---
- branch: MAIN
  date: Wed Jan 19 21:11:11 UTC 2022
  files:
  - new: '1.227'
    old: '1.226'
    path: pkgsrc/security/gnutls/Makefile
    pathrev: pkgsrc/security/gnutls/Makefile@1.227
    type: modified
  - new: '1.74'
    old: '1.73'
    path: pkgsrc/security/gnutls/PLIST
    pathrev: pkgsrc/security/gnutls/PLIST@1.74
    type: modified
  - new: '1.151'
    old: '1.150'
    path: pkgsrc/security/gnutls/distinfo
    pathrev: pkgsrc/security/gnutls/distinfo@1.151
    type: modified
  - new: '0'
    old: '1.3'
    path: pkgsrc/security/gnutls/patches/patch-src_libopts_autoopts_options.h
    pathrev: pkgsrc/security/gnutls/patches/patch-src_libopts_autoopts_options.h@0
    type: deleted
  - new: '0'
    old: '1.3'
    path: pkgsrc/security/gnutls/patches/patch-src_libopts_compat_compat.h
    pathrev: pkgsrc/security/gnutls/patches/patch-src_libopts_compat_compat.h@0
    type: deleted
  - new: '0'
    old: '1.3'
    path: pkgsrc/security/gnutls/patches/patch-src_libopts_makeshell.c
    pathrev: pkgsrc/security/gnutls/patches/patch-src_libopts_makeshell.c@0
    type: deleted
  - new: '0'
    old: '1.3'
    path: pkgsrc/security/gnutls/patches/patch-src_libopts_proto.h
    pathrev: pkgsrc/security/gnutls/patches/patch-src_libopts_proto.h@0
    type: deleted
  - new: '0'
    old: '1.2'
    path: pkgsrc/security/gnutls/patches/patch-src_libopts_libopts.c
    pathrev: pkgsrc/security/gnutls/patches/patch-src_libopts_libopts.c@0
    type: deleted
  id: 20220119T211111Z.bf27d7446b4b5ffdb65efbdf97c049d1cf84132c
  log: |
    gnutls: updated to 3.7.3

    Version 3.7.3 (released 2022-01-17)

    ** libgnutls: The allowlisting configuration mode has been added to the
       system-wide settings. In this mode, all the algorithms are initially
       marked as insecure or disabled, while the applications can re-enable
       them either through the [overrides] section of the configuration file
       or the new API.

    ** The build infrastructure no longer depends on GNU AutoGen for
       generating command-line option handling, template file parsing in
       certtool, and documentation generation. This change also removes the
       run-time or bundled dependency on the libopts library, and requires
       Python 3.6 or later to regenerate the distribution tarball. Note that
       this brings in a known backward incompatibility in command-line tools,
       such as long options now being case sensitive, while previously they
       were treated case-insensitively: for example, --RSA is no longer a
       valid option of certtool. Existing scripts using GnuTLS tools may need
       adjustment for this change.

    ** libgnutls: The tpm2-tss-engine compatible private blobs can be loaded
       and used as a gnutls_privkey_t. The code was originally written for
       the OpenConnect VPN project by David Woodhouse. To generate such
       blobs, use the tpm2tss-genkey tool from tpm2-tss-engine:
       https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
       or the tpm2_encodeobject tool from unreleased tpm2-tools.

    ** libgnutls: The library now transparently enables Linux KTLS (kernel
       TLS) when the feature is compiled in with the --enable-ktls
       configuration option. If the KTLS initialization fails, it
       automatically falls back to the user space implementation.

    ** certtool: The certtool command can now read the Certificate
       Transparency (RFC 6962) SCT extension. New API functions are also
       provided to access and manipulate the extension values.

    ** certtool: The certtool command can now generate, manipulate, and
       evaluate x25519 and x448 public keys, private keys, and certificates.

    ** libgnutls: Disabling a hashing algorithm through the "insecure-hash"
       configuration directive now also disables TLS ciphersuites that use
       it as a PRF algorithm.

    ** libgnutls: PKCS#12 files are now created with modern algorithms by
       default. Previously certtool used PKCS12-3DES-SHA1 for key derivation
       and HMAC-SHA1 as an integrity measure in PKCS#12. Now it uses
       AES-128-CBC with PBKDF2 and SHA-256 for both key derivation and MAC
       algorithms, and the default PBKDF2 iteration count has been increased
       to 600000.

    ** libgnutls: PKCS#12 keys derived using the GOST algorithm now use
       HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for
       integrity, to conform with the latest TC-26 requirements.

    ** libgnutls: The library now provides a means to report the status of
       approved cryptographic operations. To adhere to the FIPS140-3
       IG 2.4.C., this complements the existing mechanism to prohibit the
       use of unapproved algorithms by putting the library into an unusable
       state.

    ** gnutls-cli: The gnutls-cli command now provides a --list-config
       option to print the library configuration.

    ** libgnutls: Fixed possible race condition in
       gnutls_x509_trust_list_verify_crt2 when a single trust list object is
       shared among multiple threads. [GNUTLS-SA-2022-01-17, CVSS: low]

    ** API and ABI modifications:
    GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_privkey_flags_t
    GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_certificate_verify_flags
    gnutls_ecc_curve_set_enabled: Added.
    gnutls_sign_set_secure: Added.
    gnutls_sign_set_secure_for_certs: Added.
    gnutls_digest_set_secure: Added.
    gnutls_protocol_set_enabled: Added.
    gnutls_fips140_context_init: New function
    gnutls_fips140_context_deinit: New function
    gnutls_fips140_push_context: New function
    gnutls_fips140_pop_context: New function
    gnutls_fips140_get_operation_state: New function
    gnutls_fips140_operation_state_t: New enum
    gnutls_transport_is_ktls_enabled: New function
    gnutls_get_library_configuration: New function
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/security/gnutls'
  unixtime: '1642626671'
  user: adam