2012/07/24 18:34:06 drochner Exp $ d3 3 a5 3 SHA1 (gnutls-3.0.21.tar.xz) = 3a64b3b2587803c9e53d54ee9a44bff2b2780a38 RMD160 (gnutls-3.0.21.tar.xz) = 570ac40632b7ba50183118d556ae42a8e685baad Size (gnutls-3.0.21.tar.xz) = 4664124 bytes @ 1.87 log @update to 3.0.21 changes -DTLS improvements -bugfixes @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.86 2012/07/02 18:53:02 drochner Exp $ d7 1 @ 1.86 log @update to 3.0,20 This switches to the new stable release branch. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.80 2011/11/09 18:41:46 drochner Exp $ d3 3 a5 3 SHA1 (gnutls-3.0.20.tar.xz) = 0c65f6a1e669c0fe85ddb2d645078b3bce9d1518 RMD160 (gnutls-3.0.20.tar.xz) = a775877a7dec4e10a5612dc0ebb71d59f78ead39 Size (gnutls-3.0.20.tar.xz) = 4426520 bytes @ 1.85 log @update to 1.12.20 changes: bugfixes: -Fixed memory leak in PKCS #8 key import -Check key identifiers when checking for an issuer pkgsrc note: This is just a last checkpoint on the 2.x branch, in case it will be needed for the Q2 branch. Will update to 3.x RSN. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.84 2012/05/30 06:51:37 adam Exp $ d3 4 a6 8 SHA1 (gnutls-2.12.20.tar.bz2) = a8a7bb1f51b4da45d32242bd2e843ab3a66f63f6 RMD160 (gnutls-2.12.20.tar.bz2) = 8b9fca72136113f250296e7399644b8aaa3503ed Size (gnutls-2.12.20.tar.bz2) = 7231438 bytes SHA1 (patch-ab) = 49de2419935972f958acacdffec32388986f1ea0 SHA1 (patch-ae) = cadc476a6a120390c3c2792b52dd02d27a3884e6 SHA1 (patch-af) = 321c3488dd383a09dd95f6a15f50b9f54f6aa5fc SHA1 (patch-ai) = 2c5c181ec6de9622cac66c2d5fe2cc8f3f89fbe8 SHA1 (patch-lib_configure) = 7ae3ff8af52648fa132154ced88c31b7ecc1eb32 @ 1.84 log @Changes 2.12.19: * libgnutls: When decoding a PKCS #11 URL the pin-source field is assumed to be a file that stores the pin. * libgnutls: Added strict tests in Diffie-Hellman and SRP key exchange public keys. * minitasn1: Upgraded to libtasn1 version 2.13 (pre-release). @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.83 2012/04/17 17:53:01 drochner Exp $ d3 3 a5 3 SHA1 (gnutls-2.12.19.tar.bz2) = 643620216ba54b195e41e29abfdcc31125f92d25 RMD160 (gnutls-2.12.19.tar.bz2) = 077d62ab00780a6798cee92e80d542f1e74891f2 Size (gnutls-2.12.19.tar.bz2) = 7208159 bytes @ 1.83 log @update to 2.12.18 changes: -Corrected SRP-RSA ciphersuites when used under TLS 1.2 -Fixed leaks in key generation @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.82 2012/03/15 16:41:48 adam Exp $ d3 3 a5 3 SHA1 (gnutls-2.12.18.tar.bz2) = cd5cf0932575b758ad3ee89952763a8395ea4af0 RMD160 (gnutls-2.12.18.tar.bz2) = c5c5bb91f374edd7bfa63c2b2b19ea7606353d17 Size (gnutls-2.12.18.tar.bz2) = 7207965 bytes @ 1.82 log @Changes 2.12.17: * libgnutls: Corrections in record packet parsing. * libgnutls: Fixes in SRP authentication. * libgnutls: Added function to force explicit reinitialization of PKCS 11 modules. This is required on the child process after a fork. * libgnutls: PKCS 11 objects that do not have ID no longer crash listing. * API and ABI modifications: gnutls_pkcs11_reinit: Added @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.81 2012/01/17 14:54:19 drochner Exp $ d3 3 a5 3 SHA1 (gnutls-2.12.17.tar.bz2) = 9d871ea0ee2b8b440021cf6d5bbe87ba89754269 RMD160 (gnutls-2.12.17.tar.bz2) = 71fda67352ba8466a24809b136d434db4fe03d1d Size (gnutls-2.12.17.tar.bz2) = 7207831 bytes @ 1.81 log @update to 2.12.16 changes: bugfixes @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.80 2011/11/09 18:41:46 drochner Exp $ d3 3 a5 3 SHA1 (gnutls-2.12.16.tar.bz2) = 2d0857f7896597185b19d2861a2eb378e5d310fb RMD160 (gnutls-2.12.16.tar.bz2) = 447212115b6b39a6d52cc6b441dc3bf15e69789a Size (gnutls-2.12.16.tar.bz2) = 7167795 bytes @ 1.80 log @update to 2.12.14 This fixes a Possible buffer overflow/Denial of service problem (CVE-2011-4128) @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.79 2011/10/30 18:07:56 drochner Exp $ d3 3 a5 3 SHA1 (gnutls-2.12.14.tar.bz2) = e5680f78ee51ff9ebb9749b39504d3e981a19242 RMD160 (gnutls-2.12.14.tar.bz2) = 855c89c46898e7b934a8f6b7466d3089031c9f9a Size (gnutls-2.12.14.tar.bz2) = 7166618 bytes @ 1.79 log @update to 2.12.12 changes: minor fixes and cleanup @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.78 2011/10/06 17:56:25 drochner Exp $ d3 3 a5 3 SHA1 (gnutls-2.12.12.tar.bz2) = 6c87591705b21f7cae845ecdae158a6c5d8f2847 RMD160 (gnutls-2.12.12.tar.bz2) = d0e26b56c44e363f95871c5e80359fab20176b25 Size (gnutls-2.12.12.tar.bz2) = 7195302 bytes @ 1.78 log @update to 2.12.11 changes: bugfixes @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.77 2011/09/12 17:31:40 drochner Exp $ d3 3 a5 3 SHA1 (gnutls-2.12.11.tar.bz2) = 30c8977c3f32b48e523e09cb8ce8952d80520a4f RMD160 (gnutls-2.12.11.tar.bz2) = d8892c8ab44a69e45d43125fd653c25e62d1fb9d Size (gnutls-2.12.11.tar.bz2) = 7162654 bytes @ 1.77 log @update to 2.12.10 changes: bugfixes @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.76 2011/08/22 15:14:58 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-2.12.10.tar.bz2) = 52ed0bfa3dc7900f8da22f29eaace6ec34439223 RMD160 (gnutls-2.12.10.tar.bz2) = d1151b1c421cd2b66bd6363f26e0a135b6cff984 Size (gnutls-2.12.10.tar.bz2) = 7253056 bytes @ 1.76 log @Update to 2.12.9: * Version 2.12.9 (released 2011-08-21) ** libgnutls-extra: Replaced enumeration with unsigned int, in openssl.h to make it identical to the 3.0.0 version. This shouldn't introduce binary incompatibility. ** libgnutls: When asking for a PIN multiple times, the flags in the callback were not being updated to reflect for PIN low count or final try. ** API and ABI modifications: GNUTLS_PKCS11_PIN_WRONG: New flag for PIN callback @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.75 2011/08/11 11:03:35 adam Exp $ d3 3 a5 3 SHA1 (gnutls-2.12.9.tar.bz2) = 9a775466d5bf6976e77e5f659d136e0a4733a58a RMD160 (gnutls-2.12.9.tar.bz2) = 6fab89f4cf5678ec36166a0137b5a426bb62eac8 Size (gnutls-2.12.9.tar.bz2) = 7151185 bytes @ 1.75 log @Changes 2.12.8: * libgnutls: PKCS-11 back-end was replaced by p11-kit * libgnutls: gcrypt: replaced occurences of gcry_sexp_nth_mpi (..., 0) with gcry_sexp_nth_mpi (..., GCRYMPI_FMT_USG) to fix errors with 1.5.0. * libgnutls: Verify that a certificate liste specified using gnutls_certificate_set_x509_key*(), is sorted according to TLS specification * libgnutls: Added GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED flag for gnutls_x509_crt_list_import. It checks whether the list to be imported is properly sorted. * libgnutls: writev_emu: stop on the first incomplete write. * libgnutls: Fix zlib handling in gnutls.pc. * certtool: bug fixes in certificate request generation. * API and ABI modifications: GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED: New element in gnutls_certificate_import_flags @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.74 2011/07/11 16:10:29 drochner Exp $ d3 3 a5 3 SHA1 (gnutls-2.12.8.tar.bz2) = b250d3ddf3fafe69916f248d7ba909ae92022a35 RMD160 (gnutls-2.12.8.tar.bz2) = 0fc7abac111629fa3f3794ca2d5b1b72972dde00 Size (gnutls-2.12.8.tar.bz2) = 7153363 bytes d10 1 a10 1 SHA1 (patch-lib_configure) = 26b1f6c0cf6dd8af27fb1d27513c0d007f7b0da6 @ 1.74 log @update to 2.12.7 changes: -bugfixes -minor feature additions pkgsrc change: since the pkg was changed to build against "nettle" instead of libgcrypt (whether this was a good idea or not...), the latter isn't needed anymore, so remove the stale dependency This can cause build breakage -- in this case addition of a local dependency should restore the old state. (This dependency is technically unnecessary often, but the assumption that gnutls needs libgcrypt is sometimes hardwired in configure scripts and/or code.) @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.73 2011/05/02 09:27:43 obache Exp $ d3 3 a5 3 SHA1 (gnutls-2.12.7.tar.bz2) = 41943d8f8648072a8e6a40cb213c91acf0451937 RMD160 (gnutls-2.12.7.tar.bz2) = dd1043938087add3ce5e48e6253b5c5cc8140468 Size (gnutls-2.12.7.tar.bz2) = 7153031 bytes d10 1 a10 1 SHA1 (patch-lib_configure) = a3a64d0aed1929d3b4edf91d48f213da23269027 @ 1.73 log @Add a patch for lack of posix standard AF_LOCAL, fall back to AF_UNIX. for PR#44924. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.72 2011/04/27 16:56:43 tnn Exp $ d3 3 a5 3 SHA1 (gnutls-2.12.3.tar.bz2) = 1799bdea6b373e312b055fa7caf06effecb9c033 RMD160 (gnutls-2.12.3.tar.bz2) = f405a971df1e3773f26b854028b11727b28162b6 Size (gnutls-2.12.3.tar.bz2) = 7021290 bytes @ 1.72 log @"pkg-config --cflags gnutls" failed with: Package zlib was not found in the pkg-config search path. ... there is no zlib.pc, so comment out the part of the configure script that adds that to the pkg-config file. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.71 2011/04/26 10:35:29 adam Exp $ d11 1 @ 1.71 log @Changes 2.12.3: * libgnutls: Several minor bugfixes. * libgnutls: Restored HMAC-MD5 for compatibility. Although considered weak, several sites require it for connection. It is enabled for "NORMAL" and "PERFORMANCE" priority strings. * libgnutls: depend on libdl. * libgnutls: gnutls_transport_set_global_errno() was deprecated. Use your system's errno fascility or gnutls_transport_set_errno(). * gnutls-cli: Correction with usage of select to check for pending data in gnutls sessions. It now uses gnutls_record_check_pending(). * tests: More fixes and updates for win32. Patches by LRN. * libgnutls: Several files unnecessarily included ; this has been fixed. ** API and ABI modifications: gnutls_transport_set_global_errno: DEPRECATED Changes 2.12.2: * libgnutls: Several updates and fixes for win32. Patches by LRN. * libgnutls: Several bug and memory leak fixes. * srptool: Accepts the -d option to enable debugging. * libgnutls: Corrected bug in gnutls_srp_verifier() that prevented the allocation of a verifier. Reported by Andrew Wiseman. Changes 2.12.1: * certtool: Generated certificate request with stricter permissions. * libgnutls: Bug fixes in opencdk code. Reported by Vitaly Kruglikov. * libgnutls: Corrected windows system_errno() function prototype. * libgnutls: C++ compatibility fix for compat.h. Reported by Mark Brand. * libgnutls: Fix size of gnutls_openpgp_keyid_t by using the GNUTLS_OPENPGP_KEYID_SIZE definition. Reported by Andreas Metzler. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.70 2011/03/09 10:52:25 drochner Exp $ d10 1 @ 1.70 log @fix installed pkgconfig .pc file: Don't refer to zlib.pc -- this fails with system libz. We propagate a dependency per bl3 file, this should be sufficient. bump PKGREV @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.69 2011/03/07 13:45:34 adam Exp $ d3 6 a8 7 SHA1 (gnutls-2.10.5.tar.bz2) = 4530657082a0e754356de89a5529d1ad7a18e777 RMD160 (gnutls-2.10.5.tar.bz2) = 4bc886ced90742a488e00c1884e6124b37047382 Size (gnutls-2.10.5.tar.bz2) = 7287913 bytes SHA1 (patch-aa) = 45052cfc70becf7ab1e4aa880bea4fb904ddf16f SHA1 (patch-ab) = 43d53ae8f51491a0d300463df1ccd3445581e8b5 SHA1 (patch-ae) = f505476ce0477dc547e8698d205d6ba26fe85f48 SHA1 (patch-af) = bd4701640dfef5bfdce87d620befd93098b0dff3 a9 1 SHA1 (patch-aj) = 46fc301de8fec82b5296f0c708bd7cf734b69e72 @ 1.69 log @Changes 2.10.5: * libgnutls: Corrected verification of finished messages. * libgnutls: Corrected signature generation and verification in the Certificate Verify message when in TLS 1.2. * pkg-config gnutls.pc improvements. * API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.68 2010/12/13 16:03:20 tron Exp $ d11 1 @ 1.68 log @Get this close to build under Mac OS X by removing some horrible use of the C pre-processor. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.67 2010/12/12 11:58:53 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-2.10.4.tar.bz2) = f0dcd7b68748b48d7b945c52b6a9e64d643e4b58 RMD160 (gnutls-2.10.4.tar.bz2) = 82c3722082a35292d99ccc8cb12023244506c9cf Size (gnutls-2.10.4.tar.bz2) = 7288167 bytes @ 1.67 log @Update to 2.10.4: * Version 2.10.4 (released 2010-12-06) ** gnutls-serv: Corrected a buffer overflow. Reported and patch by Tomas Mraz. ** libgnutls: Use ASN1_NULL when writing parameters for RSA signatures. This makes us comply with RFC3279. Reported by Michael Rommel. ** libgnutls: Reverted default behavior for verification and introduced GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT. Thus by default V1 trusted CAs are allowed, unless the new flag is specified. ** minitasn1: Updated to Libtasn1 2.9. ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.66 2010/11/26 17:56:14 drochner Exp $ d6 1 @ 1.66 log @update to 2.10.3 changes: bugfixes @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.65 2010/10/16 16:43:42 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-2.10.3.tar.bz2) = b17b23d462ecf829f3b9aff3248d25d4979ebe4f RMD160 (gnutls-2.10.3.tar.bz2) = 70566eab9cc9657fc5408525c0067352376b4c4f Size (gnutls-2.10.3.tar.bz2) = 6633204 bytes @ 1.65 log @Update to 2.10.2: * Version 2.10.2 (released 2010-09-30) ** Use Libtool 2.2.10 to ease MinGW64 builds. ** libgnutls: Add new extended key usage ipsecIKE. ** libgnutls: Is now more liberal in the PEM decoding. That is spaces and tabs are being skipped. ** libgnutls: Renamed NULL MAC to MAC-NULL to prevent clash with NULL cipher. This prevented the usage of the TLS ciphersuites with NULL cipher. See . ** libgnutls: The %COMPAT flag now allows larger records that violate the TLS spec. ** libgnutls: Fix asynchronous API handling. The code was clearing session hash data on EAGAIN. Problem reported by Sjoerd Simons and Vivek Dasmohapatra . See . ** gnutls-cli: Flush stdout/stderr before removing buffering. Reported by Knut Anders Hatlen see . @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.64 2010/09/01 16:32:17 drochner Exp $ d3 3 a5 3 SHA1 (gnutls-2.10.2.tar.bz2) = 2704b7b86fc5e3444afcf20feb7bc9ff117d4816 RMD160 (gnutls-2.10.2.tar.bz2) = 21249b1ab9e2952bd65c7039e0a833837934c108 Size (gnutls-2.10.2.tar.bz2) = 7458438 bytes a9 1 SHA1 (patch-am) = d5fbc2ef0ad39b55a723dc0873f6095820a92538 @ 1.64 log @update to 2.10.1 many fixes and API extensions, but still binary compatible afaict @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.63 2010/04/13 16:31:27 drochner Exp $ d3 3 a5 3 SHA1 (gnutls-2.10.1.tar.bz2) = 507ff8ad7c1e042f8ecaa4314f32777e74caf0d3 RMD160 (gnutls-2.10.1.tar.bz2) = c7f9ca00f326f93331b139af34f3dd5d2db43626 Size (gnutls-2.10.1.tar.bz2) = 7442084 bytes @ 1.63 log @update to 2.8.6 changes: -interoperability improvements (especially for VeriSign) -misc fixes -translation updates @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.62 2009/11/03 00:15:41 wiz Exp $ d3 4 a6 4 SHA1 (gnutls-2.8.6.tar.bz2) = bff911d4fd7389aa6698a644b3748eb2d23715bc RMD160 (gnutls-2.8.6.tar.bz2) = 1cfda29a60df3b032b8b611e4341c2e834bb26b2 Size (gnutls-2.8.6.tar.bz2) = 6469369 bytes SHA1 (patch-ab) = 4b6801f6c8f00b8da8e78f7277450c6f53366fb4 d10 1 a10 3 SHA1 (patch-aj) = 55187c2a07d67f789678b1a404c6b119b311fc82 SHA1 (patch-ak) = f2f4e6f1c6f937eca67235cb01aff1b32cbe4fd8 SHA1 (patch-al) = f1c9def7d8150d93e14678b1acdbbc1534099452 @ 1.62 log @Update to 2.8.5: * Version 2.8.5 (released 2009-11-02) ** libgnutls: In server side when resuming a session do not overwrite the ** initial session data with the resumed session data. ** libgnutls: Fix PKCS#12 encoding. The error you would get was "The OID is not supported.". Problem introduced for the v2.8.x branch in 2.7.6. ** guile: Compatibility with guile 2.x. By Ludovic Courtes . ** tests: Fix expired cert in chainverify self-test. ** tests: Fix time bomb in chainverify self-test. Reported by Andreas Metzler in . ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.61 2009/10/31 01:16:42 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-2.8.5.tar.bz2) = 5121c52efd4718ad3d8b641d28343b0c6abaa571 RMD160 (gnutls-2.8.5.tar.bz2) = f160b8b413ae7e0b9243135fd8ffd0dd350d1504 Size (gnutls-2.8.5.tar.bz2) = 6196862 bytes @ 1.61 log @Update to 2.8.4: * Version 2.8.4 (released 2009-09-18) ** libgnutls: Enable Camellia ciphers by default. ** libgnutls: Make OpenPGP hostname checking work again. The patch to resolve the X.509 CN/SAN issue accidentally broken OpenPGP hostname comparison. ** libgnutls: When printing X.509 certificates, handle XMPP SANs better. Reported by Howard Chu in . ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.60 2009/08/13 18:56:32 snj Exp $ d3 3 a5 3 SHA1 (gnutls-2.8.4.tar.bz2) = 27bea240164b9287807543387682c7052f7318c2 RMD160 (gnutls-2.8.4.tar.bz2) = f9236b3adf8ea3e747e1fb84d0ed19ae3294a522 Size (gnutls-2.8.4.tar.bz2) = 6193111 bytes @ 1.60 log @Update to 2.8.3. Changes: * Version 2.8.3 (released 2009-08-13) ** libgnutls: Fix patch for NUL in CN/SAN in last release. Code intended to be removed would lead to an read-out-bound error in some situations. Reported by Tomas Hoger . A CVE code have been allocated for the vulnerability: [CVE-2009-2730]. ** libgnutls: Fix rare failure in gnutls_x509_crt_import. The function may fail incorrectly when an earlier certificate was imported to the same gnutls_x509_crt_t structure. ** libgnutls-extra, libgnutls-openssl: Fix MinGW cross-compiling build error. ** tests: Made self-test mini-eagain take less time. ** doc: Typo fixes. ** API and ABI modifications: No changes since last version. * Version 2.8.2 (released 2009-08-10) ** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields. By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS into 1) not printing the entire CN/SAN field value when printing a certificate and 2) cause incorrect positive matches when matching a hostname against a certificate. Some CAs apparently have poor checking of CN/SAN values and issue these (arguable invalid) certificates. Combined, this can be used by attackers to become a MITM on server-authenticated TLS sessions. The problem is mitigated since attackers needs to get one certificate per site they want to attack, and the attacker reveals his tracks by applying for a certificate at the CA. It does not apply to client authenticated TLS sessions. Research presented independently by Dan Kaminsky and Moxie Marlinspike at BlackHat09. Thanks to Tomas Hoger for providing one part of the patch. [GNUTLS-SA-2009-4]. ** libgnutls: Fix return value of gnutls_certificate_client_get_request_status. Before it always returned false. Reported by Peter Hendrickson in . ** libgnutls: Fix off-by-one size computation error in unknown DN printing. The error resulted in truncated strings when printing unknown OIDs in X.509 certificate DNs. Reported by Tim Kosse in . ** libgnutls: Return correct bit lengths of some MPIs. gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and gnutls_dh_get_peers_public_bits. Before the reported value was overestimated. Reported by Peter Hendrickson in . ** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN. Report and patch by Tim Kosse in and . ** libgnutls: Relax checking of required libtasn1/libgcrypt versions. Before we required that the runtime library used the same (or more recent) libgcrypt/libtasn1 as it was compiled with. Now we just check that the runtime usage is above the minimum required. Reported by Marco d'Itri via Andreas Metzler in . ** minitasn1: Internal copy updated to libtasn1 v2.3. ** tests: Fix failure in "chainverify" because a certificate have expired. ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.59 2009/07/22 16:50:07 drochner Exp $ d3 3 a5 3 SHA1 (gnutls-2.8.3.tar.bz2) = c25fb354258777f9ee34b79b08eb87c024cada75 RMD160 (gnutls-2.8.3.tar.bz2) = 01763fad93e4b76e18dcfb1881c5f09011804dca Size (gnutls-2.8.3.tar.bz2) = 6198273 bytes @ 1.59 log @disable the openssl compatibility library -- no pkg I know of needs it, and it only has a potential to conflict with the real openssl (bad things will happen if a program links or dlopen()s both) bump PKGREVISION (the bug fixed in the added patches is already fixed upstream, will be in the next release) @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.58 2009/07/18 10:32:32 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-2.8.1.tar.bz2) = b5fd364848709393d05def7e926caddd27169525 RMD160 (gnutls-2.8.1.tar.bz2) = 3b0d7a80a60dfc3222357d2c83a7ec32bd2c8e33 Size (gnutls-2.8.1.tar.bz2) = 6178662 bytes d11 2 a12 2 SHA1 (patch-ak) = ba01d607e6fad2108aed0ba2ef4a7c1168b42048 SHA1 (patch-al) = 5b2e6bab1bc91b6e508915b984dcfa4e6030a8a6 @ 1.58 log @Update to 2.8.1: * Version 2.8.1 (released 2009-06-10) ** libgnutls: Fix crash in gnutls_global_init after earlier init/deinit cycle. Forwarded by Martin von Gagern from . ** libgnutls: Fix PKCS#12 decryption from password. The encryption key derived from the password was incorrect for (on average) 1 in every 128 input for random inputs. Reported by "Kukosa, Tomas" in . ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.57 2009/06/18 10:19:47 drochner Exp $ d11 2 @ 1.57 log @Don't build in the doc/examples subdir, as suggested by Joern Clausen in PRs pkg/39612 and pkg/41610. The examples are not installed anyway, and this way build problems on Solaris are avoided. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.56 2009/06/17 17:54:46 drochner Exp $ d3 3 a5 3 SHA1 (gnutls-2.8.0.tar.bz2) = 7c102253bb4e817f393b9979a62c647010312eac RMD160 (gnutls-2.8.0.tar.bz2) = ad9d356ab55567ffc65c7fa4f48d8594a1cd5981 Size (gnutls-2.8.0.tar.bz2) = 6177498 bytes @ 1.57.2.1 log @Pullup ticket 2874 - requested by tron security update Revisions pulled up: - pkgsrc/security/gnutls/Makefile 1.86 - pkgsrc/security/gnutls/PLIST 1.36 - pkgsrc/security/gnutls/distinfo 1.60 Files added: pkgsrc/security/gnutls/patches/patch-ak 1.2 pkgsrc/security/gnutls/patches/patch-al 1.2 Module Name: pkgsrc Committed By: wiz Date: Sat Jul 18 10:32:32 UTC 2009 Modified Files: pkgsrc/security/gnutls: Makefile distinfo Log Message: Update to 2.8.1: * Version 2.8.1 (released 2009-06-10) ** libgnutls: Fix crash in gnutls_global_init after earlier init/deinit cyc= le. Forwarded by Martin von Gagern from . ** libgnutls: Fix PKCS#12 decryption from password. The encryption key derived from the password was incorrect for (on average) 1 in every 128 input for random inputs. Reported by "Kukosa, Tomas" in . ** API and ABI modifications: No changes since last version. To generate a diff of this commit: cvs rdiff -u -r1.83 -r1.84 pkgsrc/security/gnutls/Makefile cvs rdiff -u -r1.57 -r1.58 pkgsrc/security/gnutls/distinfo ---------------------------------------------------------------------- Module Name: pkgsrc Committed By: drochner Date: Wed Jul 22 16:50:07 UTC 2009 Modified Files: pkgsrc/security/gnutls: Makefile PLIST distinfo Added Files: pkgsrc/security/gnutls/patches: patch-ak patch-al Log Message: disable the openssl compatibility library -- no pkg I know of needs it, and it only has a potential to conflict with the real openssl (bad things will happen if a program links or dlopen()s both) bump PKGREVISION (the bug fixed in the added patches is already fixed upstream, will be in the next release) To generate a diff of this commit: cvs rdiff -u -r1.84 -r1.85 pkgsrc/security/gnutls/Makefile cvs rdiff -u -r1.35 -r1.36 pkgsrc/security/gnutls/PLIST cvs rdiff -u -r1.58 -r1.59 pkgsrc/security/gnutls/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/security/gnutls/patches/patch-ak \ pkgsrc/security/gnutls/patches/patch-al ---------------------------------------------------------------------- Module Name: pkgsrc Committed By: snj Date: Thu Aug 13 18:56:32 UTC 2009 Modified Files: pkgsrc/security/gnutls: Makefile distinfo pkgsrc/security/gnutls/patches: patch-ak patch-al Log Message: Update to 2.8.3. Changes: * Version 2.8.3 (released 2009-08-13) ** libgnutls: Fix patch for NUL in CN/SAN in last release. Code intended to be removed would lead to an read-out-bound error in some situations. Reported by Tomas Hoger . A CVE code have been allocated for the vulnerability: [CVE-2009-2730]. ** libgnutls: Fix rare failure in gnutls_x509_crt_import. The function may fail incorrectly when an earlier certificate was imported to the same gnutls_x509_crt_t structure. ** libgnutls-extra, libgnutls-openssl: Fix MinGW cross-compiling build error. ** tests: Made self-test mini-eagain take less time. ** doc: Typo fixes. ** API and ABI modifications: No changes since last version. * Version 2.8.2 (released 2009-08-10) ** libgnutls: Fix problem with NUL bytes in X.509 CN and SAN fields. By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS into 1) not printing the entire CN/SAN field value when printing a certificate and 2) cause incorrect positive matches when matching a hostname against a certificate. Some CAs apparently have poor checking of CN/SAN values and issue these (arguable invalid) certificates. Combined, this can be used by attackers to become a MITM on server-authenticated TLS sessions. The problem is mitigated since attackers needs to get one certificate per site they want to attack, and the attacker reveals his tracks by applying for a certificate at the CA. It does not apply to client authenticated TLS sessions. Research presented independently by Dan Kaminsky and Moxie Marlinspike at BlackHat09. Thanks to Tomas Hoger for providing one part of the patch. [GNUTLS-SA-2009-4]. ** libgnutls: Fix return value of gnutls_certificate_client_get_request_sta= tus. Before it always returned false. Reported by Peter Hendrickson in . ** libgnutls: Fix off-by-one size computation error in unknown DN printing. The error resulted in truncated strings when printing unknown OIDs in X.509 certificate DNs. Reported by Tim Kosse in . ** libgnutls: Return correct bit lengths of some MPIs. gnutls_dh_get_prime_bits, gnutls_rsa_export_get_modulus_bits, and gnutls_dh_get_peers_public_bits. Before the reported value was overestimated. Reported by Peter Hendrickson in . ** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN. Report and patch by Tim Kosse in and . ** libgnutls: Relax checking of required libtasn1/libgcrypt versions. Before we required that the runtime library used the same (or more recent) libgcrypt/libtasn1 as it was compiled with. Now we just check that the runtime usage is above the minimum required. Reported by Marco d'Itri via Andreas Metzler in . ** minitasn1: Internal copy updated to libtasn1 v2.3. ** tests: Fix failure in "chainverify" because a certificate have expired. ** API and ABI modifications: No changes since last version. To generate a diff of this commit: cvs rdiff -u -r1.85 -r1.86 pkgsrc/security/gnutls/Makefile cvs rdiff -u -r1.59 -r1.60 pkgsrc/security/gnutls/distinfo cvs rdiff -u -r1.1 -r1.2 pkgsrc/security/gnutls/patches/patch-ak \ pkgsrc/security/gnutls/patches/patch-al @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.60 2009/08/13 18:56:32 snj Exp $ d3 3 a5 3 SHA1 (gnutls-2.8.3.tar.bz2) = c25fb354258777f9ee34b79b08eb87c024cada75 RMD160 (gnutls-2.8.3.tar.bz2) = 01763fad93e4b76e18dcfb1881c5f09011804dca Size (gnutls-2.8.3.tar.bz2) = 6198273 bytes a10 2 SHA1 (patch-ak) = f2f4e6f1c6f937eca67235cb01aff1b32cbe4fd8 SHA1 (patch-al) = f1c9def7d8150d93e14678b1acdbbc1534099452 @ 1.56 log @fix build for systems without sys/ioctl.h (as Solaris 10), addresses the first half of PR pkg/41610 by Joern Clausen @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.55 2009/06/09 18:56:37 wiz Exp $ d6 1 a6 1 SHA1 (patch-ab) = 17605f0d3b1895c1c63c8dabc21bdebf95eb7785 @ 1.55 log @Update to 2.8.0: * Version 2.8.0 (released 2009-05-27) ** doc: Fix gnutls_dh_get_prime_bits. Fix error codes and algorithm lists. ** Major changes compared to the v2.4 branch: *** lib: Linker version scripts reduces number of exported symbols. *** lib: Limit exported symbols on systems without LD linker scripts. *** libgnutls: Fix namespace issue with version symbols. *** libgnutls: Add functions to verify a hash against a certificate. gnutls_x509_crt_verify_hash: ADDED gnutls_x509_crt_get_verify_algorithm: ADDED *** gnutls-serv: Listen on all interfaces, including both IPv4 and IPv6. *** i18n: The GnuTLS gettext domain is now 'libgnutls' instead of 'gnutls'. *** certtool: Query for multiple dnsName subjectAltName in interactive mode. *** gnutls-cli: No longer accepts V1 CAs by default during X.509 chain verify. *** gnutls-serv: No longer disable MAC padding by default. *** gnutls-cli: Certificate information output format changed. *** libgnutls: New priority strings %VERIFY_ALLOW_SIGN_RSA_MD5 *** and %VERIFY_ALLOW_X509_V1_CA_CRT. *** libgnutls: gnutls_x509_crt_print prints signature algorithm in oneline mode. *** libgnutls: gnutls_openpgp_crt_print supports oneline mode. *** libgnutls: gnutls_handshake when sending client hello during a rehandshake, will not offer a version number larger than the current. *** libgnutls: New interface to get key id for certificate requests. gnutls_x509_crq_get_key_id: ADDED. *** libgnutls: gnutls_x509_crq_print will now also print public key id. *** certtool: --verify-chain now prints results of using library verification. *** libgnutls: Libgcrypt initialization changed. *** libgnutls: Small byte reads via gnutls_record_recv() optimized. *** gnutls-cli: Return non-zero exit code on error conditions. *** gnutls-cli: Corrected bug which caused a rehandshake request to be ignored. *** certtool: allow setting arbitrary key purpose object identifiers. *** libgnutls: Change detection of when to use a linker version script. Use --enable-ld-version-script or --disable-ld-version-script to override auto-detection logic. *** Fix warnings and build GnuTLS with more warnings enabled. *** New API to set X.509 credentials from PKCS#12 memory structure. gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED *** Old libgnutls.m4 and libgnutls-config scripts removed. Please use pkg-config instead. *** libgnutls: Added functions to handle CRL extensions. gnutls_x509_crl_get_authority_key_id: ADDED gnutls_x509_crl_get_number: ADDED gnutls_x509_crl_get_extension_oid: ADDED gnutls_x509_crl_get_extension_info: ADDED gnutls_x509_crl_get_extension_data: ADDED gnutls_x509_crl_set_authority_key_id: ADDED gnutls_x509_crl_set_number: ADDED *** libgnutls: Added functions to handle X.509 extensions in Certificate Requests. gnutls_x509_crq_get_key_rsa_raw: ADDED gnutls_x509_crq_get_attribute_info: ADDED gnutls_x509_crq_get_attribute_data: ADDED gnutls_x509_crq_get_extension_info: ADDED gnutls_x509_crq_get_extension_data: ADDED gnutls_x509_crq_get_key_usage: ADDED gnutls_x509_crq_get_basic_constraints: ADDED gnutls_x509_crq_get_subject_alt_name: ADDED gnutls_x509_crq_get_subject_alt_othername_oid: ADDED gnutls_x509_crq_get_extension_by_oid: ADDED gnutls_x509_crq_set_subject_alt_name: ADDED gnutls_x509_crq_set_basic_constraints: ADDED gnutls_x509_crq_set_key_usage: ADDED gnutls_x509_crq_get_key_purpose_oid: ADDED gnutls_x509_crq_set_key_purpose_oid: ADDED gnutls_x509_crq_print: ADDED gnutls_x509_crt_set_crq_extensions: ADDED *** certtool: Print and set CRL and CRQ extensions. *** minitasn1: Internal copy updated to libtasn1 v2.1. *** examples: Now released into the public domain. *** The Texinfo and GTK-DOC manuals were improved. *** Several self-tests were added and others improved. *** API/ABI changes in GnuTLS 2.8 compared to GnuTLS 2.6.x No offically supported interfaces have been modified or removed. The library should be completely backwards compatible on both the source and binary level. The shared library no longer exports some symbols that have never been officially supported, i.e., not mentioned in any of the header files. The symbols are: _gnutls* gnutls_asn1_tab Normally when symbols are removed, the shared library version has to be incremented. This leads to a significant cost for everyone using the library. Because none of the above symbols have ever been intended for use by well-behaved applications, we decided that the it would be better for those applications to pay the price rather than incurring problems on the majority of applications. If it turns out that applications have been using unofficial interfaces, we will need to release a follow-on release on the v2.8 branch to exports additional interfaces. However, initial testing suggests that few if any applications have been using any of the internal symbols. Although not a new change compared to 2.6.x, we'd like to remind you interfaces have been modified so that X.509 chain verification now also checks activation/expiration times on certificates. The affected functions are: gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times. gnutls_certificate_verify_peers: Likewise. gnutls_certificate_verify_peers2: Likewise. GNUTLS_CERT_NOT_ACTIVATED: ADDED. GNUTLS_CERT_EXPIRED: ADDED. GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED. This change in behaviour was made during the GnuTLS 2.6.x cycle, and we gave our rationale for it in earlier release notes. The following symbols have been added to the library: gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED gnutls_x509_crl_get_authority_key_id: ADDED