Date: Sun, 9 Feb 2020 13:56:28 +0000
From: "Thomas Klausner"
Subject: CVS commit: pkgsrc/security/gnutls
To: pkgsrc-changes@NetBSD.org
Reply-To: wiz@netbsd.org
Message-Id: <20200209135628.56202FBF4@cvs.NetBSD.org>

Module Name:    pkgsrc
Committed By:   wiz
Date:           Sun Feb 9 13:56:28 UTC 2020

Modified Files:
        pkgsrc/security/gnutls: Makefile PLIST distinfo

Log Message:
gnutls: update to 3.6.12.

* Version 3.6.12 (released 2020-02-01)

** libgnutls: Introduced TLS session flag (gnutls_session_get_flags())
   to identify sessions that client request OCSP status request (#829).

** libgnutls: Added support for X448 key exchange (RFC 7748) and Ed448
   signature algorithm (RFC 8032) under TLS (#86).

** libgnutls: Added the default-priority-string option to system
   configuration; it allows overriding the compiled-in
   default-priority-string.

** libgnutls: Added support for GOST CNT_IMIT ciphersuite (as defined by
   draft-smyshlyaev-tls12-gost-suites-07).
   By default this ciphersuite is disabled. It can be enabled by adding
   +GOST to priority string. In the future this priority string may enable
   other GOST ciphersuites as well. Note, that server will fail to
   negotiate GOST ciphersuites if TLS 1.3 is enabled both on a server and
   a client. It is recommended for now to disable TLS 1.3 in setups where
   GOST ciphersuites are enabled on GnuTLS-based servers.

** libgnutls: added priority shortcuts for different GOST categories like
   CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL,
   GROUP-GOST-ALL.

** libgnutls: Reject certificates with invalid time fields. That is, we
   reject certificates with invalid characters in Time fields, or invalid
   time formatting. To continue accepting the invalid form compile with
   --disable-strict-der-time (#207, #870).

** libgnutls: Reject certificates which contain duplicate extensions. We
   were previously printing warnings when printing such a certificate, but
   that is not always sufficient to flag such certificates as invalid.
   Instead we now refuse to import them (#887).

** libgnutls: If a CA is found in the trusted list, check in addition to
   time validity, whether the algorithms comply to the expected level
   prior to accepting it. This addresses the problem of accepting CAs
   which would have been marked as insecure otherwise (#877).

** libgnutls: The min-verification-profile from system configuration
   applies for all certificate verifications, not only under TLS.
   The configuration can be overridden using the
   GNUTLS_SYSTEM_PRIORITY_FILE environment variable.

** libgnutls: The stapled OCSP certificate verification adheres to the
   convention used throughout the library of setting the
   'GNUTLS_CERT_INVALID' flag.

** libgnutls: On client side only send OCSP staples if they have been
   requested by the server, and on server side always advertise that we
   support OCSP stapling (#876).

** libgnutls: Introduced the gnutls_ocsp_req_const_t which is compatible
   with gnutls_ocsp_req_t but const.

** certtool: Added the --verify-profile option to set a certificate
   verification profile. Use '--verify-profile low' for certificate
   verification to apply the 'NORMAL' verification profile.

** certtool: The add_extension template option is considered even when
   generating a certificate from a certificate request.

** API and ABI modifications:
GNUTLS_SFLAGS_CLI_REQUESTED_OCSP: Added
GNUTLS_SFLAGS_SERV_REQUESTED_OCSP: Added
gnutls_ocsp_req_const_t: Added


To generate a diff of this commit:
cvs rdiff -u -r1.205 -r1.206 pkgsrc/security/gnutls/Makefile
cvs rdiff -u -r1.68 -r1.69 pkgsrc/security/gnutls/PLIST
cvs rdiff -u -r1.141 -r1.142 pkgsrc/security/gnutls/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/gnutls/Makefile diff -u pkgsrc/security/gnutls/Makefile:1.205 pkgsrc/security/gnutls/Makefile:1.206 --- pkgsrc/security/gnutls/Makefile:1.205 Sat Jan 18 21:50:37 2020 +++ pkgsrc/security/gnutls/Makefile Sun Feb 9 13:56:28 2020 @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.205 2020/01/18 21:50:37 jperkin Exp $ +# $NetBSD: Makefile,v 1.206 2020/02/09 13:56:28 wiz Exp $ -DISTNAME= gnutls-3.6.11.1 -PKGREVISION= 1 +DISTNAME= gnutls-3.6.12 CATEGORIES= security devel MASTER_SITES= https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/ EXTRACT_SUFX= .tar.xz Index: pkgsrc/security/gnutls/PLIST diff -u pkgsrc/security/gnutls/PLIST:1.68 pkgsrc/security/gnutls/PLIST:1.69 --- pkgsrc/security/gnutls/PLIST:1.68 Fri Oct 4 17:25:53 2019 +++ pkgsrc/security/gnutls/PLIST Sun Feb 9 13:56:28 2020 @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.68 2019/10/04 17:25:53 nia Exp $ +@comment $NetBSD: PLIST,v 1.69 2020/02/09 13:56:28 wiz Exp $ bin/certtool bin/gnutls-cli bin/gnutls-cli-debug
@@ -162,6 +162,8 @@ man/man3/gnutls_certificate_type_get2.3 man/man3/gnutls_certificate_type_get_id.3 man/man3/gnutls_certificate_type_get_name.3 man/man3/gnutls_certificate_type_list.3 +man/man3/gnutls_certificate_verification_profile_get_id.3 +man/man3/gnutls_certificate_verification_profile_get_name.3 man/man3/gnutls_certificate_verification_status_print.3 man/man3/gnutls_certificate_verify_peers.3 man/man3/gnutls_certificate_verify_peers2.3 @@ -312,6 +314,7 @@ man/man3/gnutls_hmac.3 man/man3/gnutls_hmac_copy.3 man/man3/gnutls_hmac_deinit.3 man/man3/gnutls_hmac_fast.3 +man/man3/gnutls_hmac_get_key_size.3 man/man3/gnutls_hmac_get_len.3 man/man3/gnutls_hmac_init.3 man/man3/gnutls_hmac_output.3 Index: pkgsrc/security/gnutls/distinfo diff -u pkgsrc/security/gnutls/distinfo:1.141 pkgsrc/security/gnutls/distinfo:1.142 --- pkgsrc/security/gnutls/distinfo:1.141 Fri Dec 6 14:00:08 2019 +++ pkgsrc/security/gnutls/distinfo Sun Feb 9 13:56:28 2020 
@@ -1,9 +1,9 @@ -$NetBSD: distinfo,v 1.141 2019/12/06 14:00:08 nia Exp $ +$NetBSD: distinfo,v 1.142 2020/02/09 13:56:28 wiz Exp $ -SHA1 (gnutls-3.6.11.1.tar.xz) = 2205863fefa0e070cbf2a6961bfa90c854286287 -RMD160 (gnutls-3.6.11.1.tar.xz) = a5182c63cc9e79c929c8cc098f36d55fd70789c8 -SHA512 (gnutls-3.6.11.1.tar.xz) = 55fbbf0ebc824fbc91ccd08d1708452c5b1c12af75e332f29414540eb2f81337fa605a693ce9f34319a927e9d71177e6e7ffea5c6747792d341fb740f68c9489 -Size (gnutls-3.6.11.1.tar.xz) = 5902328 bytes +SHA1 (gnutls-3.6.12.tar.xz) = fa498b4d026e3ddfa74aa79adac27bfcd14e8b76 +RMD160 (gnutls-3.6.12.tar.xz) = f76e05c4a5f6c15277259b874bca475089c02630 +SHA512 (gnutls-3.6.12.tar.xz) = e1031fd1239d8b0f056a6b736e4c72c9268fb635f273527f310771c608b841cad7b6631401382ec3040d9b539180bf421882bf43427ad3549a5787d2864c2fa5 +Size (gnutls-3.6.12.tar.xz) = 5942064 bytes SHA1 (patch-lib_system_certs.c) = fba74b2834a36d66bddcd7d3405d0c91c1b14efc SHA1 (patch-src_libopts_autoopts_options.h) = ebeeafc834bce3b6b3f938e360b089e165ee4f9e SHA1 (patch-src_libopts_compat_compat.h) = 6e88b5e73a56c296f356aa5ce7e6048e1bcff450 --_----------=_1581256588230170--
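
Review bot: In the PLIST hunks at @@ -162,6 +162,8 @@ and @@ -312,6 +314,7 @@, the three added man pages (gnutls_certificate_verification_profile_get_id.3, gnutls_certificate_verification_profile_get_name.3 and gnutls_hmac_get_key_size.3) belong to functions that the log message's "API and ABI modifications" list does not mention; that list names only GNUTLS_SFLAGS_CLI_REQUESTED_OCSP, GNUTLS_SFLAGS_SERV_REQUESTED_OCSP and gnutls_ocsp_req_const_t. Please confirm against the files installed by 3.6.12 whether these pages are new in this release or were missing from the previous PLIST, and say which in the log so the discrepancy is explained.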
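
Review bot: In the distinfo hunk, the replaced SHA1, RMD160, SHA512 and Size lines for gnutls-3.6.12.tar.xz record whatever was fetched from MASTER_SITES, and the log message does not say that the tarball was checked against the upstream release signature before the digests were regenerated. These entries are what every later fetch is compared against, so a line in the commit message stating that the distfile was verified would make the update auditable.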