From: "Adam Ciarcinski"
Subject: CVS commit: pkgsrc/security/gnutls
To: pkgsrc-changes@NetBSD.org
Reply-To: adam@netbsd.org
Date: Wed, 19 Jan 2022 21:11:11 +0000
Message-Id: <20220119211111.95BFCFB24@cvs.NetBSD.org>

Module Name:	pkgsrc
Committed By:	adam
Date:		Wed Jan 19 21:11:11 UTC 2022

Modified Files:
	pkgsrc/security/gnutls: Makefile PLIST distinfo
Removed Files:
	pkgsrc/security/gnutls/patches: patch-src_libopts_autoopts_options.h
	    patch-src_libopts_compat_compat.h patch-src_libopts_libopts.c
	    patch-src_libopts_makeshell.c patch-src_libopts_proto.h

Log Message:
gnutls: updated to 3.7.3

Version 3.7.3 (released 2022-01-17)

** libgnutls: The allowlisting configuration mode has been added to the
   system-wide settings.  In this mode, all the algorithms are initially
   marked as insecure or disabled, while the applications can re-enable
   them either through the [overrides] section of the configuration file
   or the new API.

** The build infrastructure no longer depends on GNU AutoGen for
   generating command-line option handling, template file parsing in
   certtool, and documentation generation.  This change also removes
   run-time or bundled dependency on the libopts library, and requires
   Python 3.6 or later to regenerate the distribution tarball.  Note that
   this brings in known backward incompatibility in command-line tools,
   such as long options are now case sensitive, while previously they
   were treated in a case insensitive manner: for example --RSA is no
   longer a valid option of certtool.  The existing scripts using GnuTLS
   tools may need adjustment for this change.

** libgnutls: The tpm2-tss-engine compatible private blobs can be loaded
   and used as a gnutls_privkey_t.
   The code was originally written for the OpenConnect VPN project by
   David Woodhouse.  To generate such blobs, use the tpm2tss-genkey tool
   from tpm2-tss-engine:
   https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
   or the tpm2_encodeobject tool from unreleased tpm2-tools.

** libgnutls: The library now transparently enables Linux KTLS (kernel
   TLS) when the feature is compiled in with --enable-ktls configuration
   option.  If the KTLS initialization fails it automatically falls back
   to the user space implementation.

** certtool: The certtool command can now read the Certificate
   Transparency (RFC 6962) SCT extension.  New API functions are also
   provided to access and manipulate the extension values.

** certtool: The certtool command can now generate, manipulate, and
   evaluate x25519 and x448 public keys, private keys, and certificates.

** libgnutls: Disabling a hashing algorithm through "insecure-hash"
   configuration directive now also disables TLS ciphersuites that use it
   as a PRF algorithm.

** libgnutls: PKCS#12 files are now created with modern algorithms by
   default.  Previously certtool used PKCS12-3DES-SHA1 for key derivation
   and HMAC-SHA1 as an integrity measure in PKCS#12.  Now it uses
   AES-128-CBC with PBKDF2 and SHA-256 for both key derivation and MAC
   algorithms, and the default PBKDF2 iteration count has been increased
   to 600000.

** libgnutls: PKCS#12 keys derived using GOST algorithm now use
   HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for
   integrity, to conform with the latest TC-26 requirements.

** libgnutls: The library now provides a means to report the status of
   approved cryptographic operations.  To adhere to the FIPS140-3 IG
   2.4.C., this complements the existing mechanism to prohibit the use of
   unapproved algorithms by putting the library into an unusable state.

** gnutls-cli: The gnutls-cli command now provides a --list-config option
   to print the library configuration.
** libgnutls: Fixed possible race condition in
   gnutls_x509_trust_list_verify_crt2 when a single trust list object is
   shared among multiple threads.  [GNUTLS-SA-2022-01-17, CVSS: low]

** API and ABI modifications:
GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_privkey_flags_t
GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_certificate_verify_flags
gnutls_ecc_curve_set_enabled: Added.
gnutls_sign_set_secure: Added.
gnutls_sign_set_secure_for_certs: Added.
gnutls_digest_set_secure: Added.
gnutls_protocol_set_enabled: Added.
gnutls_fips140_context_init: New function
gnutls_fips140_context_deinit: New function
gnutls_fips140_push_context: New function
gnutls_fips140_pop_context: New function
gnutls_fips140_get_operation_state: New function
gnutls_fips140_operation_state_t: New enum
gnutls_transport_is_ktls_enabled: New function
gnutls_get_library_configuration: New function


To generate a diff of this commit:
cvs rdiff -u -r1.226 -r1.227 pkgsrc/security/gnutls/Makefile
cvs rdiff -u -r1.73 -r1.74 pkgsrc/security/gnutls/PLIST
cvs rdiff -u -r1.150 -r1.151 pkgsrc/security/gnutls/distinfo
cvs rdiff -u -r1.3 -r0 \
    pkgsrc/security/gnutls/patches/patch-src_libopts_autoopts_options.h \
    pkgsrc/security/gnutls/patches/patch-src_libopts_compat_compat.h \
    pkgsrc/security/gnutls/patches/patch-src_libopts_makeshell.c \
    pkgsrc/security/gnutls/patches/patch-src_libopts_proto.h
cvs rdiff -u -r1.2 -r0 \
    pkgsrc/security/gnutls/patches/patch-src_libopts_libopts.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
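The allowlisting mode in the first release note inverts the usual posture of the system-wide gnutls configuration: nothing is usable until it is listed. The fragment below is an added illustration, not part of this commit or of the gnutls tarball, of what such a file looks like when it re-enables only a TLS 1.3 profile with SHA-256/SHA-384 and P-256. The log message names only the [overrides] section and the "insecure-hash" directive; the remaining directive names here (override-mode, secure-hash, secure-sig, secure-sig-for-cert, enabled-curve, enabled-version, tls-enabled-cipher, tls-enabled-mac, tls-enabled-kx) are the allowlist counterparts documented upstream and are assumed, so check them against the manual shipped with 3.7.3 before relying on them. The file path is likewise an assumption: upstream reads /etc/gnutls/config, and a pkgsrc build looks under its own ${PREFIX}.

```ini
# Added example (not from the commit): system-wide gnutls configuration
# in allowlisting mode.  Every algorithm starts out disabled/insecure and
# only what is listed under [overrides] is switched back on.
[global]
override-mode = allowlist

[overrides]
# Hash and signature algorithms considered secure for TLS handshakes ...
secure-hash = sha256
secure-hash = sha384
secure-sig = rsa-pss-rsae-sha256
secure-sig = ecdsa-secp256r1-sha256
# ... and, separately, for signatures on certificates in a chain.
secure-sig-for-cert = rsa-pss-rsae-sha256
secure-sig-for-cert = ecdsa-secp256r1-sha256

# Curves, protocol versions and TLS primitives that may be negotiated.
enabled-curve = secp256r1
enabled-version = tls1.3
tls-enabled-cipher = aes-128-gcm
tls-enabled-cipher = aes-256-gcm
tls-enabled-mac = aead
tls-enabled-kx = ecdhe
```

Test such a file on a copy first: a peer whose certificate chain is signed with an algorithm missing from secure-sig-for-cert will fail verification rather than silently downgrade, which is the intended fail-closed behaviour but also the usual way a too-narrow list shows up in production. The new `gnutls-cli --list-config` option from the same release prints what the library actually loaded, so it is the quickest check that a directive was spelled the way the library expects.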
--_----------=_164262667155330 Content-Disposition: inline Content-Length: 8191 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/security/gnutls/Makefile diff -u pkgsrc/security/gnutls/Makefile:1.226 pkgsrc/security/gnutls/Makefile:1.227 --- pkgsrc/security/gnutls/Makefile:1.226 Mon Jan 3 12:36:53 2022 +++ pkgsrc/security/gnutls/Makefile Wed Jan 19 21:11:11 2022 @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.226 2022/01/03 12:36:53 wiz Exp $ +# $NetBSD: Makefile,v 1.227 2022/01/19 21:11:11 adam Exp $ -DISTNAME= gnutls-3.7.2 -PKGREVISION= 2 +DISTNAME= gnutls-3.7.3 CATEGORIES= security devel MASTER_SITES= https://www.gnupg.org/ftp/gcrypt/gnutls/v${PKGVERSION_NOREV:R}/ EXTRACT_SUFX= .tar.xz @@ -53,14 +52,6 @@ PKGCONFIG_OVERRIDE+= libdane/gnutls-dane MAKE_ENV+= RM=${RM:Q} MAKE_ENV+= TZ=UTC -SUBST_CLASSES+= shell -SUBST_SED.shell+= -e 's,define POSIX_SHELL .*,define POSIX_SHELL "'${TOOLS_PATH.bash}'",' -SUBST_STAGE.shell= post-configure -SUBST_FILES.shell+= config.h -SUBST_MESSAGE.shell= Fixing path to bash. - -EGDIR= ${PREFIX}/share/examples/gnutls - INSTALLATION_DIRS= ${EGDIR} include/gnutls .include "../../mk/bsd.prefs.mk" @@ -96,9 +87,6 @@ CONFIGURE_ARGS+= --disable-hardware-acce CONFIGURE_ARGS.SunOS+= --disable-tests .endif -post-install: - cd ${WRKSRC}/doc/examples && ${INSTALL_DATA} *.c ${DESTDIR}${EGDIR} - .include "../../converters/libiconv/buildlink3.mk" .include "../../devel/gettext-lib/buildlink3.mk" BUILDLINK_API_DEPENDS.gmp+= gmp>=5.0 
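Review bot: in the Makefile hunk at @@ -53,14 +52,6 the `EGDIR= ${PREFIX}/share/examples/gnutls` definition is removed, but the unchanged context line `INSTALLATION_DIRS= ${EGDIR} include/gnutls` still references the variable; with EGDIR undefined it expands to an empty word, so the line should be trimmed to `INSTALLATION_DIRS= include/gnutls` in the same commit rather than leaving a dangling reference. Dropping the SUBST_CLASSES shell block that rewrote the POSIX_SHELL define in config.h is consistent with the log message, since 3.7.3 no longer bundles libopts, which is also what makes the five patch-src_libopts_* files removable.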
@@ -108,8 +96,6 @@ BUILDLINK_API_DEPENDS.gmp+= gmp>=5.0 # gnutls will add a Requires.private for it in its .pc file CHECK_BUILTIN.zlib:=yes .include "../../devel/zlib/buildlink3.mk" -# guile is useful for selftests, but bindings should be separate pkgs -#.include "../../lang/guile20/buildlink3.mk" BUILDLINK_API_DEPENDS.libtasn1+= libtasn1>=4.9 .include "../../security/libtasn1/buildlink3.mk" BUILDLINK_API_DEPENDS.nettle+= nettle>=3.6 Index: pkgsrc/security/gnutls/PLIST diff -u pkgsrc/security/gnutls/PLIST:1.73 pkgsrc/security/gnutls/PLIST:1.74 --- pkgsrc/security/gnutls/PLIST:1.73 Mon May 31 11:08:45 2021 +++ pkgsrc/security/gnutls/PLIST Wed Jan 19 21:11:11 2022 @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.73 2021/05/31 11:08:45 wiz Exp $ +@comment $NetBSD: PLIST,v 1.74 2022/01/19 21:11:11 adam Exp $ bin/certtool bin/gnutls-cli bin/gnutls-cli-debug @@ -238,6 +238,7 @@ man/man3/gnutls_digest_get_id.3 man/man3/gnutls_digest_get_name.3 man/man3/gnutls_digest_get_oid.3 man/man3/gnutls_digest_list.3 +man/man3/gnutls_digest_set_secure.3 man/man3/gnutls_dtls_cookie_send.3 man/man3/gnutls_dtls_cookie_verify.3 man/man3/gnutls_dtls_get_data_mtu.3 @@ -256,6 +257,7 @@ man/man3/gnutls_ecc_curve_get_oid.3 man/man3/gnutls_ecc_curve_get_pk.3 man/man3/gnutls_ecc_curve_get_size.3 man/man3/gnutls_ecc_curve_list.3 +man/man3/gnutls_ecc_curve_set_enabled.3 man/man3/gnutls_encode_ber_digest_info.3 man/man3/gnutls_encode_gost_rs_value.3 man/man3/gnutls_encode_rs_value.3 
@@ -270,8 +272,14 @@ man/man3/gnutls_ext_raw_parse.3 man/man3/gnutls_ext_register.3 man/man3/gnutls_ext_set_data.3 man/man3/gnutls_fingerprint.3 +man/man3/gnutls_fips140_context_deinit.3 +man/man3/gnutls_fips140_context_init.3 +man/man3/gnutls_fips140_get_operation_state.3 man/man3/gnutls_fips140_mode_enabled.3 +man/man3/gnutls_fips140_pop_context.3 +man/man3/gnutls_fips140_push_context.3 man/man3/gnutls_fips140_set_mode.3 +man/man3/gnutls_get_library_config.3 man/man3/gnutls_get_system_config_file.3 man/man3/gnutls_global_deinit.3 man/man3/gnutls_global_init.3 @@ -616,6 +624,7 @@ man/man3/gnutls_protocol_get_id.3 man/man3/gnutls_protocol_get_name.3 man/man3/gnutls_protocol_get_version.3 man/man3/gnutls_protocol_list.3 +man/man3/gnutls_protocol_set_enabled.3 man/man3/gnutls_psk_allocate_client_credentials.3 man/man3/gnutls_psk_allocate_server_credentials.3 man/man3/gnutls_psk_client_get_hint.3 @@ -763,6 +772,8 @@ man/man3/gnutls_sign_get_pk_algorithm.3 man/man3/gnutls_sign_is_secure.3 man/man3/gnutls_sign_is_secure2.3 man/man3/gnutls_sign_list.3 +man/man3/gnutls_sign_set_secure.3 +man/man3/gnutls_sign_set_secure_for_certs.3 man/man3/gnutls_sign_supports_pk_algorithm.3 man/man3/gnutls_srp_allocate_client_credentials.3 man/man3/gnutls_srp_allocate_server_credentials.3 @@ -819,6 +830,7 @@ man/man3/gnutls_transport_get_int.3 man/man3/gnutls_transport_get_int2.3 man/man3/gnutls_transport_get_ptr.3 man/man3/gnutls_transport_get_ptr2.3 +man/man3/gnutls_transport_is_ktls_enabled.3 man/man3/gnutls_transport_set_errno.3 man/man3/gnutls_transport_set_errno_function.3 man/man3/gnutls_transport_set_fastopen.3 @@ -1075,6 +1087,8 @@ man/man3/gnutls_x509_crt_sign.3 man/man3/gnutls_x509_crt_sign2.3 man/man3/gnutls_x509_crt_verify.3 man/man3/gnutls_x509_crt_verify_data2.3 +man/man3/gnutls_x509_ct_sct_get.3 +man/man3/gnutls_x509_ct_sct_get_version.3 man/man3/gnutls_x509_dn_deinit.3 man/man3/gnutls_x509_dn_export.3 man/man3/gnutls_x509_dn_export2.3 
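Review bot: the PLIST hunk at @@ -270,8 +272,14 adds man/man3/gnutls_get_library_config.3, while the API list in the log message names the function gnutls_get_library_configuration; both cannot be right, and the installed man page is the name a user will actually find, so a short note in the commit message (or a check of the upstream NEWS entry) would stop readers from grepping for a function that does not exist. The five gnutls_fips140_* man pages added here do line up with the five functions listed in the log message.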
@@ -1086,6 +1100,10 @@ man/man3/gnutls_x509_dn_init.3 man/man3/gnutls_x509_dn_oid_known.3 man/man3/gnutls_x509_dn_oid_name.3 man/man3/gnutls_x509_dn_set_str.3 +man/man3/gnutls_x509_ext_ct_export_scts.3 +man/man3/gnutls_x509_ext_ct_import_scts.3 +man/man3/gnutls_x509_ext_ct_scts_deinit.3 +man/man3/gnutls_x509_ext_ct_scts_init.3 man/man3/gnutls_x509_ext_deinit.3 man/man3/gnutls_x509_ext_export_aia.3 man/man3/gnutls_x509_ext_export_authority_key_id.3 
@@ -1217,33 +1235,6 @@ share/doc/gnutls/gnutls-logo.png share/doc/gnutls/gnutls-modauth.png share/doc/gnutls/gnutls-x509.png share/doc/gnutls/pkcs11-vision.png -share/examples/gnutls/ex-alert.c -share/examples/gnutls/ex-cert-select-pkcs11.c -share/examples/gnutls/ex-cert-select.c -share/examples/gnutls/ex-client-anon.c -share/examples/gnutls/ex-client-dtls.c -share/examples/gnutls/ex-client-psk.c -share/examples/gnutls/ex-client-resume.c -share/examples/gnutls/ex-client-srp.c -share/examples/gnutls/ex-client-x509-3.1.c -share/examples/gnutls/ex-client-x509.c -share/examples/gnutls/ex-crq.c -share/examples/gnutls/ex-ocsp-client.c -share/examples/gnutls/ex-pkcs11-list.c -share/examples/gnutls/ex-pkcs12.c -share/examples/gnutls/ex-serv-anon.c -share/examples/gnutls/ex-serv-dtls.c -share/examples/gnutls/ex-serv-psk.c -share/examples/gnutls/ex-serv-srp.c -share/examples/gnutls/ex-serv-x509.c -share/examples/gnutls/ex-session-info.c -share/examples/gnutls/ex-verify-ssh.c -share/examples/gnutls/ex-verify.c -share/examples/gnutls/ex-x509-info.c -share/examples/gnutls/print-ciphersuites.c -share/examples/gnutls/tcp.c -share/examples/gnutls/udp.c -share/examples/gnutls/verify.c share/locale/cs/LC_MESSAGES/gnutls.mo share/locale/de/LC_MESSAGES/gnutls.mo share/locale/eo/LC_MESSAGES/gnutls.mo Index: pkgsrc/security/gnutls/distinfo diff -u pkgsrc/security/gnutls/distinfo:1.150 pkgsrc/security/gnutls/distinfo:1.151 --- pkgsrc/security/gnutls/distinfo:1.150 Tue Oct 26 11:17:06 2021 +++ pkgsrc/security/gnutls/distinfo Wed Jan 19 21:11:11 2022 
@@ -1,12 +1,7 @@ -$NetBSD: distinfo,v 1.150 2021/10/26 11:17:06 nia Exp $ +$NetBSD: distinfo,v 1.151 2022/01/19 21:11:11 adam Exp $ -BLAKE2s (gnutls-3.7.2.tar.xz) = 16c4ae925fa13ec1ef7f0009cda4227cfe6a8945d10486da9ab6208099e949b9 -SHA512 (gnutls-3.7.2.tar.xz) = 5d01d561a05379da71e4847e30ba13c2abe09f7a5c4359fd539d8bd19abad0ce87120f82ee7b6264e787bd3edbc5ae16beffa892983cbc3d59f11a1811c10329 -Size (gnutls-3.7.2.tar.xz) = 6091508 bytes +BLAKE2s (gnutls-3.7.3.tar.xz) = b3c209d629dc0d9d8927532511d3337b336328f6fb8a7b855bc110f9796d65bb +SHA512 (gnutls-3.7.3.tar.xz) = 3ace744affe23e284342658d6d2d2de49dd50065489cbc8be18fc7d38187253e5268ca54027ce5cd517056c249ac039a7481e4548cec04325de37ae85617d077 +Size (gnutls-3.7.3.tar.xz) = 6119292 bytes SHA1 (patch-configure) = 3653f74914f874aa369f62c8b267a46fd6b78eaa SHA1 (patch-lib_system_certs.c) = fba74b2834a36d66bddcd7d3405d0c91c1b14efc -SHA1 (patch-src_libopts_autoopts_options.h) = ebeeafc834bce3b6b3f938e360b089e165ee4f9e -SHA1 (patch-src_libopts_compat_compat.h) = 6e88b5e73a56c296f356aa5ce7e6048e1bcff450 -SHA1 (patch-src_libopts_libopts.c) = 6e2453a886aa4be0a17dfbdb8a23ef9d7a0f62f8 -SHA1 (patch-src_libopts_makeshell.c) = 1b08ab63e6e382bd471699530e5d8bff075b3f24 -SHA1 (patch-src_libopts_proto.h) = 7601830e5ff45632ae337a387548f9ed5e591c4f --_----------=_164262667155330--
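Review bot: the PLIST hunk at @@ -1217,33 +1235,6 drops all 27 share/examples/gnutls/*.c entries, and the Makefile loses the matching post-install copy and EGDIR, but the log message (which only reproduces the upstream 3.7.3 NEWS) says nothing about why the example programs are no longer installed; state whether upstream stopped shipping doc/examples in the tarball or the package simply stops copying them, because from the diff alone it reads as an accidental side effect of the version bump, and removing an installed directory is a visible change for anyone who pointed at those files.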
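Review bot: in the distinfo hunk the SHA1 lines for patch-configure and patch-lib_system_certs.c are carried over unchanged, so neither patch was regenerated against 3.7.3; given that the log message describes a rework of the build infrastructure (AutoGen and libopts dropped, tarball regenerated with Python), confirm that both still apply cleanly, without fuzz, to the new configure script and lib/system/certs.c, and say so in the commit. The five SHA1 lines removed here match the five patch-src_libopts_* files deleted in the rdiff list, and the BLAKE2s/SHA512/Size triple moves to gnutls-3.7.3.tar.xz, which is the expected shape for a version bump.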