gnutls_x509_crl_get_extension_data: ADDED gnutls_x509_crl_get_extension_info: ADDED gnutls_x509_crl_get_extension_oid: ADDED gnutls_x509_crl_get_number: ADDED gnutls_x509_crl_set_authority_key_id: ADDED gnutls_x509_crl_set_number: ADDED gnutls_x509_crq_get_attribute_data: ADDED gnutls_x509_crq_get_attribute_info: ADDED gnutls_x509_crq_get_basic_constraints: ADDED gnutls_x509_crq_get_extension_by_oid: ADDED gnutls_x509_crq_get_extension_data: ADDED gnutls_x509_crq_get_extension_info: ADDED gnutls_x509_crq_get_key_id: ADDED. gnutls_x509_crq_get_key_purpose_oid: ADDED gnutls_x509_crq_get_key_rsa_raw: ADDED gnutls_x509_crq_get_key_usage: ADDED gnutls_x509_crq_get_subject_alt_name: ADDED gnutls_x509_crq_get_subject_alt_othername_oid: ADDED gnutls_x509_crq_print: ADDED gnutls_x509_crq_set_basic_constraints: ADDED gnutls_x509_crq_set_key_purpose_oid: ADDED gnutls_x509_crq_set_key_usage: ADDED gnutls_x509_crq_set_subject_alt_name: ADDED gnutls_x509_crt_get_verify_algorithm: ADDED gnutls_x509_crt_set_crq_extensions: ADDED gnutls_x509_crt_verify_hash: ADDED The following interfaces have been added to the header files: GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_VERSION. GNUTLS_VERSION_MAJOR: ADDED, replaces LIBGNUTLS_VERSION_MAJOR. GNUTLS_VERSION_MINOR: ADDED, replaces LIBGNUTLS_VERSION_MINOR. GNUTLS_VERSION_PATCH: ADDED, replaces LIBGNUTLS_VERSION_PATCH. GNUTLS_VERSION_NUMBER: ADDED, replaces LIBGNUTLS_VERSION_NUMBER. GNUTLS_EXTRA_VERSION: ADDED, replaces LIBGNUTLS_EXTRA_VERSION. The following interfaces have been deprecated: LIBGNUTLS_VERSION: DEPRECATED. LIBGNUTLS_VERSION_MAJOR: DEPRECATED. LIBGNUTLS_VERSION_MINOR: DEPRECATED. LIBGNUTLS_VERSION_PATCH: DEPRECATED. LIBGNUTLS_VERSION_NUMBER: DEPRECATED. LIBGNUTLS_EXTRA_VERSION: DEPRECATED. * Version 2.7.14 (released 2009-05-26) ** libgnutls: Fix namespace issue with version symbol for libgnutls-extra. The symbol LIBGNUTLS_EXTRA_VERSION were renamed to GNUTLS_EXTRA_VERSION. The old symbol will continue to work but is deprecated. ** Doc: Several typo fixes in documentation. Reported by Peter Hendrickson . ** API and ABI modifications: GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_EXTRA_VERSION. LIBGNUTLS_EXTRA_VERSION: DEPRECATED. * Version 2.7.13 (released 2009-05-25) ** libgnutls: Fix version of some exported symbols in the shared library. Reported by Andreas Metzler in . ** tests: Handle recently expired certificates in chainverify self-test. Reported by Andreas Metzler in . ** API and ABI modifications: No changes since last version. * Version 2.7.12 (released 2009-05-20) ** gnutls-serv, gnutls-cli-debug: Make them work on Windows. ** tests/crq_key_id: Don't read entropy from /dev/random in self-test. Reported by Andreas Metzler in . ** Fix build failures. Missing sa_family_t and vsnprintf on IRIX. Reported by "Tom G. Christensen" in . ** minitasn1: Internal copy updated to libtasn1 v2.2. GnuTLS should work fine with libtasn1 v1.x and that is still supported. ** API and ABI modifications: No changes since last version. * Version 2.7.11 (released 2009-05-18) ** minitasn1: Fix build failure when using internal libtasn1. Reported by "Tom G. Christensen" in . ** libgnutls: Fix build failure with --disable-cxx. Reported by Andreas Metzler in . ** gnutls-serv: Fix build failure for unportable NI_MAXHOST/NI_MAXSERV. Reported by "Tom G. Christensen" in ** Building with many warning flags now requires --enable-gcc-warnings. This avoids crying wolf for normal compiles. ** API and ABI modifications: No changes since last version. * Version 2.7.10 (released 2009-05-13) ** examples: Now released into the public domain. This makes the license of the example code compatible with more licenses, including the (L)GPL. ** minitasn1: Internal copy updated to libtasn1 v2.1. GnuTLS should work fine with libtasn1 v1.x and that is still supported. ** libgnutls: Fix crash in signature verification The fix for the CVE-2009-1415 problem wasn't merged completely. ** doc: Fixes for GTK-DOC output. ** API and ABI modifications: No changes since last version. * Version 2.7.9 (released 2009-05-11) ** doc: Fix strings in man page of gnutls_priority_init. ** doc: Fix tables of error codes and supported algorithms. ** Fix build failure when cross-compiled using MinGW. ** Fix build failure when LZO is enabled. Reported by Arfrever Frehtes Taifersar Arahesis in . ** Fix build failure on systems without AF_INET6, e.g., Solaris 2.6. Reported by "Tom G. Christensen" in . ** Fix warnings in self-tests. ** API and ABI modifications: No changes since last version. * Version 2.7.8 (released 2009-05-03) ** libgnutls: Fix DSA key generation. Merged from stable branch. [GNUTLS-SA-2009-2] [CVE-2009-1416] ** libgnutls: Check expiration/activation time on untrusted certificates. Merged from stable branch. Reported by Romain Francoise . This changes the semantics of gnutls_x509_crt_list_verify, which in turn is used by gnutls_certificate_verify_peers and gnutls_certificate_verify_peers2. We add two new gnutls_certificate_status_t codes for reporting the new error condition, GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED. We also add a new gnutls_certificate_verify_flags flag, GNUTLS_VERIFY_DISABLE_TIME_CHECKS, that can be used to disable the new behaviour. [GNUTLS-SA-2009-3] [CVE-2009-1417] ** lib: Linker version scripts reduces number of exported symbols. The linker version script now lists all exported ABIs explicitly, to avoid accidentally exporting unintended functions. Compared to before, most symbols beginning with _gnutls* are no longer exported. These functions have never been intended for use by applications, and there were no prototypes for these function in the public header files. Thus we believe it is possible to do this without incrementing the library ABI version which normally has to be done when removing an interface. ** lib: Limit exported symbols on systems without LD linker scripts. Before all symbols were exported. Now we limit the exported symbols to (for libgnutls and libgnutls-extra) gnutls* and (for libgnutls) _gnutls*. This is a superset of the actual supported ABI, but still an improvement compared to before. This is implemented using Libtool -export-symbols-regex. It is more portable than linker version scripts. ** libgnutls: Incremented CURRENT/AGE libtool version to reflect new symbols. This should have been done in the last release. ** gnutls-serv: Listen on all interfaces, including both IPv4 and IPv6. Reported by Peter Hendrickson in . ** doc: Improved sections for the info manual. We now follow the advice given by the texinfo manual on which directory categories to use. In particular, libgnutls moved from the 'GNU Libraries' section to the 'Software libraries' and the command line tools moved from 'Network Applications' to 'System Administration'. ** API and ABI modifications: gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times. gnutls_certificate_verify_peers: Likewise. gnutls_certificate_verify_peers2: Likewise. GNUTLS_CERT_NOT_ACTIVATED: ADDED. GNUTLS_CERT_EXPIRED: ADDED. GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED. * Version 2.7.7 (released 2009-04-20) ** libgnutls: Applied patch by Cedric Bail to add functions gnutls_x509_crt_verify_hash() and gnutls_x509_crt_get_verify_algorithm(). ** gnutls.pc: Add -ltasn1 to 'pkg-config --libs --static gnutls' output. Reported by Andreas Metzler in . ** minitasn1: Internal copy updated to libtasn1 v1.8. GnuTLS is also internally ready to be used with libtasn1 v2.0. ** doc: Fix build failure of errcodes/printlist. Reported by Roman Bogorodskiy in . ** i18n: The GnuTLS gettext domain is now 'libgnutls' instead of 'gnutls'. It is currently only used by the core library. This will enable a new domain 'gnutls' for translations of the command line tools. ** Corrected possible memory corruption on signature verification failure. Reported by Miroslav Kratochvil ** API and ABI modifications: gnutls_x509_crt_verify_hash: ADDED gnutls_x509_crt_get_verify_algorithm: ADDED * Version 2.7.6 (released 2009-02-27) ** certtool: Query for multiple dnsName subjectAltName in interactive mode. This applies both to generating certificates and certificate requests. ** pkix.asn: Removed unneeded definitions to reduce memory usage. ** gnutls-cli: No longer accepts V1 CAs by default during X.509 chain verify. Use --priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT to permit V1 CAs to be used for chain verification. ** gnutls-serv: No longer disable MAC padding by default. Use --priority NORMAL:%COMPAT to disable MAC padding again. ** gnutls-cli: Certificate information output format changed. The tool now uses libgnutls' functions to print certificate information. This avoids code duplication. ** libgnutls: New priority strings %VERIFY_ALLOW_SIGN_RSA_MD5 ** and %VERIFY_ALLOW_X509_V1_CA_CRT. They can be used to override the default certificate chain validation behaviour. ** libgnutls: Added %SSL3_RECORD_VERSION priority string that allows to specify the client hello message record version. Used to overcome buggy TLS servers. Report by Martin von Gagern. ** libgnutls: gnutls_x509_crt_print prints signature algorithm in oneline mode. ** libgnutls: gnutls_openpgp_crt_print supports oneline mode. ** doc: Update gnutls-cli and gnutls-serv --help output descriptions. ** API and ABI modifications: No changes since last version. * Version 2.7.5 (released 2009-02-06) ** libgnutls: Accept chains where intermediary certs are trusted. Before GnuTLS needed to validate the entire chain back to a self-signed certificate. GnuTLS will now stop looking when it has found an intermediary trusted certificate. The new behaviour is useful when chains, for example, contains a top-level CA, an intermediary CA signed using RSA-MD5, and an end-entity certificate. To avoid chain validation errors due to the RSA-MD5 cert, you can explicitly add the intermediary RSA-MD5 cert to your trusted certs. The signature on trusted certificates are not checked, so the chain has a chance to validate correctly. Reported by "Douglas E. Engert" in . ** libgnutls: result_size in gnutls_hex_encode now holds the size of the result. Report by John Brooks . ** libgnutls: gnutls_handshake when sending client hello during a rehandshake, will not offer a version number larger than the current. Reported by Tristan Hill . ** libgnutls: Permit V1 Certificate Authorities properly. Before they were mistakenly rejected even though GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT and/or GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT were supplied. Reported by "Douglas E. Engert" in . ** API and ABI modifications: No changes since last version. * Version 2.7.4 (released 2009-01-07) ** libgnutls: deprecate X.509 validation chains using MD5 and MD2 signatures. This is a bugfix -- the previous attempt to do this from internal x509 certificate verification procedures did not return the correct value for certificates using a weak hash. Reported by Daniel Kahn Gillmor in , debugged and patch by Tomas Mraz and Daniel Kahn Gillmor . ** libgnutls: New interface to get key id for certificate requests. Patch from David Marín Carreño in . ** libgnutls: gnutls_x509_crq_print will now also print public key id. ** certtool: --verify-chain now prints results of using library verification. Earlier, certtool --verify-chain used its own validation algorithm which wasn't guaranteed to give the same result as the libgnutls internal validation algorithm. Now this command print a new final line with header 'Chain verification output:' that contains the result from using the internal verification algorithm on the same chain. ** tests: Add crq_key_id self-test of gnutls_x509_crq_get_key_id. ** API and ABI modifications: gnutls_x509_crq_get_key_id: ADDED. * Version 2.7.3 (released 2008-12-10) ** libgnutls: Fix chain verification for chains that ends with RSA-MD2 CAs. Reported by Michael Kiefer in forwarded by Andreas Metzler in . ** libgnutls: Libgcrypt initialization changed. If libgcrypt has not already been initialized, GnuTLS will now initialize libgcrypt with disabled secure memory. Initialize libgcrypt explicitly in your application if you want to enable secure memory. Before GnuTLS initialized libgcrypt to use GnuTLS's memory allocation functions, which doesn't use secure memory, so there is no real change in behaviour. ** libgnutls: Fix memory leak in PSK authentication. Reported by Michael Weiser in . ** libgnutls: Small byte reads via gnutls_record_recv() optimized. ** certtool: Move gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0) call earlier. It needs to be invoked before libgcrypt is initialized. ** gnutls-cli: Return non-zero exit code on error conditions. ** gnutls-cli: Corrected bug which caused a rehandshake request to be ignored. ** tests: Added chainverify self-test that tests X.509 chain verifications. ** API and ABI modifications: No changes since last version. * Version 2.7.2 (released 2008-11-18) ** libgnutls: Fix X.509 certificate chain validation error. [GNUTLS-SA-2008-3] The flaw makes it possible for man in the middle attackers (i.e., active attackers) to assume any name and trick GNU TLS clients into trusting that name. Thanks for report and analysis from Martin von Gagern . [CVE-2008-4989] Any updates with more details about this vulnerability will be added to ** libgnutls: Fix namespace issue with version symbols. The symbols LIBGNUTLS_VERSION, LIBGNUTLS_VERSION_MAJOR, LIBGNUTLS_VERSION_MINOR, LIBGNUTLS_VERSION_PATCH, and LIBGNUTLS_VERSION_NUMBER were renamed to GNUTLS_VERSION_NUMBER, GNUTLS_VERSION_MAJOR, GNUTLS_VERSION_MINOR, GNUTLS_VERSION_PATCH, and GNUTLS_VERSION_NUMBER respectively. The old symbols will continue to work but are deprecated. ** certtool: allow setting arbitrary key purpose object identifiers. ** libgnutls: Fix detection of C99 macros, to make debug logging work again. ** libgnutls: Add missing prototype for gnutls_srp_set_prime_bits. Reported by Kevin Quick in . ** libgnutls-extra: Make building with LZO compression work again. Build failure reported by Arfrever Frehtes Taifersar Arahesis in . ** libgnutls: Change detection of when to use a linker version script. Use --enable-ld-version-script or --disable-ld-version-script to override auto-detection logic. ** doc: Change license on the manual to GFDLv1.3+. ** doc: GTK-DOC fixes for new splitted configuration system. ** doc: Texinfo stylesheet uses white background. ** tests: Add cve-2008-4989.c self-test. Tests regressions of the GNUTLS-SA-2008-3 security problem, and the follow-on problem with crashes on length 1 certificate chains. ** gnulib: Deprecated modules removed. Modules include memchr and memcmp. ** Fix warnings and build GnuTLS with more warnings enabled. ** minitasn1: Internal copy updated to libtasn1 v1.7. ** API and ABI modifications: gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_VERSION. GNUTLS_VERSION_MAJOR: ADDED, replaces LIBGNUTLS_VERSION_MAJOR. GNUTLS_VERSION_MINOR: ADDED, replaces LIBGNUTLS_VERSION_MINOR. GNUTLS_VERSION_PATCH: ADDED, replaces LIBGNUTLS_VERSION_PATCH. GNUTLS_VERSION_NUMBER: ADDED, replaces LIBGNUTLS_VERSION_NUMBER. LIBGNUTLS_VERSION: DEPRECATED. LIBGNUTLS_VERSION_MAJOR: DEPRECATED. LIBGNUTLS_VERSION_MINOR: DEPRECATED. LIBGNUTLS_VERSION_PATCH: DEPRECATED. LIBGNUTLS_VERSION_NUMBER: DEPRECATED. * Version 2.7.1 (released 2008-10-31) ** certtool: print a PKCS #8 key even if it is not encrypted. ** Old libgnutls.m4 and libgnutls-config scripts removed. Please use pkg-config instead. ** Configuration system modified. There is now a configure script in lib/ and libextra/ as well, because gnulib works better with a config.h per gnulib directory. ** API and ABI modifications: No changes since last version. * Version 2.7.0 (released 2008-10-16) ** libgnutls: Added functions to handle CRL extensions. ** libgnutls: Added functions to handle X.509 extensions in Certificate Requests. ** libgnutls: Improved error string for GNUTLS_E_AGAIN. Suggested by "Lavrentiev, Anton (NIH/NLM/NCBI) [C]" . ** certtool: Print and set CRL and CRQ extensions. ** libgnutls-extra: Protect internal symbols with static. Fixes problem when linking certtool statically. Tiny patch from Aaron Ucko . ** libgnutls-openssl: fix out of bounds access. Problem in X509_get_subject_name and X509_get_issuer_name. Tiny patch from Thomas Viehmann . ** libgnutlsxx: Define server_session::get_srp_username even if no SRP. ** tests: Make tests compile when using internal libtasn1. Patch by ludo@@gnu.org (Ludovic Courtès). ** Changed detection of libtasn1 and libgcrypt to avoid depending on *-config. We now require a libgcrypt that has Camellia constants declared in gcrypt.h, which means v1.3.0 or later. ** API and ABI modifications: gnutls_x509_crl_get_authority_key_id: ADDED gnutls_x509_crl_get_number: ADDED gnutls_x509_crl_get_extension_oid: ADDED gnutls_x509_crl_get_extension_info: ADDED gnutls_x509_crl_get_extension_data: ADDED gnutls_x509_crl_set_authority_key_id: ADDED gnutls_x509_crl_set_number: ADDED gnutls_x509_crq_get_key_rsa_raw: ADDED gnutls_x509_crq_get_attribute_info: ADDED gnutls_x509_crq_get_attribute_data: ADDED gnutls_x509_crq_get_extension_info: ADDED gnutls_x509_crq_get_extension_data: ADDED gnutls_x509_crq_get_key_usage: ADDED gnutls_x509_crq_get_basic_constraints: ADDED gnutls_x509_crq_get_subject_alt_name: ADDED gnutls_x509_crq_get_subject_alt_othername_oid: ADDED gnutls_x509_crq_get_extension_by_oid: ADDED gnutls_x509_crq_set_subject_alt_name: ADDED gnutls_x509_crq_set_basic_constraints: ADDED gnutls_x509_crq_set_key_usage: ADDED gnutls_x509_crq_get_key_purpose_oid: ADDED gnutls_x509_crq_set_key_purpose_oid: ADDED gnutls_x509_crq_print: ADDED gnutls_x509_crt_set_crq_extensions: ADDED @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.54 2009/05/02 20:04:33 tnn Exp $ d10 1 @ 1.54 log @Update to gnutls-2.6.6. * Version 2.6.6 (released 2009-04-30) libgnutls: Corrected double free on signature verification failure. Reported by Miroslav Kratochvil. See the advisory for more details. [GNUTLS-SA-2009-1] [CVE-2009-1415] libgnutls: Fix DSA key generation. Noticed when investigating the previous GNUTLS-SA-2009-1 problem. All DSA keys generated using GnuTLS 2.6.x are corrupt. See the advisory for more details. [GNUTLS-SA-2009-2] [CVE-2009-1416] libgnutls: Check expiration/activation time on untrusted certificates. Reported by Romain Francoise. Before the library did not check activation/expiration times on certificates, and was documented as not doing so. We have realized that many applications that use libgnutls, including gnutls-cli, fail to perform proper checks. Implementing similar logic in all applications leads to code duplication. Hence, we decided to check whether the current time (as reported by the time function) is within the activation/expiration period of certificates when verifying untrusted certificates. This changes the semantics of gnutls_x509_crt_list_verify, which in turn is used by gnutls_certificate_verify_peers and gnutls_certificate_verify_peers2. We add two new gnutls_certificate_status_t codes for reporting the new error condition, GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED. We also add a new gnutls_certificate_verify_flags flag, GNUTLS_VERIFY_DISABLE_TIME_CHECKS, that can be used to disable the new behaviour. API and ABI modifications: gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times. gnutls_certificate_verify_peers: Likewise. gnutls_certificate_verify_peers2: Likewise. GNUTLS_CERT_NOT_ACTIVATED: ADDED. GNUTLS_CERT_EXPIRED: ADDED. GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.53 2009/04/20 13:11:57 wiz Exp $ d3 3 a5 4 SHA1 (gnutls-2.6.6.tar.bz2) = d1693e611aa7270f14bc500bd56ef529ffcb1703 RMD160 (gnutls-2.6.6.tar.bz2) = dc6e717e38741628508208244f07fed8faedb13c Size (gnutls-2.6.6.tar.bz2) = 5116385 bytes SHA1 (patch-aa) = 8e9ea317342d584fb6f931f96458cc3d7d747ca0 @ 1.53 log @Update to 2.6.5. Update commented out LICENSE (needs two). * Version 2.6.5 (released 2009-04-11) ** libgnutls: Added %SSL3_RECORD_VERSION priority string that allows to specify the client hello message record version. Used to overcome buggy TLS servers. Report by Martin von Gagern. ** GnuTLS no longer uses the libtasn1-config script to find libtasn1. Libtasn1 0.3.4 or later is required. This is to align with the upcoming libtasn1 v2.0 release that doesn't have a libtasn1-script. ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.52 2009/02/21 13:45:31 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-2.6.5.tar.bz2) = 87d0fd82debee0d644f72fcf404ccd7540c6c71a RMD160 (gnutls-2.6.5.tar.bz2) = 9e484d26c50bda0e26e0788ca5465da1ef620fe3 Size (gnutls-2.6.5.tar.bz2) = 5112923 bytes @ 1.52 log @Update to 2.6.4: * Version 2.6.4 (released 2009-02-06) ** libgnutls: Accept chains where intermediary certs are trusted. Before GnuTLS needed to validate the entire chain back to a self-signed certificate. GnuTLS will now stop looking when it has found an intermediary trusted certificate. The new behaviour is useful when chains, for example, contains a top-level CA, an intermediary CA signed using RSA-MD5, and an end-entity certificate. To avoid chain validation errors due to the RSA-MD5 cert, you can explicitly add the intermediary RSA-MD5 cert to your trusted certs. The signature on trusted certificates are not checked, so the chain has a chance to validate correctly. Reported by "Douglas E. Engert" in . ** libgnutls: result_size in gnutls_hex_encode now holds the size of the result. Report by John Brooks . ** libgnutls: gnutls_handshake when sending client hello during a rehandshake, will not offer a version number larger than the current. Reported by Tristan Hill . ** libgnutls: Permit V1 Certificate Authorities properly. Before they were mistakenly rejected even though GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT and/or GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT were supplied. Reported by "Douglas E. Engert" in . ** libgnutls: deprecate X.509 validation chains using MD5 and MD2 signatures. This is a bugfix -- the previous attempt to do this from internal x509 certificate verification procedures did not return the correct value for certificates using a weak hash. Reported by Daniel Kahn Gillmor in , debugged and patch by Tomas Mraz and Daniel Kahn Gillmor . ** libgnutls: Fix compile error with Sun CC. Reported by Jeff Cai in . @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.51 2008/12/19 15:43:20 adam Exp $ d3 3 a5 3 SHA1 (gnutls-2.6.4.tar.bz2) = 11dd1e11599906a32b3ff92308f4c4dbaadbad58 RMD160 (gnutls-2.6.4.tar.bz2) = 771fd64026df69d770a0a681141591b21f9be751 Size (gnutls-2.6.4.tar.bz2) = 5115205 bytes @ 1.52.2.1 log @Pullup ticket 2756 - requested by tnn Security fix Revisions pulled up: - pkgsrc/security/gnutls/Makefile 1.80 - pkgsrc/security/gnutls/distinfo 1.54 Module Name: pkgsrc Committed By: wiz Date: Mon Apr 20 13:11:57 UTC 2009 Modified Files: pkgsrc/security/gnutls: Makefile distinfo Log Message: Update to 2.6.5. Update commented out LICENSE (needs two). * Version 2.6.5 (released 2009-04-11) ** libgnutls: Added %SSL3_RECORD_VERSION priority string that allows to specify the client hello message record version. Used to overcome buggy TLS servers. Report by Martin von Gagern. ** GnuTLS no longer uses the libtasn1-config script to find libtasn1. Libtasn1 0.3.4 or later is required. This is to align with the upcoming libtasn1 v2.0 release that doesn't have a libtasn1-script. ** API and ABI modifications: No changes since last version. To generate a diff of this commit: cvs rdiff -u -r1.77 -r1.78 pkgsrc/security/gnutls/Makefile cvs rdiff -u -r1.52 -r1.53 pkgsrc/security/gnutls/distinfo Module Name: pkgsrc Committed By: zafer Date: Fri May 1 13:49:07 UTC 2009 Modified Files: pkgsrc/security/gnutls: Makefile Log Message: replace non working mirrors with working ones. To generate a diff of this commit: cvs rdiff -u -r1.78 -r1.79 pkgsrc/security/gnutls/Makefile Module Name: pkgsrc Committed By: tnn Date: Sat May 2 20:04:33 UTC 2009 Modified Files: pkgsrc/security/gnutls: Makefile distinfo Log Message: Update to gnutls-2.6.6. * Version 2.6.6 (released 2009-04-30) libgnutls: Corrected double free on signature verification failure. Reported by Miroslav Kratochvil. See the advisory for more details. [GNUTLS-SA-2009-1] [CVE-2009-1415] libgnutls: Fix DSA key generation. Noticed when investigating the previous GNUTLS-SA-2009-1 problem. All DSA keys generated using GnuTLS 2.6.x are corrupt. See the advisory for more details. [GNUTLS-SA-2009-2] [CVE-2009-1416] To generate a diff of this commit: cvs rdiff -u -r1.79 -r1.80 pkgsrc/security/gnutls/Makefile cvs rdiff -u -r1.53 -r1.54 pkgsrc/security/gnutls/distinfo @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.54 2009/05/02 20:04:33 tnn Exp $ d3 3 a5 3 SHA1 (gnutls-2.6.6.tar.bz2) = d1693e611aa7270f14bc500bd56ef529ffcb1703 RMD160 (gnutls-2.6.6.tar.bz2) = dc6e717e38741628508208244f07fed8faedb13c Size (gnutls-2.6.6.tar.bz2) = 5116385 bytes @ 1.51 log @Changes 2.6.3 * gnutls: Fix chain verification for chains that ends with RSA-MD2 CAs. * gnutls: Fix memory leak in PSK authentication. * certtool: Move gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0) call earlier. It needs to be invoked before libgcrypt is initialized. * gnutls-cli: Return non-zero exit code on error conditions. * gnutls-cli: Corrected bug which caused a rehandshake request to be ignored. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.50 2008/11/15 23:02:09 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-2.6.3.tar.bz2) = f9b6a1d6135ef0a57a5cdd9fcb3e82bc62a27dcd RMD160 (gnutls-2.6.3.tar.bz2) = 318c91f167988f2dfcde50015491b7dc7d4eea33 Size (gnutls-2.6.3.tar.bz2) = 5114214 bytes a9 2 SHA1 (patch-ag) = 39298bf6cbff77d880654067e797a9a4cb868b9b SHA1 (patch-ah) = 889b69c23b4b0584fddd08a6827b10b78fc8f018 @ 1.50 log @Update to 2.6.2: * Version 2.6.2 (released 2008-11-12) ** libgnutls: Fix crash in X.509 validation code for self-signed certificates. The patch to fix the security problem GNUTLS-SA-2008-3 introduced a problem for certificate chains that contained just one self-signed certificate. Reported by Michael Meskes in . ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.49 2008/11/10 17:33:20 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-2.6.2.tar.bz2) = 2c7701b61c86d5cec8305f8741bc18bc64f33b31 RMD160 (gnutls-2.6.2.tar.bz2) = 10a37efe6bd90add75e338ca98eb09cc4ab69dc7 Size (gnutls-2.6.2.tar.bz2) = 5113586 bytes @ 1.49 log @Update to 2.6.1: * Version 2.6.1 (released 2008-11-10) ** libgnutls: Fix X.509 certificate chain validation error. [GNUTLS-SA-2008-3] The flaw makes it possible for man in the middle attackers (i.e., active attackers) to assume any name and trick GNU TLS clients into trusting that name. Thanks for report and analysis from Martin von Gagern . [CVE-2008-4989] Any updates with more details about this vulnerability will be added to ** libgnutls: Add missing prototype for gnutls_srp_set_prime_bits. Reported by Kevin Quick in . ** libgnutls-extra: Protect internal symbols with static. Fixes problem when linking certtool statically. Tiny patch from Aaron Ucko . ** libgnutls-openssl: Fix patch against X509_get_issuer_name. It incorrectly returned the subject DN instead of issuer DN in v2.6.0. Thanks to Thomas Viehmann for report. ** certtool: Print a PKCS #8 key even if it is not encrypted. ** tests: Make tests compile when using internal libtasn1. Patch by ludo@@gnu.org (Ludovic Courtès). ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.48 2008/10/29 11:45:34 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-2.6.1.tar.bz2) = a445e84176bf772794db9d8c71d5515dedb14bcc RMD160 (gnutls-2.6.1.tar.bz2) = c39539bd5d4e07dc09f5827a8c22d876272b4bbc Size (gnutls-2.6.1.tar.bz2) = 5113327 bytes @ 1.48 log @Add patch-ag, patch-ah, patch-ai (hi, shannonjr!). @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.47 2008/10/18 11:55:11 adam Exp $ d3 3 a5 3 SHA1 (gnutls-2.6.0.tar.bz2) = bbd9e5f3a77bfcbef5a769c67d1576e7a6e4bda5 RMD160 (gnutls-2.6.0.tar.bz2) = 1d92662edd64e93e658fc527f1dfbfc99ab3a1da Size (gnutls-2.6.0.tar.bz2) = 5112845 bytes @ 1.47 log @Changes 2.6.0: * libgnutls: Correct printing and parsing of IPv6 addresses. * libgnutls-openssl: fix out of bounds access. * certtool: Use inet_pton for parsing IPv6 addresses. * Added API to replace and update the crypto backend. * certtool: can add several subject alternative names via template file. * opencdk: Parse (but not decrypt) encrypted secret keys. * more... @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.46 2008/09/27 23:11:37 tonnerre Exp $ d10 3 @ 1.46 log @If strverscmp() is not present, gnutls shouldn't export a symbol of the same name, breaking the builds of libraries trying to both link against libcurl and use strverscmp(). Bump PKGREVISION. Fixes PR 39640. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.45 2008/07/30 17:17:21 kefren Exp $ d3 5 a7 7 SHA1 (gnutls-2.4.1.tar.bz2) = 7a439542e6344d5ccf11a29431a0600e7fe1c735 RMD160 (gnutls-2.4.1.tar.bz2) = 4e21a82047add916b8ccce8aa82c36b2c9bcff90 Size (gnutls-2.4.1.tar.bz2) = 4940118 bytes SHA1 (patch-aa) = b2024cb515196e64efcdbba227f05db9eb07c236 SHA1 (patch-ab) = d30748128877d2ec5942d2b852f23a05d36102d0 SHA1 (patch-ac) = 21f2ab373a888aadeb66d58b70e54bab4c3be7eb SHA1 (patch-ad) = 720d096d95a4d76aedaa13606ad4bee7872da5b0 @ 1.45 log @update to gnutls-2.4.1 Changes: ** libgnutls: Fix local crash in gnutls_handshake. [GNUTLS-SA-2008-2] ** libgnutls: Fix memory leaks when doing a re-handshake. ** Fix compiler warnings. ** Fix ordering of -I's to avoid opencdk.h conflict with system headers. ** srptool: Fix a problem where --verify check does not succeed. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.44 2008/05/22 13:18:52 tnn Exp $ d8 2 @ 1.44 log @Update to gnutls-2.2.5. * Version 2.2.5 (released 2008-05-19) Fix flaw in fix for GNUTLS-SA-2008-1-3. * Version 2.2.4 (released 2008-05-19) Fix three security vulnerabilities. [GNUTLS-SA-2008-1] [GNUTLS-SA-2008-1-1] libgnutls: Fix crash when sending invalid server name. [GNUTLS-SA-2008-1-2] libgnutls: Fix crash when sending repeated client hellos. [GNUTLS-SA-2008-1-3] libgnutls: Fix crash in cipher padding decoding for invalid record lengths. * Version 2.2.3 (released 2008-05-06) Increase default handshake packet size limit to 48kb. Fix compilation error related to __FUNCTION__ on some systems. Documented the --priority option to gnutls-cli and gnutls-serv. Fix fopen file descriptor leak in PSK server code. Build Guile code with -fgnu89-inline only when supported. Make Camellia encryption work. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.43 2008/03/06 14:52:13 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-2.2.5.tar.bz2) = 7620d092c790f0a5ac5486c3563786ca8777083d RMD160 (gnutls-2.2.5.tar.bz2) = dd48a780849fc81c0a688116984eab8f41ea8ebf Size (gnutls-2.2.5.tar.bz2) = 4920322 bytes a7 1 SHA1 (patch-ad) = 585a6b64cc52403d83804ef22726110c4aae6169 @ 1.44.4.1 log @pullup ticket #2497 - requested by kefren gnutls: update package for fixes revisions pulled up: pkgsrc/security/gnutls/Makefile 1.71 pkgsrc/security/gnutls/PLIST 1.32 pkgsrc/security/gnutls/distinfo 1.45 pkgsrc/security/gnutls/patches/patch-ad r0 Module Name: pkgsrc Committed By: kefren Date: Wed Jul 30 17:17:21 UTC 2008 Modified Files: pkgsrc/security/gnutls: Makefile PLIST distinfo Removed Files: pkgsrc/security/gnutls/patches: patch-ad Log Message: update to gnutls-2.4.1 Changes: ** libgnutls: Fix local crash in gnutls_handshake. [GNUTLS-SA-2008-2] ** libgnutls: Fix memory leaks when doing a re-handshake. ** Fix compiler warnings. ** Fix ordering of -I's to avoid opencdk.h conflict with system headers. ** srptool: Fix a problem where --verify check does not succeed. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.44 2008/05/22 13:18:52 tnn Exp $ d3 3 a5 3 SHA1 (gnutls-2.4.1.tar.bz2) = 7a439542e6344d5ccf11a29431a0600e7fe1c735 RMD160 (gnutls-2.4.1.tar.bz2) = 4e21a82047add916b8ccce8aa82c36b2c9bcff90 Size (gnutls-2.4.1.tar.bz2) = 4940118 bytes d8 1 @ 1.43 log @Update to 2.2.2: * Version 2.2.2 (released 2008-02-21) ** Cipher priority string handling now handle strings that starts with NULL. Thanks to Laurence Withers . ** Corrected memory leaks in session resuming and DHE ciphersuites. Reported by Daniel Stenberg. ** Increased the default certificate verification chain limits and allowed for checks without limitation. ** Corrected the behaviour of gnutls_x509_crt_get_subject_alt_name() and gnutls_x509_crt_get_subject_alt_name() to not null terminate binary strings and return the proper size. ** API and ABI modifications: No changes since last version. * Version 2.2.1 (released 2008-01-17) ** Prevent linking libextra against previously installed libgnutls. Tiny patch from "Alon Bar-Lev" , see . ** Fixes the post_client_hello_function(). The extensions are now parsed in a callback friendly way. ** Fix for certificate selection in servers with certificate callbacks. ** API and ABI modifications: No changes since last version. * Version 2.2.0 (released 2007-12-14) Major changes compared to the v2.0 branch: * SRP support aligned with newly published RFC 5054. * OpenPGP support aligned with newly published RFC 5081. * Support for DSA2 keys. * Support for Camellia cipher. * Support for Opaque PRF Input extension. * PKCS#8 parser now handle DSA keys. * Change from GPLv2 to GPLv3 for command-line tools, libgnutls-extra, etc. Notice that liblzo2 2.02 is licensed under GPLv2 only. Earlier versions, such as 2.01 which is included with GnuTLS, is available under GPLv2 or later. If this incompatibility causes problems, we recommend you to disable LZO using --without-lzo. LZO compression is not a standard TLS compression algorithm, so the impact should be minimal. * Functions for disabling record protocol padding. Works around bugs on Nokia/Ericsson phones. * New functions gnutls_priority_set() for setting cipher priorities easily. Priorities like "COMPAT" also enables other work arounds, such as disabling padding. * Other minor improvements and bug fixes. Minor changes compared to the latest v2.1.8 release candidate: * Update internal copy of libtasn1 to version 1.2. * Certtool --verify-chain now handle inputs larger than 64kb. This fixes the self-test "rsa-md5-collision" under MinGW+Wine with recent versions of libgcrypt. The problem was that Wine with the libgcrypt RNG generates huge amounts of debugging output. * Translation updates. Added Dutch translation. Updated Polish and Swedish translation. Backwards incompatible API/ABI changes in GnuTLS 2.2 ==================================================== To adapt to changes in the TLS extension specifications for OpenPGP and SRP, the GnuTLS API had to be modified. This means breaking the API and ABI backwards compatibility. That is something we try to avoid unless it is necessary. We decided to also remove the already deprecated stub functions for X.509 to XML conversion and TLS authorization (see below) when we had the opportunity. Generally, most applications does not need to be modified. Just re-compile them against the latest GnuTLS release, and it should work fine. Applications that use the OpenPGP or SRP features needs to be modified. Below is a list of the modified APIs and discussion of what the minimal things you need to modify in your application to make it work with GnuTLS 2.2. Note that GnuTLS 2.2 also introduces new APIs -- such as gnutls_set_priority() that is superior to gnutls_set_default_priority() -- that you may want to start using. However, using those new APIs is not required to use GnuTLS 2.2 since the old functions continue are still supported. This text only discuss what you minimally have to modify. XML related changes ------------------- The function `gnutls_x509_crt_to_xml' has been removed. It has been deprecated and only returned an error code since GnuTLS version 1.2.11. Nobody has complained, so users doesn't seem to miss the functionality. We don't know of any other library to convert X.509 certificates into XML format, but we decided (long ago) that GnuTLS isn't the right place for this kind of functionality. If you want help to find some other library to use here, please explain and discuss your use case on help-gnutls gnu.org. TLS Authorization related changes --------------------------------- Everything related to TLS authorizations have been removed, they were only stub functions that returned an error code: GNUTLS_SUPPLEMENTAL_AUTHZ_DATA gnutls_authz_data_format_type_t gnutls_authz_recv_callback_func gnutls_authz_send_callback_func gnutls_authz_enable gnutls_authz_send_x509_attr_cert gnutls_authz_send_saml_assertion gnutls_authz_send_x509_attr_cert_url gnutls_authz_send_saml_assertion_url SRP related changes ------------------- The callback gnutls_srp_client_credentials_function has a new prototype, and its semantic has changed. You need to rewrite the callback, see the updated function documentation and SRP example code (doc/examples/ex-client-srp.c and doc/examples/ex-serv-srp.c) for more information. The alert codes GNUTLS_A_MISSING_SRP_USERNAME and GNUTLS_A_UNKNOWN_SRP_USERNAME are no longer used by the SRP specification, instead the GNUTLS_A_UNKNOWN_PSK_IDENTITY alert is used. There are #define's to map the old names to the new. You may run into problems if you have a switch-case with cases for both SRP alerts, since they are now mapped to the same value. The solution is to drop the SRP alerts from such switch cases, as they are now deprecated in favor of GNUTLS_A_UNKNOWN_PSK_IDENTITY. OpenPGP related changes ----------------------- The function `gnutls_certificate_set_openpgp_keyserver' have been removed. There is no replacement functionality inside GnuTLS. If you need keyserver functionality, consider using the GnuPG tools. All functions, types, and error codes related to OpenPGP trustdb format have been removed. The trustdb format is a non-standard GnuPG-specific format, and we recommend you to use key rings instead. The following have been removed: gnutls_certificate_set_openpgp_trustdb gnutls_openpgp_trustdb_init gnutls_openpgp_trustdb_deinit gnutls_openpgp_trustdb_import gnutls_openpgp_key_verify_trustdb gnutls_openpgp_trustdb_t GNUTLS_E_OPENPGP_TRUSTDB_VERSION_UNSUPPORTED The following functions has an added parameter of the (new) type `gnutls_openpgp_crt_fmt_t'. The type specify the format of the data (binary or base64). The functions are: gnutls_certificate_set_openpgp_key_file gnutls_certificate_set_openpgp_key_mem gnutls_certificate_set_openpgp_keyring_mem gnutls_certificate_set_openpgp_keyring_file To improve terminology and align with the X.509 interface, some functions have been renamed. Compatibility mappings exists. The old and new names of the affected functions and types are: Old name New name gnutls_openpgp_key_t gnutls_openpgp_crt_t gnutls_openpgp_key_fmt_t gnutls_openpgp_crt_fmt_t gnutls_openpgp_key_status_t gnutls_openpgp_crt_status_t GNUTLS_OPENPGP_KEY GNUTLS_OPENPGP_CERT GNUTLS_OPENPGP_KEY_FINGERPRINT GNUTLS_OPENPGP_CERT_FINGERPRINT gnutls_openpgp_key_init gnutls_openpgp_crt_init gnutls_openpgp_key_deinit gnutls_openpgp_crt_deinit gnutls_openpgp_key_import gnutls_openpgp_crt_import gnutls_openpgp_key_export gnutls_openpgp_crt_export gnutls_openpgp_key_get_key_usage gnutls_openpgp_crt_get_key_usage gnutls_openpgp_key_get_fingerprint gnutls_openpgp_crt_get_fingerprint gnutls_openpgp_key_get_pk_algorithm gnutls_openpgp_crt_get_pk_algorithm gnutls_openpgp_key_get_name gnutls_openpgp_crt_get_name gnutls_openpgp_key_get_version gnutls_openpgp_crt_get_version gnutls_openpgp_key_get_creation_time gnutls_openpgp_crt_get_creation_time gnutls_openpgp_key_get_expiration_time gnutls_openpgp_crt_get_expiration_time gnutls_openpgp_key_get_id gnutls_openpgp_crt_get_id gnutls_openpgp_key_check_hostname gnutls_openpgp_crt_check_hostname gnutls_openpgp_send_key gnutls_openpgp_send_cert * Version 2.0.0 (released 2007-09-04) The following changes have been made since GnuTLS 1.6: * Support for external RSA/DSA signing for TLS client authentication. This allows you to secure the private key better, for example by using privilege-separation techniques between the private key and the network client/server. * Support for signing X.509 certificates using RSA with SHA-256/384/512. * Experimental support for TLS 1.2 (disabled by default). The TLS 1.2 specification is not finalized yet, but we implement a draft version for testing. * Support for X.509 Proxy Certificates (RFC 3820) * Support for Supplemental handshakes messages (RFC 4680). * Support for TLS authorization extension (draft-housley-tls-authz-extns-07). * Support for the X.509 'otherName' Subject Altnerative Names (for XMPP). * Guile bindings for GnuTLS have been added, thanks to Ludovic Courtes. * Improve logic of gnutls_set_default_priority() which can now be more recommended. * New APIs to enumerate supported algorithms in the library. * New APIs to access X.509 Certificate extension sequentially. * New APIs to print X.509 Certificates and CRLs in human readable formats. * New APIs to extract X.509 Distinguished Names from certificates. * New APIs to handle pathLenConstraint in X.509 Basic Constraints. * Certtool can export more than one certificate to PKCS#12. * Several message translation improvements. * Instructions and improvements to easily set up a HTTPS test server. * Included copies updated to Libtasn1 1.1 and OpenCDK 0.6.4. * Build improvements for Windows, Mac OS X, uClinux, etc. * GnuTLS is now developed in GIT. * Improved manual * Many bugfixes and minor improvements. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.42 2007/11/25 23:45:16 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-2.2.2.tar.bz2) = 6b9586083c6460b0efa73959d86036ecb0a6acf8 RMD160 (gnutls-2.2.2.tar.bz2) = 120f5c014169914fee62a637c4e3efb3d5400165 Size (gnutls-2.2.2.tar.bz2) = 4923519 bytes @ 1.43.2.1 log @pullup ticket #2397 - requested by tnn gnutls: update for security fixes revisions pulled up: - pkgsrc/security/gnutls/Makefile 1.69 - pkgsrc/security/gnutls/distinfo 1.44 Module Name: pkgsrc Committed By: tnn Date: Thu May 22 13:18:52 UTC 2008 Modified Files: pkgsrc/security/gnutls: Makefile distinfo Log Message: Update to gnutls-2.2.5. * Version 2.2.5 (released 2008-05-19) Fix flaw in fix for GNUTLS-SA-2008-1-3. * Version 2.2.4 (released 2008-05-19) Fix three security vulnerabilities. [GNUTLS-SA-2008-1] [GNUTLS-SA-2008-1-1] libgnutls: Fix crash when sending invalid server name. [GNUTLS-SA-2008-1-2] libgnutls: Fix crash when sending repeated client hellos. [GNUTLS-SA-2008-1-3] libgnutls: Fix crash in cipher padding decoding for invalid record lengths. * Version 2.2.3 (released 2008-05-06) Increase default handshake packet size limit to 48kb. Fix compilation error related to __FUNCTION__ on some systems. Documented the --priority option to gnutls-cli and gnutls-serv. Fix fopen file descriptor leak in PSK server code. Build Guile code with -fgnu89-inline only when supported. Make Camellia encryption work. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.43 2008/03/06 14:52:13 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-2.2.5.tar.bz2) = 7620d092c790f0a5ac5486c3563786ca8777083d RMD160 (gnutls-2.2.5.tar.bz2) = dd48a780849fc81c0a688116984eab8f41ea8ebf Size (gnutls-2.2.5.tar.bz2) = 4920322 bytes @ 1.42 log @Update to 2.0.4: * Version 2.0.4 (released 2007-11-16) ** Corrected bug in decompression of expanded compression data. ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.41 2007/11/11 19:28:27 wiz Exp $ d3 5 a7 5 SHA1 (gnutls-2.0.4.tar.bz2) = 52e17e749a0ad35c54ef204d43ceecda9e5b70d7 RMD160 (gnutls-2.0.4.tar.bz2) = e7fa86f5f9a78da73575507025cde8be6cdc0be6 Size (gnutls-2.0.4.tar.bz2) = 4911330 bytes SHA1 (patch-aa) = 1d4ee449fd02fce00fdab055857281b69b17c1ae SHA1 (patch-ab) = 1bdf8bb767dc0de591346a98f1a6b3453de116dc a10 1 SHA1 (patch-ag) = 47892013971866ae69d7fb6fa2a7c992777ca71a @ 1.41 log @Update to 2.0.3: * Version 2.0.3 (released 2007-11-10) ** This version backports several fixes from the 2.1.x branch. ** Fixed PKCS #3 parameter export. ** Added gnutls_record_disable_padding() to allow servers talking to buggy clients that complain if the TLS 1.0 record protocol padding is used. ** Introduced gnutls_session_enable_compatibility_mode() to allow enabling all supported compatibility options (like disabling padding). ** Corrected bug which did not allow a server to run without supporting certificates. ** API and ABI modifications: gnutls_session_enable_compatibility_mode: ADDED gnutls_record_disable_padding: ADDED Add LICENSE, commented out; it contains both LGPL-2.1 and GPL2 code. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.40 2007/11/03 23:45:56 rillig Exp $ d3 3 a5 3 SHA1 (gnutls-2.0.3.tar.bz2) = e329e30f7f80ee905809012cad132eab8f6e9a87 RMD160 (gnutls-2.0.3.tar.bz2) = a22eaad937eca8899ea79c529917a1bd838c6120 Size (gnutls-2.0.3.tar.bz2) = 4911980 bytes @ 1.40 log @Fixed building the package with sunpro. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.39 2007/10/23 11:43:56 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-2.0.2.tar.bz2) = 1e67565e1dbdfdbcf67a7467f7507f849e582730 RMD160 (gnutls-2.0.2.tar.bz2) = 1b449d8c025324988e04722f10c1980652c221fe Size (gnutls-2.0.2.tar.bz2) = 4831867 bytes @ 1.39 log @Update to 2.0.2: * Version 2.0.2 (released 2007-10-17) ** TLS authorization support removed. This technique may be patented in the future, and it is not of crucial importance for the Internet community. After deliberation we have concluded that the best thing we can do in this situation is to encourage society not to adopt this technique. We have decided to lead the way with our own actions. ** certtool: Fixed data corruption when using --outder. ** Fix configure-time Guile detection. ** API and ABI modifications: GNUTLS_SUPPLEMENTAL_USER_MAPPING_DATA: ADDED. To avoid that the gnutls_supplemental_data_format_type_t enum type becomes empty. * Version 2.0.1 (released 2007-09-20) ** New directory doc/credentials/ with test credentials. This collects the test credentials from the web page and from src/. The script gnutls-http-serv has also been moved to that directory. ** Update SRP extension type and cipher suite with official IANA values. This breaks backwards compatibility with SRP in older versions of GnuTLS, but this is intentional to speed up the adoption of the official values. The old values we used were incorrect. ** Guile: Fix `x509-certificate-dn-oid' ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.38 2007/09/14 12:03:37 joerg Exp $ d11 1 @ 1.38 log @Hack around stupid GNUlib mess to allow building on DragonFly. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.37 2007/09/05 21:51:21 drochner Exp $ d3 3 a5 3 SHA1 (gnutls-2.0.0.tar.bz2) = 985d86cb942b9d79abb5c8966439f23141ad803a RMD160 (gnutls-2.0.0.tar.bz2) = 4f0fac158749ac9df9d0f1c0dd0264ef26230b93 Size (gnutls-2.0.0.tar.bz2) = 4764031 bytes d7 3 a9 4 SHA1 (patch-ab) = d1e28c1e8bf1af4f65f38571840d92c88b222d8f SHA1 (patch-ac) = 2c31d26f4187f37bfbba08bedcb25ecb51225d4f SHA1 (patch-ad) = 24d7eb4fc75b90b97697a05267de8966313e8899 SHA1 (patch-ae) = 3b74520c79a129a29dbeee6c6b66d5aa42b9aa47 @ 1.37 log @update to 2.0.0 While an update to a .0 version is somehow risky, it finishes the unfortunate state that the pkgsrc gnutls didn't work with the pkgsrc opencdk, which I wouldn't like to go into the next stable branch. Release candidates have worked for me, and there is some time left before the Q3 branch, so I'm confident. changes: * Support for external RSA/DSA signing for TLS client authentication -many X.509 enhancements Support for Supplemental handshakes messages (RFC 4680) * Support for TLS authorization extension (draft-housley-tls-authz-extns-07) * Improve logic of gnutls_set_default_priority() * New APIs to enumerate supported algorithms in the library * Certtool can export more than one certificate to PKCS#12 * Several message translation improvements * Improved manual * Many bugfixes and minor improvements @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.36 2007/06/01 20:12:45 wiz Exp $ d6 1 d8 1 @ 1.36 log @Update to 1.6.3: * Version 1.6.3 (released 2007-05-26) ** New API functions to extract DER encoded X.509 Subject/Issuer DN. Suggested by Nate Nielsen . Backported from the 1.7.x branch, see . ** Have PKCS8 parser return better error codes. Reported by Nate Nielsen , see and . ** Fix mem leak for sessions with client authentication via certificates. Reported by Andrew W. Nosenko , see . ** Fix building of 'tlsia' self test. Earlier some gcc are known to build tlsia linking to $prefix/lib/libgnutls-extra.so rather than the libgnutls-extra.so in the build directory, even though command line parameters look OK. Changing order of some parameters fixes it. ** API and ABI modifications: gnutls_x509_crt_get_raw_issuer_dn: ADD. gnutls_x509_crt_get_raw_dn: ADD. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.35 2007/04/20 06:07:16 wiz Exp $ d3 7 a9 6 SHA1 (gnutls-1.6.3.tar.bz2) = 7553b9f7ddd4982c0759b814bc6d9bf892cf7347 RMD160 (gnutls-1.6.3.tar.bz2) = 31f9a5b5747b532199ecf6d6b45f0bf5f3b389f3 Size (gnutls-1.6.3.tar.bz2) = 4286276 bytes SHA1 (patch-aa) = eb29cda3b79c6cf7303ebf53ace62a7834eac6bf SHA1 (patch-ab) = 088e7b11194dafeae0b6e2cf2736c6d34eecf6b6 SHA1 (patch-ac) = 937b2ea324ffa0dccb37a0612d7ace8b0de9c00a @ 1.35 log @Update to 1.6.2: * Version 1.6.2 (released 2007-04-18) ** Fix X.509 signing with RSA-PKCS#1 to set a NULL parameters fields. Before, we remove the parameters field, which resulted in a slightly different DER encoding which in turn caused signature verification failures of GnuTLS-generated RSA certificates in some other implementations (e.g., GnuPG 2.x's gpgsm). Depending on which RFCs you read, this may or may not be correct, but our new behaviour appear to be consistent with other widely used implementations. ** Regenerate the PKIX ASN.1 syntax tree. For some reason, after changing the ASN.1 type of ldap-UID in the last release, the generated C file built from the ASN.1 schema was not refreshed. This can cause problems when reading/writing UID components inside X.500 Distinguished Names. Reported by devel . ** Updated translations. ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.34 2007/01/24 15:58:04 tron Exp $ d3 3 a5 3 SHA1 (gnutls-1.6.2.tar.bz2) = d9b0cc20d10d4f0d4f2427a111b0481ae3cbb7da RMD160 (gnutls-1.6.2.tar.bz2) = 8f24683bea7bf973a6df5b5249a4471801834935 Size (gnutls-1.6.2.tar.bz2) = 4285763 bytes @ 1.34 log @Renable and fix build of C++ library under Mac OS X. Bump package revision because of this fix. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.33 2007/01/20 17:38:06 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-1.6.1.tar.bz2) = e9517a6ad324245a5ebf8d86a16fc1486cd0b6ee RMD160 (gnutls-1.6.1.tar.bz2) = e1b780885dadc6cb355af53a4e69172f1037e06c Size (gnutls-1.6.1.tar.bz2) = 4226536 bytes d7 1 a7 1 SHA1 (patch-ab) = 503bf7fa154341504db7ba3b5c6602627ff27dc5 @ 1.33 log @Update to 1.6.1: * Version 1.6.1 (released 2006-12-28) ** Fix the list of trusted CAs that server's send to clients. Before, the list contained issuer DN's instead of subject DN's of the trusted CAs. Reported by Max Kellermann ** Fix gnutls_certificate_set_x509_crl to initialize the CRL before using it. Reported by Max Kellermann ** Encode UID fields in DN's as DirectoryString. Before GnuTLS encoded and parsed UID fields as IA5String. This was incorrect, it should have used DirectoryString. Now it will use DirectoryString for the UID field, but for backwards compatibility it will also accept IA5String UID's. Reported by Max Kellermann ** Fix ./configure failure with non-GCC compilers. This fixes the following error message: configure: error: conditional "HAVE_LD_OUTPUT_DEF" was never defined. Reported by "Michael C. Vergallen" * Version 1.6.0 (released 2006-11-17) ** No changes since 1.5.5. The major changes compared to the 1.4.x branch are: *** A GnuTLS C++ library is part of the official distribution. Currently there are no examples or documentation, but hopefully this will change. See gnutlsxx.h for the API. *** Windows is a supported platform. There are, however, two know bugs. One is related to select() in command line tools (not, nota bene, in the library), the other is a problem with libgcrypt that causes delays. Help is needed to resolve those issues, so we feel we can't delay the release because of this. *** New APIs for custom push/pull function error reporting. The new APIs are gnutls_transport_set_errno and gnutls_transport_set_global_errno. See the release notes for version 1.5.4 for more information. *** Self tests are run under valgrind, if available. See --disable-valgrind. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.32 2006/11/13 18:15:14 drochner Exp $ d6 1 d8 1 @ 1.32 log @update to 1.4.5 changes: minor bugfixes @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.31 2006/09/16 06:21:22 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-1.4.5.tar.bz2) = 49a468de975ee6d10778ac43884ea4febb03d9dc RMD160 (gnutls-1.4.5.tar.bz2) = 74bb6f9fc4286b92f04edffa513ea0524f574099 Size (gnutls-1.4.5.tar.bz2) = 4045874 bytes @ 1.31 log @Update to 1.4.4: * Version 1.4.4 (released 2006-09-12) ** Relax the test that caught signatures that exploit the variant of ** Bleichenbacher's Crypto 06 rump session attack on our ** verification logic flaw. In particular, we now permit the digestAlgorithm.parameters field to be present but empty, whereas in 1.4.3 we actually checked that the field was absent. ** Revert the removal of debug information for the GNUTLS-SA-2006-3 problem. The messages are only printed in debug mode, which is not recommended for normal use, and thus logging this situation cannot be abused as an oracle in typical recommended situations. ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.30 2006/09/10 21:12:21 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-1.4.4.tar.bz2) = 8f6ee112c8d93dd726e8e3d0e3fbf234f085a2cd RMD160 (gnutls-1.4.4.tar.bz2) = a31dfe33934ddf2500ae0e6c67aa265cd5b9ede4 Size (gnutls-1.4.4.tar.bz2) = 4048916 bytes @ 1.30 log @Update to 1.4.3: * Version 1.4.3 (released 2006-09-08) ** Fix PKCS#1 verification to avoid a variant of Bleichenbacher's ** Crypto 06 rump session attack. In particular, we check that the digestAlgorithm.parameters field is empty, to avoid that it can contain "garbage" that may be used to alter the numeric properties of the signature. See (which is not exactly the same as the problem we fix here). Reported by Yutaka OIWA . See GNUTLS-SA-2006-4 on http://www.gnutls.org/security.html for more up to date information. ** Fix PKCS#1 decryption to avoid Bleichenbacher's Crypto 98 attack. See . Reported by Werner Koch . See GNUTLS-SA-2006-3 on http://www.gnutls.org/security.html for more up to date information. ** Fix crash in gnutls_x509_crt_sign2 if passed a NULL issuer_key. ** API and ABI modifications: No changes since last version. * Version 1.4.2 (released 2006-08-12) ** Fix a crash (strcmp() on a NULL value) in the certificate verification logic. This can happen if you call gnutls_certificate_verify_peers2 and have a certain mix of local CA certificates and the peer send special certificates, that together trigger certain behaviour. It is not known at this point whether the crash can be triggered without the special local CA certificate, and thus turn this into a remote crash of clients that verify server certificates when they talk to a server with the special server certificate. See GNUTLS-SA-2006-2 on http://www.gnu.org/software/gnutls/security.html for more up to date information. Reported by satyakumar . ** Change SRP and Cert-Type extensions to match IANA registry. ** OpenCDK updated to 0.5.9 to fix some problems with OpenPGP support. ** Make --without-included-libtasn1 work. Reported by Daniel Black . ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.29 2006/07/17 17:02:02 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-1.4.3.tar.bz2) = c4182c3804235d6f3eb2f3e59bb560f22370d4fc RMD160 (gnutls-1.4.3.tar.bz2) = 3be97523303c5350dea1b74e50feeab71804f857 Size (gnutls-1.4.3.tar.bz2) = 4047997 bytes @ 1.29 log @Update to 1.4.1: * Version 1.4.1 (released 2006-06-14) ** Replaced inactive ifdefs to enable openpgp support in test programs. ** Fixed bug in OpenPGP authentication handshake. ** Fixed typographical in man pages. ** Build fixes of the manual. ** Added Swedish translation. ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.28 2006/05/17 21:50:22 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-1.4.1.tar.bz2) = 25d183fef21abbcaab0afe6b5809893aa70b577d RMD160 (gnutls-1.4.1.tar.bz2) = 1bb959a118ce8d776693f602034342c31a8737aa Size (gnutls-1.4.1.tar.bz2) = 4046780 bytes @ 1.28 log @Update to 1.4.0: * Version 1.4.0 (released 2006-05-15) ** Remove GnuTLS 0.8.x compatibility functions. ** The libgcrypt RNG is initialized in gnutls_global_init(). ** TLS/IA API changes from Emile van Bergen. A dummy credential structure is not needed now, if you wish to use the low-level TLS/IA API, simply call gnutls_ia_enable to enable TLS/IA on a session. ** The self-tests are now run under valgrind, if it is installed. ** Libtasn1 is updated to 0.3.4, and that version is now required. ** The command line tools now use getaddrinfo and support IPv6. ** API and ABI modifications: _gnutls_x509_get_raw_crt_activation_time, _gnutls_x509_get_raw_crt_expiration_time: Removed. gnutls_ia_require_inner_phase: Removed, replaced by gnutls_ia_enable. gnutls_ia_enable: Added. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.27 2006/03/09 17:25:54 cube Exp $ d3 3 a5 3 SHA1 (gnutls-1.4.0.tar.bz2) = 71c2df8072796592bb20910f3554923b4178b352 RMD160 (gnutls-1.4.0.tar.bz2) = f3af3a76a630244e82461cdb804b09218f79eff5 Size (gnutls-1.4.0.tar.bz2) = 3281324 bytes @ 1.28.2.1 log @Pullup ticket 1830 - requested by wiz security update for gnutls Revisions pulled up: - pkgsrc/security/gnutls/Makefile 1.50, 1.51, 1.52 - pkgsrc/security/gnutls/PLIST 1.22 - pkgsrc/security/gnutls/distinfo 1.29, 1.30, 1.31 Module Name: pkgsrc Committed By: wiz Date: Mon Jul 17 17:02:02 UTC 2006 Modified Files: pkgsrc/security/gnutls: Makefile PLIST distinfo Log Message: Update to 1.4.1: * Version 1.4.1 (released 2006-06-14) ** Replaced inactive ifdefs to enable openpgp support in test programs. ** Fixed bug in OpenPGP authentication handshake. ** Fixed typographical in man pages. ** Build fixes of the manual. ** Added Swedish translation. ** API and ABI modifications: No changes since last version. --- Module Name: pkgsrc Committed By: wiz Date: Sun Sep 10 21:12:21 UTC 2006 Modified Files: pkgsrc/security/gnutls: Makefile distinfo Log Message: Update to 1.4.3: * Version 1.4.3 (released 2006-09-08) ** Fix PKCS#1 verification to avoid a variant of Bleichenbacher's ** Crypto 06 rump session attack. In particular, we check that the digestAlgorithm.parameters field is empty, to avoid that it can contain "garbage" that may be used to alter the numeric properties of the signature. See (which is not exactly the same as the problem we fix here). Reported by Yutaka OIWA . See GNUTLS-SA-2006-4 on http://www.gnutls.org/security.html for more up to date information. ** Fix PKCS#1 decryption to avoid Bleichenbacher's Crypto 98 attack. See . Reported by Werner Koch . See GNUTLS-SA-2006-3 on http://www.gnutls.org/security.html for more up to date information. ** Fix crash in gnutls_x509_crt_sign2 if passed a NULL issuer_key. ** API and ABI modifications: No changes since last version. * Version 1.4.2 (released 2006-08-12) ** Fix a crash (strcmp() on a NULL value) in the certificate verification logic. This can happen if you call gnutls_certificate_verify_peers2 and have a certain mix of local CA certificates and the peer send special certificates, that together trigger certain behaviour. It is not known at this point whether the crash can be triggered without the special local CA certificate, and thus turn this into a remote crash of clients that verify server certificates when they talk to a server with the special server certificate. See GNUTLS-SA-2006-2 on http://www.gnu.org/software/gnutls/security.html for more up to date information. Reported by satyakumar . ** Change SRP and Cert-Type extensions to match IANA registry. ** OpenCDK updated to 0.5.9 to fix some problems with OpenPGP support. ** Make --without-included-libtasn1 work. Reported by Daniel Black . ** API and ABI modifications: No changes since last version. --- Module Name: pkgsrc Committed By: wiz Date: Sat Sep 16 06:21:22 UTC 2006 Modified Files: pkgsrc/security/gnutls: Makefile distinfo Log Message: Update to 1.4.4: * Version 1.4.4 (released 2006-09-12) ** Relax the test that caught signatures that exploit the variant of ** Bleichenbacher's Crypto 06 rump session attack on our ** verification logic flaw. In particular, we now permit the digestAlgorithm.parameters field to be present but empty, whereas in 1.4.3 we actually checked that the field was absent. ** Revert the removal of debug information for the GNUTLS-SA-2006-3 problem. The messages are only printed in debug mode, which is not recommended for normal use, and thus logging this situation cannot be abused as an oracle in typical recommended situations. ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.31 2006/09/16 06:21:22 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-1.4.4.tar.bz2) = 8f6ee112c8d93dd726e8e3d0e3fbf234f085a2cd RMD160 (gnutls-1.4.4.tar.bz2) = a31dfe33934ddf2500ae0e6c67aa265cd5b9ede4 Size (gnutls-1.4.4.tar.bz2) = 4048916 bytes @ 1.27 log @Update to version 1.3.5. Fixes build failures related to libtasn1. - Error messages are now translated using GNU Gettext. - The function gnutls_x509_crt_to_xml now return an internal error. This means that the code to convert X.509 certificates to XML format does not work any more. The reason is that the function called libtasn1 internal functions. It seems unclean for libtasn1 to export the APIs needed here. Instead it would be better to implement XML support inside libtasn1 properly. If you need this functionality strongly, please consider looking into implementing this suggested approach instead. As a workaround, you may also modify lib/x509/xml.c (change '#if 1' to '#if 0') and build using --with-included-libtasn1. - Doc fixes to explain that gnutls_record_send can block. - gnutls-cli can now recognize services and port numbers with the -p option. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.26 2006/03/04 23:45:07 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-1.3.5.tar.bz2) = 21fa619515cd9997c9d84bd3b0555e86a0a1d44f RMD160 (gnutls-1.3.5.tar.bz2) = 18c5e760336d162d23707997d773ccd2ba0e8e07 Size (gnutls-1.3.5.tar.bz2) = 3256630 bytes @ 1.26 log @Fix build with libtasn1-0.3.0, and depend on it. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.25 2006/02/10 12:39:25 drochner Exp $ d3 3 a5 4 SHA1 (gnutls-1.3.4.tar.bz2) = f412262ab6299f6e4603c3f524551ae0357ff983 RMD160 (gnutls-1.3.4.tar.bz2) = 9f51b9a2eb54122d770cf4a6a48e620f271953cb Size (gnutls-1.3.4.tar.bz2) = 3199801 bytes SHA1 (patch-aa) = bc00be2f70c6cc2fa7358ebc3f3ac15d627305ca @ 1.25 log @update libtasn1 to 0.2.18 and gnutls to 1.3.4, fixes possible DOS (crash by invalid DER input) "GNUTLS-SA-2006-1" @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.24 2006/01/20 21:14:04 adam Exp $ d6 1 @ 1.24 log @Changes 1.3.3: ** New API to access the TLS master secret. When possible, you should use the TLS PRF functions instead. ** Improved handling when multiple libraries use GnuTLS at the same time. Now gnutls_global_init() can be called multiple times, and gnutls_global_deinit() will only deallocate the structure when it has been called as many times as gnutls_global_init() was called. ** Added a self test of TLS resume functionality. ** Fix crash in TLS resume code, caused by TLS/IA changes. ** Add 'const' keywords in various places, from Frediano ZIGLIO. ** The code was indented again, including the external header files. ** API and ABI modifications: New functions to retrieve the master secret value: gnutls_session_get_master_secret Add a 'const' keyword to existing API: gnutls_x509_crq_get_challenge_password @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.23 2005/12/31 00:02:58 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-1.3.3.tar.bz2) = 65e255278632646afc48b284fbe03ddef996551b RMD160 (gnutls-1.3.3.tar.bz2) = 2e3f1bc8b9b19da1f428884ba15f84e7cb936f07 Size (gnutls-1.3.3.tar.bz2) = 3180572 bytes @ 1.23 log @Update to 1.3.2: * Version 1.3.2 (released 2005-12-15) ** GnuTLS now support TLS Inner application (TLS/IA). This is per draft-funk-tls-inner-application-extension-01. This functionality is added to libgnutls-extra, so it is licensed under the GNU General Public License. ** New APIs to access the TLS Pseudo-Random-Function (PRF). The PRF is used by some protocols building on TLS, such as EAP-PEAP and EAP-TTLS. One function to access the raw PRF and one to access the PRF seeded with the client/server random fields are provided. Suggested by Jouni Malinen . ** New APIs to acceess the client and server random fields in a session. These fields can be useful by protocols using TLS. Note that these fields are typically used as input to the TLS PRF, and if this is your intended use, you should use the TLS PRF API that use the client/server random field directly. Suggested by Jouni Malinen . ** Internal type cleanups. The uint8, uint16, uint32 types have been replaced by uint8_t, uint16_t, uint32_t. Gnulib is used to guarantee the presence of correct types on platforms that lack them. The uint type have been replaced by unsigned. ** API and ABI modifications: New functions to invoke the TLS Pseudo-Random-Function (PRF): gnutls_prf gnutls_prf_raw New functions to retrieve the session's client and server random values: gnutls_session_get_server_random gnutls_session_get_client_random New function, to perform TLS/IA handshake: gnutls_ia_handshake New function to decide whether to do a TLS/IA handshake: gnutls_ia_handshake_p New functions to allocate a TLS/IA credential: gnutls_ia_allocate_client_credentials gnutls_ia_free_client_credentials gnutls_ia_allocate_server_credentials gnutls_ia_free_server_credentials New functions to handle the AVP callback: gnutls_ia_set_client_avp_function gnutls_ia_set_client_avp_ptr gnutls_ia_get_client_avp_ptr gnutls_ia_set_server_avp_function gnutls_ia_set_server_avp_ptr gnutls_ia_get_server_avp_ptr New functions, to toggle TLS/IA application phases: gnutls_ia_require_inner_phase New function to mix session keys with inner secret: gnutls_ia_permute_inner_secret Low-level API (used internally by gnutls_ia_handshake): gnutls_ia_endphase_send gnutls_ia_send gnutls_ia_recv New functions that can be used after successful TLS/IA negotiation: gnutls_ia_generate_challenge gnutls_ia_extract_inner_secret Enum type with TLS/IA modes: gnutls_ia_mode_t Enum type with TLS/IA packet types: gnutls_ia_apptype_t Enum values for TLS/IA alerts: GNUTLS_A_INNER_APPLICATION_FAILURE GNUTLS_A_INNER_APPLICATION_VERIFICATION New error codes, to signal when an application phase has finished: GNUTLS_E_WARNING_IA_IPHF_RECEIVED GNUTLS_E_WARNING_IA_FPHF_RECEIVED New error code to signal TLS/IA verify failure: GNUTLS_E_IA_VERIFY_FAILED * Version 1.3.1 (released 2005-12-08) ** Support for DHE-PSK cipher suites has been added. This method offers perfect forward secrecy. ** Fix gnutls-cli STARTTLS hang when SIGINT is sent too quickly, thanks to Otto Maddox and Nozomu Ando . ** Corrected a bug in certtool for 64 bit machines. Reported by Max Kellermann . ** New function to set a X.509 private key and certificate pairs, and/or CRLs, from an PKCS#12 file, suggested by Emile van Bergen . The integrity of the PKCS#12 file is protected through a password based MAC; public-key based signatures for integrity protection are not supported. PKCS#12 bags may be encrypted using password derived symmetric keys, public-key based encryption is not supported. The PKCS#8 keys may be encrypted using passwords. The API use the same password for all operations. We believe that any more flexibility create too much complexity that would hurt overall security, but may add more PKCS#12 related APIs if real-world experience indicate otherwise. ** gnutls_x509_privkey_import_pkcs8 now accept unencrypted PEM PKCS#8 keys, reported by Emile van Bergen . This will enable "certtool -k -8" to parse those keys. ** Certtool now generate keys in unencrypted PKCS#8 format for empty passwords. Use "certtool -p -8" and press press enter at the prompt. Earlier, certtool would have encrypted the key using an empty password. ** Certtool now accept --password for --key-info and encrypted PKCS#8 keys. Earlier it would have prompted the user for it, even if --password was supplied. ** Added self test of PKCS#8 parsing. Unencrypted and encrypted (pbeWithSHAAnd3-KeyTripleDES-CBC and pbeWithSHAAnd40BitRC2-CBC) formats are tested. The test is in tests/pkcs8. ** API and ABI modifications: New function to set X.509 credentials from a PKCS#12 file: gnutls_certificate_set_x509_simple_pkcs12_file New gnutls_kx_algorithm_t enum type: GNUTLS_KX_DHE_PSK New API to return session data (better data types than gnutls_session_get_data): gnutls_session_get_data2 New API to set PSK Diffie-Hellman parameters: gnutls_psk_set_server_dh_params * Version 1.3.0 (2005-11-15) ** Support for TLS Pre-Shared Key (TLS-PSK) ciphersuites have been added. This add several new APIs, see below. Read the updated manual for more information. A new self test "pskself" has been added, that will test this functionality. ** The session resumption data are now system independent. ** The code has been re-indented to conform to the GNU coding style. ** Removed the RIPEMD ciphersuites. ** Added a discussion of the internals of gnutls in manual. ** Fixes for Tru64 UNIX 4.0D that lack MAP_FAILED, from Albert Chin. ** Remove trailing comma in enums, for IBM C v6, from Albert Chin. ** Make sure config.h is included first in a few files, from Albert Chin. ** Don't use C++ comments ("//") as they are invalid, from Albert Chin. ** Don't install SRP programs and man pages if --disable-srp-authentication, from Albert Chin. ** API and ABI modifications: New gnutls_kx_algorithm_t key exchange type: GNUTLS_KX_PSK New gnutls_credentials_type_t credential type: GNUTLS_CRD_PSK New credential types: gnutls_psk_server_credentials_t gnutls_psk_client_credentials_t New functions to allocate PSK credentials: gnutls_psk_allocate_client_credentials gnutls_psk_free_client_credentials gnutls_psk_free_server_credentials gnutls_psk_allocate_server_credentials New enum type for PSK key flags: gnutls_psk_key_flags New function prototypes for credential callback: gnutls_psk_client_credentials_function gnutls_psk_server_credentials_function New function to set PSK username and key: gnutls_psk_set_client_credentials New function to set PSK passwd file: gnutls_psk_set_server_credentials_file New function to extract PSK user in server: gnutls_psk_server_get_username New functions to set PSK callback: gnutls_psk_set_server_credentials_function gnutls_psk_set_client_credentials_function Use size_t instead of int for output size parameter: gnutls_srp_base64_encode gnutls_srp_base64_decode @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.22 2005/11/14 18:17:49 wiz Exp $ d3 4 a6 4 SHA1 (gnutls-1.3.2.tar.bz2) = f0bc87bb29591b710d63699896cb26f539a47e6b RMD160 (gnutls-1.3.2.tar.bz2) = 0b482d2fd835fb48b223bf5c9ef0c7fdae4f0b4f Size (gnutls-1.3.2.tar.bz2) = 3173209 bytes SHA1 (patch-ab) = df9d588891ff88c41f297fa595d618c31dc8ef97 @ 1.22 log @Update to 1.2.9: * Version 1.2.9 (2005-11-07) - Documentation was updated and improved. - RSA-MD2 is now supported for verifying digital signatures. - Due to cryptographic advances, verifying untrusted X.509 certificates signed with RSA-MD2 or RSA-MD5 will now fail with a GNUTLS_CERT_INSECURE_ALGORITHM verification output. For applications that must remain interoperable, you can use the GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 or GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 flags when verifying certificates. Naturally, this is not recommended default behaviour for applications. To enable the broken algorithms, call gnutls_certificate_set_verify_flags with the proper flag, to change the verification mode used by gnutls_certificate_verify_peers2. - Make it possible to send empty data through gnutls_record_send, to align with the send(2) API. - Some changes in the certificate receiving part of handshake to prevent some possible errors with non-blocking servers. - Added numeric version symbols to permit simple CPP-based feature tests, suggested by Daniel Stenberg . - The (experimental) low-level crypto alternative to libgcrypt used earlier (Nettle) has been replaced with crypto code from gnulib. This leads to easier re-use of these components in other projects, leading to more review and simpler maintenance. The new configure parameter --with-builtin-crypto replace the old --with-nettle, and must be used if you wish to enable this functionality. See README under "Experimental" for more information. Internally, GnuTLS has been updated to use the new "Generic Crypto" API in gl/gc.h. The API is similar to the old crypto/gc.h, because the gnulib code were based on GnuTLS's gc.h. - Fix compiler warning in the "anonself" self test. - API and ABI modifications: gnutls_x509_crt_list_verify: Added 'const' to prototype in . This doesn't reflect a change in behaviour, so we don't break backwards compatibility. GNUTLS_MAC_MD2: New gnutls_mac_algorithm_t value. GNUTLS_DIG_MD2: New gnutls_digest_algorithm_t value. GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2, GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5: New gnutls_certificate_verify_flags values. Use when calling gnutls_x509_crt_list_verify, gnutls_x509_crt_verify, or gnutls_certificate_set_verify_flags. GNUTLS_CERT_INSECURE_ALGORITHM: New gnutls_certificate_status_t value, used when broken signature algorithms is used (currently RSA-MD2/MD5). LIBGNUTLS_VERSION_MAJOR, LIBGNUTLS_VERSION_MINOR, LIBGNUTLS_VERSION_PATCH, LIBGNUTLS_VERSION_NUMBER: New CPP symbols, indicating the GnuTLS version number, can be used for feature existence tests. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.21 2005/10/20 00:43:32 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-1.2.9.tar.bz2) = 7229d094de83cabd572fcaab806ab3afc6b58959 RMD160 (gnutls-1.2.9.tar.bz2) = 4df467450ee2a3eaa509fb1f58dde41b81fcbb81 Size (gnutls-1.2.9.tar.bz2) = 2720067 bytes @ 1.22.2.1 log @Pullup ticket 1125 - requested by Matthias Drochner security updates for libtasn1 and gnutls Revisions pulled up: - pkgsrc/security/libtasn1/Makefile 1.20 - pkgsrc/security/libtasn1/distinfo 1.11 Gnutls updated via patch. Module Name: pkgsrc Committed By: drochner Date: Fri Feb 10 12:39:25 UTC 2006 Modified Files: pkgsrc/security/gnutls: Makefile distinfo pkgsrc/security/libtasn1: Makefile distinfo Log Message: update libtasn1 to 0.2.18 and gnutls to 1.2.10 fixes possible DOS (crash by invalid DER input) "GNUTLS-SA-2006-1" @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.22 2005/11/14 18:17:49 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-1.2.10.tar.bz2) = 18140bebae006e019deb77962836bcd775256aab RMD160 (gnutls-1.2.10.tar.bz2) = 33b0d4e5955b06611141ac2d1e8889b42675cc98 Size (gnutls-1.2.10.tar.bz2) = 2737849 bytes @ 1.21 log @Update to 1.2.8: * Version 1.2.8 (2005-10-07) - Libgcrypt 1.2.2 is required to fix a bug for forking GnuTLS servers. - Don't install the auxilliary libexamples library used by the examples in doc/examples/ on "make install", report and tiny patch from Thomas Klausner - If you pass a X.509 CA or PGP trust database to the command line tool, it will now abort the connection if the server certificate validation fails. Use the parameter --insecure to continue even after certificate validation failures. Inspired from discussion with Alexander Kotelnikov - The test for socklen_t has been moved to gnulib. - Link failures for duplicate or missing "program_name" symbol has been fixed, patch from Martin Lambers - The command line tool and the examples no longer uses mmap or bzero, to make them more portable, patch from Martin Lambers - Made the PKCS #12 API handle null passwords. Based on patch by Anton Altaparmakov - The GTK-DOC manual should build with current released tools. (But a copy of the output is included, so the tools are not required.) - API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.20 2005/09/30 13:11:34 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-1.2.8.tar.bz2) = b49c86de7c10946bf440ea146f89a31474297872 RMD160 (gnutls-1.2.8.tar.bz2) = efd431cffe74a4cf539d6dbb272ae158b71e0710 Size (gnutls-1.2.8.tar.bz2) = 2527436 bytes @ 1.20 log @Update to 1.2.7: * Version 1.2.7 (2005-09-09) - The GNUTLS and GNUTLS-EXTRA libraries are now built with versioned symbols. - Certtool now complains when reading out-of-range X.509 serial numbers, suggested by Fran - Certtool now uses the readline library (when available) when reading X.509 serial numbers. - Fixed build problems in getpass on uClibc and Mingw32 platforms. - Fixed compile warning regarding socklen_t on Mingw32, reported by Martin Lambers - Fixed examples in doc/examples/, suggested by Fran - Gnulib is now used for the core library, enabling future code cleanups. - The gnutls-cli tool now use gnutls_certificate_verify_peers2, suggested by Daniel Stenberg - Doc fixes for gnutls_transport_set_push and gnutls_transport_set_pull. - Minilibtasn1 is now 0.2.17 (removed optional use of C99 macros). - Disable zlib support if zlib.h is not present. - A number of internal cleanups. - API and ABI modifications: No changes since last version. pkgsrc change: do not install libexamples (looks like a bug) @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.19 2005/08/30 14:29:00 adam Exp $ d3 4 a6 6 SHA1 (gnutls-1.2.7.tar.bz2) = c1a583052a16521363d0dab5615bfc547f291fca RMD160 (gnutls-1.2.7.tar.bz2) = d41db9a202cac17d71f6eb1b9546970bd8d091cc Size (gnutls-1.2.7.tar.bz2) = 2525612 bytes SHA1 (patch-aa) = a5b5c3fd69cf37cf3da31c6303499bc361dd0826 SHA1 (patch-ab) = 91673a4ae323d002f75aed63d4a41e1c42f866ad SHA1 (patch-ac) = 772702e006ffb30913584a050581b4512fac3cb3 @ 1.19 log @Changes 1.2.6: - MiniLZO updated to version 2.01 and moved to separate directory. - Collision between system LZO header files and MiniLZO header file fixed. - Will now test for liblzo functionality in liblzo2 too. - Minilibtasn1 is now 0.2.14 (no code changes). - Some code changes to avoid GTK-DOC warnings. - API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.18 2005/07/14 19:19:43 wiz Exp $ d3 6 a8 4 SHA1 (gnutls-1.2.6.tar.bz2) = b9bba9447e3863236d153720ae875da2b29b1309 RMD160 (gnutls-1.2.6.tar.bz2) = 53b3aa0b040a6c0407880c3792733d7cc429390d Size (gnutls-1.2.6.tar.bz2) = 2469124 bytes SHA1 (patch-ab) = 2ff5b153c8bf6954777dd079d9e5b0351b39db31 @ 1.18 log @Update to 1.2.5: * Version 1.2.5 (2005-07-03) - More builddir != srcdir fixes, reported by Mike Castle - Fixed off-by-one bug in the size parameter of gnutls_x509_crt_get*_dn, reported by Adam Langley - Corrected some stuff in minilzo detection. Pointed out by Sergey Lipnevich. - MiniLZO updated to version 2.00. - gnutls_x509_crt_list_import now accept a DER formatted CRL. - API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.17 2005/05/31 17:48:30 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-1.2.5.tar.bz2) = d7db76d3e4580758f97eb1ecfdf7d5786ce52cd1 RMD160 (gnutls-1.2.5.tar.bz2) = 5b09b6ba4e169884aa47df551b845564a34a8389 Size (gnutls-1.2.5.tar.bz2) = 2466208 bytes @ 1.17 log @Update to 1.2.4: * Version 1.2.4 (2005-05-28) - Corrected some bugs that could affect 64 bit systems. - Some corrections in the header files to include the prototype of memmem properly (affected 64 bit systems). Report and patch by Yoann Vandoorselaere . - Introduced the --fix-key option to certtool, which can be used to regenerate the (optional) parameters in a private key. It should be used together with --key-info. - Corrected a bug in certificate chain verification that could lead to marking a trusted chain as non trusted, if the last certificate in the chain was a self signed one. - Gnulib portability files were updated. - License were updated to reflect new FSF address. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.16 2005/05/02 12:59:24 wiz Exp $ d3 4 a6 4 SHA1 (gnutls-1.2.4.tar.bz2) = f54c9fe5aa11b3e4cb2109d29cf38d98d11c72dc RMD160 (gnutls-1.2.4.tar.bz2) = 6c7258414d8f36dbeae5d67cf501be2d3c3c0996 Size (gnutls-1.2.4.tar.bz2) = 2446316 bytes SHA1 (patch-ab) = a3327de3052375acd569ee8541c90e2555e73f2d @ 1.16 log @Update to 1.2.3: * Version 1.2.3 - Corrected bug in record packet parsing that could lead to a denial of service attack. - Corrected bug in RSA key export. Previously exported keys can be fixed using certtool. Use certtool -k outfile - API and ABI modifications: gnutls_x509_privkey_fix(): Add. * Version 1.2.2 (2005-04-25) - gnutls_error_to_alert() now considers GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET. - Fixed error in session resuming that could cause a crash in a session. - Fixed pkcs12 friendly name and local key identifier decoding. - Internal cleanups, removed duplicate typedef/struct definitions, and made source code include external include file, to check function prototypes during compile time. - API and ABI modifications: No changes since last version. At least not intentional, but due to the include header changes, there may be inadvertant changes, please let us know if you find any. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.15 2005/04/08 15:50:41 wiz Exp $ d3 3 a5 3 SHA1 (gnutls-1.2.3.tar.bz2) = 78e1b92a9d818479faca9042d446eed61770fb17 RMD160 (gnutls-1.2.3.tar.bz2) = 8e796bcd3f303f52f6c2c9dad18814a467b550eb Size (gnutls-1.2.3.tar.bz2) = 2446437 bytes @ 1.15 log @Update to 1.2.1: * Version 1.2.1 (2005-04-04) - gnutls_bye() will no longer fail when RDWR is used and application data are available for reading. - Added more strict checks for the SRP parameters (g,n), when they are not in the included list. - Added warning to certtool when MD5 is being used for digital signatures. - Optimizations ("-O2 -finline-functions") are not enabled by default, instead the standard autoconf defaults are used. Use `./configure CFLAGS="-O2 -finline-functions"' to get the old optimizations. - Added the option --get-dh-params to certtool, in order to get the included in the library primes and generators. - Improved the semantics of GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, to allow only trusted Version 1 CAs and introduced GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT which has the old semantics. - Nettle self tests now build properly, reported by Pierre - Eliminated some memory leaks in DHE and RSA-EXPORT cipher suites. Reported by Yoann Vandoorselaere - Added the functions: gnutls_x509_crt_list_import(), gnutls_x509_crq_get_attribute_by_oid(), gnutls_x509_crq_set_attribute_by_oid() and gnutls_x509_crt_set_extension_by_oid(). - If the library has been compiled with features disabled, a warning is issued during the compilation of any program. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.14 2005/04/03 04:50:21 minskim Exp $ d3 3 a5 4 SHA1 (gnutls-1.2.1.tar.bz2) = 6445383421a06b9db3fa83bf6802677e809f2440 RMD160 (gnutls-1.2.1.tar.bz2) = fa02b6b342adf07d47e7dad1ede1d7a49560e59d Size (gnutls-1.2.1.tar.bz2) = 2436304 bytes SHA1 (patch-aa) = 3b4adf0b6acde5a56c0a7f3003a0a1e90bfbd672 @ 1.14 log @Avoid calling makeinfo because the distfile contains pre-built .info files. This makes the package build on platforms without makeinfo. Patch provided by Darrin B. Jewell in PR pkg/29869. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.13 2005/02/24 13:10:06 agc Exp $ d3 3 a5 3 SHA1 (gnutls-1.2.0.tar.bz2) = 618d502fc872530b726e791a818af5a95ee39d00 RMD160 (gnutls-1.2.0.tar.bz2) = 1f03385047112721173f116821dc92680d60b687 Size (gnutls-1.2.0.tar.bz2) = 2417909 bytes @ 1.13 log @Add RMD160 digests. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.12 2005/02/19 00:14:23 wiz Exp $ d7 1 @ 1.13.2.1 log @Pullup ticket 418 - requested by Min Sik Kim portability fix for gnutls Revisions pulled up: - pkgsrc/security/gnutls/distinfo 1.14 - pkgsrc/security/gnutls/patches/patch-ab 1.1 Module Name: pkgsrc Committed By: minskim Date: Sun Apr 3 04:50:21 UTC 2005 Modified Files: pkgsrc/security/gnutls: distinfo Added Files: pkgsrc/security/gnutls/patches: patch-ab Log Message: Avoid calling makeinfo because the distfile contains pre-built .info files. This makes the package build on platforms without makeinfo. Patch provided by Darrin B. Jewell in PR pkg/29869. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.14 2005/04/03 04:50:21 minskim Exp $ a6 1 SHA1 (patch-ab) = a3327de3052375acd569ee8541c90e2555e73f2d @ 1.13.2.2 log @Pullup ticket 479 - requested by Thomas Klausner security update for gnutls Revisions pulled up: - pkgsrc/security/gnutls/Makefile 1.26, 1.28 - pkgsrc/security/gnutls/PLIST 1.13-1.14 - pkgsrc/security/gnutls/buildlink3.mk 1.8 - pkgsrc/security/gnutls/distinfo 1.15-1.16 - pkgsrc/security/gnutls/patches/patch-aa removed Module Name: pkgsrc Committed By: wiz Date: Fri Apr 8 15:50:41 UTC 2005 Modified Files: pkgsrc/security/gnutls: Makefile PLIST distinfo Removed Files: pkgsrc/security/gnutls/patches: patch-aa Log Message: Update to 1.2.1: * Version 1.2.1 (2005-04-04) - gnutls_bye() will no longer fail when RDWR is used and application data are available for reading. - Added more strict checks for the SRP parameters (g,n), when they are not in the included list. - Added warning to certtool when MD5 is being used for digital signatures. - Optimizations ("-O2 -finline-functions") are not enabled by default, instead the standard autoconf defaults are used. Use `./configure CFLAGS="-O2 -finline-functions"' to get the old optimizations. - Added the option --get-dh-params to certtool, in order to get the included in the library primes and generators. - Improved the semantics of GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, to allow only trusted Version 1 CAs and introduced GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT which has the old semantics. - Nettle self tests now build properly, reported by Pierre - Eliminated some memory leaks in DHE and RSA-EXPORT cipher suites. Reported by Yoann Vandoorselaere - Added the functions: gnutls_x509_crt_list_import(), gnutls_x509_crq_get_attribute_by_oid(), gnutls_x509_crq_set_attribute_by_oid() and gnutls_x509_crt_set_extension_by_oid(). - If the library has been compiled with features disabled, a warning is issued during the compilation of any program. --- Module Name: pkgsrc Committed By: wiz Date: Mon May 2 12:59:24 UTC 2005 Modified Files: pkgsrc/security/gnutls: Makefile PLIST distinfo Log Message: Update to 1.2.3: * Version 1.2.3 - Corrected bug in record packet parsing that could lead to a denial of service attack. - Corrected bug in RSA key export. Previously exported keys can be fixed using certtool. Use certtool -k outfile - API and ABI modifications: gnutls_x509_privkey_fix(): Add. * Version 1.2.2 (2005-04-25) - gnutls_error_to_alert() now considers GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET. - Fixed error in session resuming that could cause a crash in a session. - Fixed pkcs12 friendly name and local key identifier decoding. - Internal cleanups, removed duplicate typedef/struct definitions, and made source code include external include file, to check function prototypes during compile time. - API and ABI modifications: No changes since last version. At least not intentional, but due to the include header changes, there may be inadvertant changes, please let us know if you find any. --- Module Name: pkgsrc Committed By: salo Date: Mon May 2 19:48:37 UTC 2005 Modified Files: pkgsrc/security/gnutls: buildlink3.mk Log Message: Bump BUILDLINK_RECOMMENDED after latest security update. (hi wiz!) @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.16 2005/05/02 12:59:24 wiz Exp $ d3 4 a6 3 SHA1 (gnutls-1.2.3.tar.bz2) = 78e1b92a9d818479faca9042d446eed61770fb17 RMD160 (gnutls-1.2.3.tar.bz2) = 8e796bcd3f303f52f6c2c9dad18814a467b550eb Size (gnutls-1.2.3.tar.bz2) = 2446437 bytes @ 1.12 log @Update to 1.2.0. From the release announcement: We are pleased to announce the availability of GnuTLS 1.2.0! This release is the result of the 23 development releases made on the development branch (1.1.x). Major changes compared to the 1.0 branch include: * Moved SRP password authentication from the GnuTLS-extra library (licensed under GPL) to the core library (licensed under LGPL). * The API has been cleaned up, and data types now use a '_t' suffix. * Fixes to handle denial of service problem when verifying long certificate chains. * The manual has been converted to Texinfo and is consequently available in many formats, see: * A reference API manual has been added, and is available in HTML and DevHelp formats, thanks to GTK-DOC, see: The 1.2.0 version is intended to be stable, and to be a drop-in replacement of the stable 1.0.x branch. We encourage developers to move to the 1.2 branch as soon as possible, since we will now spend less time improving version 1.0.x. We are not planning to open a 1.3 development branch soon, because there are no plans to start work on any major new feature today. Instead, we will continue to carefully improve the quality of this release over time. Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.11 2004/11/28 12:59:10 recht Exp $ d4 1 @ 1.11 log @update to gnutls-1.0.23 Noteworthy changes since the last release: - Replace GNU LD version script with Libtool -export-symbols-regex, from Joe Orton . - Copy libtasn1 has been updated to version 0.2.11. - Corrected the write of CRL distribution points. - It is now possible to generate PKCS#12 structures without private keys using "certtool --to-p12", suggested by Fabian Fagerholm . @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.10 2004/11/08 19:34:46 jmmv Exp $ d3 3 a5 3 SHA1 (gnutls-1.0.23.tar.gz) = 4fa06b07263ba8fb5fe31482374629d20c2e4aa6 Size (gnutls-1.0.23.tar.gz) = 1630814 bytes SHA1 (patch-aa) = 1d8a1b8345fa66adb35c7a3c6c05f7ecf61f4620 @ 1.10 log @Update to 1.0.22: Version 1.0.22 (28/10/2004) - Print DN of certificates with unknown characters in them, but in hexform only. - Corrected bug in _gnutls_x509_get_dn_oid(), and returns the actual OID. - Added second precision to the X.509 parsing functions. - Add parameter --la-file to libgnutls-config and libgnutls-extra-config, tiny patch contributed by Joe Orton . - Add pkg-config meta files, suggested by Stéphane LOEUILLET . - Fix memory initializaion bug in gnutls_certificate_set_x509_trust, tiny patch by Aleix Conchillo Flaque . - Fix certtool --password for PKCS #12, back ported from 1.1.x branch. - Fix library order in libgnutls*-config --libs output, to permit static linking, reported by Yoann Vandoorselaere . Version 1.0.21 (07/10/2004) - Fix memory leak in gnutls_certificate_verify_peers and gnutls_certificate_free_credentials, report and patch by Simon Posnjak . - Fix crash in `certtool --to-p12 --load-privkey foo', i.e. exporting a key and no certificate to PKCS#12. - Fix objdir != srcdir builds, reported by "Gerrit P. Haase" . - Avoid redefining getpass if system already has it, reported by Yoann Vandoorselaere . - Add new example "ex-rfc2818" for certificate verification, from Nikos. - Known bug: the library require snprintf. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.9 2004/08/27 13:16:16 drochner Exp $ d3 3 a5 3 SHA1 (gnutls-1.0.22.tar.gz) = d7ced2f236e79ad7657272581b0e0d26ec712072 Size (gnutls-1.0.22.tar.gz) = 1623541 bytes SHA1 (patch-aa) = c0731bf36ace47b5bb489c243cd557668d7d4955 @ 1.9 log @update to 1.0.20 changes: -bugfixes -adds some limits to the verification functions to avoid denial of service attacks -selftests added @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.8 2004/05/22 10:09:53 adam Exp $ d3 2 a4 2 SHA1 (gnutls-1.0.20.tar.gz) = ef2ea2a444b2d2004a8a8ebc7770e70802b20e9a Size (gnutls-1.0.20.tar.gz) = 1614092 bytes @ 1.8 log @Changes 1.0.13: - Some complilation fixes. - Added the --xml parameter to the certtool utility. Changes 1.0.12: - Corrected bug in OpenPGP key loading using a callback. - Renamed gnutls-srpcrypt to srptool - Allow handshake requests by the client. * Things backported from the development branch: - Added support for authority key identifier and the extended key usage X.509 extension fields. The certtoool was updated to support them. - Added batch support to certtool. Now it can use templates. - The RC2 cipher is no more included. The one in libgcrypt is now used. Changes 1.0.11: - Added gnutls_sign_algorithm_get_name() and gnutls_pk_algorithm_get_name() - Corrected bug in TLS renegotiation. Changes 1.0.10: - Corrected bug in RSA parameters handling which could cause unexpected crashes. - Corrected bug in SSL 3.0 authentication. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.7 2004/03/01 15:14:45 jmmv Exp $ d3 2 a4 2 SHA1 (gnutls-1.0.13.tar.gz) = f2a3c319a9fecc8fc27230174cb194171112fe12 Size (gnutls-1.0.13.tar.gz) = 1465802 bytes @ 1.7 log @Update to 1.0.8. Changes since 1.0.6: Version 1.0.8 (28/02/2004) - Corrected bug in mutual certificate authentication in SSL 3.0. - Several other minor bugfixes. Version 1.0.7 (25/02/2004) - Implemented TLS 1.1 (and also obsoleted the TLS 1.0 CBC protection hack). - Some updates in the documentation. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.6 2004/01/12 22:57:38 xtraeme Exp $ d3 3 a5 2 SHA1 (gnutls-1.0.8.tar.gz) = 567b1948b34ecc44d93e110036747a2718087e72 Size (gnutls-1.0.8.tar.gz) = 1407598 bytes @ 1.6 log @Update to 1.0.4 Version 1.0.4 (04/01/2004) - Changed handshake behaviour to send the lowest TLS version when an unsupported version was advertized. The current behaviour is to send the maximum version we support. - certtool no longer asks the password in unencrypted private keys. - The source is now compiled to use the reentrant libc functions. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.5 2003/12/22 23:08:04 jmmv Exp $ d3 2 a4 2 SHA1 (gnutls-1.0.4.tar.gz) = 66aa85e36cf462983c33c274707af4b63cd6f92b Size (gnutls-1.0.4.tar.gz) = 1379419 bytes @ 1.5 log @Update to 1.0.3: - Corrected bug in gnutls_bye() which made it return an error code of INVALID_REQUEST instead of success. - Corrected a bug in the GNUTLS_KEY key usage definitions. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.4 2003/12/21 10:17:30 xtraeme Exp $ d3 2 a4 2 SHA1 (gnutls-1.0.3.tar.gz) = ae5114d105b15f618a5bc68386901b57566f8f2e Size (gnutls-1.0.3.tar.gz) = 1366830 bytes @ 1.4 log @Update to 1.0.2, this also closes PR pkg/23766. Changes: o Corrected a bug in the RSA key generation. This was generating unusable RSA keys. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.3 2003/12/18 06:04:10 xtraeme Exp $ d3 2 a4 2 SHA1 (gnutls-1.0.2.tar.gz) = fbbf73346df3801db7b34599a757fda45647a080 Size (gnutls-1.0.2.tar.gz) = 1366730 bytes @ 1.3 log @Update to 1.0.1 from Min Sik Kim PR pkg/23754. Changes since 1.0.0: - Some minor fixes in the makefiles. They now include CFLAGS from libgcrypt or opencdk if installed in a non standard directory. - Fixed the SRP detection test in gnutls-cli-debug. - Added gnutls_rsa_params_export_pkcs1() and gnutls_rsa_params_import_pkcs1(). @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.2 2003/12/06 00:52:21 xtraeme Exp $ d3 2 a4 2 SHA1 (gnutls-1.0.1.tar.gz) = 19bc722c3b043699895c2b7fd64a5c52ac8faeeb Size (gnutls-1.0.1.tar.gz) = 1366637 bytes @ 1.2 log @Updated to 1.0.0, provided by Min Sik Kim PR pkg/23661. Changes: - Exported the static SRP group parameters. - Some fixes in the certificate authenticated SRP ciphersuites. - Improved the support for draft-ietf-tls-srp-05. The two-phase handshake is now fully supported without any interaction with the application layer (except for a callback). - Some fixes in the openpgp authentication. - Removed the Twofish cipher. - The openssl compatibility layer was moved to gnutls-openssl library instead of being included in the gnutls-extra library. - Added the RIPEMD ciphersuites defined in draft-ietf-tls-openpgp-keys-04. - Building with openpgp support is now mandatory. - gnutls4 compatibility header is no longer included by default in gnutls.h. - gnutls8 function usage yelds a deprecation warning in gcc3. - gnutls_x509_*_set_dn_by_oid() and gnutls_x509_*_get_*_dn_by_oid() functions have a raw_flag parameter added. - The certtool utility can now generate PKCS #12 structures without specifying a certificate. - Added capability to read CRLs to certtool. - Corrected some functions which return GNUTLS_E_SHORT_MEMORY_BUFFER to properly set the required buffer size. - Corrected a bug in libgcrypt detection. And more... @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.1.1.1 2003/05/14 03:46:44 salo Exp $ d3 2 a4 2 SHA1 (gnutls-1.0.0.tar.gz) = 8ce5b31b264878489608347ab89426b6f98edb4f Size (gnutls-1.0.0.tar.gz) = 1360099 bytes @ 1.1 log @Initial revision @ text @d1 1 a1 1 $NetBSD$ d3 2 a4 2 SHA1 (gnutls-0.8.7.tar.gz) = db3ec6a15a453778c8638de46109283fba7d53af Size (gnutls-0.8.7.tar.gz) = 998594 bytes @ 1.1.1.1 log @Import of gnutls-0.8.7: GNU Transport Layer Security library. GnuTLS is a portable ANSI C based library which implements the TLS 1.0 and SSL 3.0 protocols. The library does not include any patented algorithms and is available under the GNU Lesser GPL license. Important features of the GnuTLS library include: - Thread safety - Support for both TLS 1.0 and SSL 3.0 protocols - Support for both X.509 and OpenPGP certificates - Support for basic parsing and verification of certificates - Support for SRP for TLS authentication - Support for TLS Extension mechanism - Support for TLS Compression Methods Additionaly GnuTLS provides an emulation API for the widely used OpenSSL library, to ease integration with existing applications. Package provided by Juan RP via pkgsrc-wip with modifications by me. @ text @@