head 1.7; access; symbols pkgsrc-2017Q2:1.6.0.18 pkgsrc-2017Q2-base:1.6 pkgsrc-2017Q1:1.6.0.16 pkgsrc-2017Q1-base:1.6 pkgsrc-2016Q4:1.6.0.14 pkgsrc-2016Q4-base:1.6 pkgsrc-2016Q3:1.6.0.12 pkgsrc-2016Q3-base:1.6 pkgsrc-2016Q2:1.6.0.10 pkgsrc-2016Q2-base:1.6 pkgsrc-2016Q1:1.6.0.8 pkgsrc-2016Q1-base:1.6 pkgsrc-2015Q4:1.6.0.6 pkgsrc-2015Q4-base:1.6 pkgsrc-2015Q3:1.6.0.4 pkgsrc-2015Q3-base:1.6 pkgsrc-2015Q2:1.6.0.2 pkgsrc-2015Q2-base:1.6 pkgsrc-2015Q1:1.5.0.10 pkgsrc-2015Q1-base:1.5 pkgsrc-2014Q4:1.5.0.8 pkgsrc-2014Q4-base:1.5 pkgsrc-2014Q3:1.5.0.6 pkgsrc-2014Q3-base:1.5 pkgsrc-2014Q2:1.5.0.4 pkgsrc-2014Q2-base:1.5 pkgsrc-2014Q1:1.5.0.2 pkgsrc-2014Q1-base:1.5 pkgsrc-2013Q4:1.4.0.12 pkgsrc-2013Q4-base:1.4 pkgsrc-2013Q3:1.4.0.10 pkgsrc-2013Q3-base:1.4 pkgsrc-2013Q2:1.4.0.8 pkgsrc-2013Q2-base:1.4 pkgsrc-2013Q1:1.4.0.6 pkgsrc-2013Q1-base:1.4 pkgsrc-2012Q4:1.4.0.4 pkgsrc-2012Q4-base:1.4 pkgsrc-2012Q3:1.4.0.2 pkgsrc-2012Q3-base:1.4 pkgsrc-2012Q2:1.3.0.10 pkgsrc-2012Q2-base:1.3 pkgsrc-2012Q1:1.3.0.8 pkgsrc-2012Q1-base:1.3 pkgsrc-2011Q4:1.3.0.6 pkgsrc-2011Q4-base:1.3 pkgsrc-2011Q3:1.3.0.4 pkgsrc-2011Q3-base:1.3 pkgsrc-2011Q2:1.3.0.2 pkgsrc-2011Q2-base:1.3 pkgsrc-2011Q1:1.2.0.32 pkgsrc-2011Q1-base:1.2 pkgsrc-2010Q4:1.2.0.30 pkgsrc-2010Q4-base:1.2 pkgsrc-2010Q3:1.2.0.28 pkgsrc-2010Q3-base:1.2 pkgsrc-2010Q2:1.2.0.26 pkgsrc-2010Q2-base:1.2 pkgsrc-2010Q1:1.2.0.24 pkgsrc-2010Q1-base:1.2 pkgsrc-2009Q4:1.2.0.22 pkgsrc-2009Q4-base:1.2 pkgsrc-2009Q3:1.2.0.20 pkgsrc-2009Q3-base:1.2 pkgsrc-2009Q2:1.2.0.18 pkgsrc-2009Q2-base:1.2 pkgsrc-2009Q1:1.2.0.16 pkgsrc-2009Q1-base:1.2 pkgsrc-2008Q4:1.2.0.14 pkgsrc-2008Q4-base:1.2 pkgsrc-2008Q3:1.2.0.12 pkgsrc-2008Q3-base:1.2 cube-native-xorg:1.2.0.10 cube-native-xorg-base:1.2 pkgsrc-2008Q2:1.2.0.8 pkgsrc-2008Q2-base:1.2 cwrapper:1.2.0.6 pkgsrc-2008Q1:1.2.0.4 pkgsrc-2008Q1-base:1.2 pkgsrc-2007Q4:1.2.0.2 pkgsrc-2007Q4-base:1.2 pkgsrc-2007Q3:1.1.0.2 pkgsrc-2007Q3-base:1.1; locks; strict; comment @# @; 1.7 date 2017.09.06.13.41.26; author wiz; state dead; branches; next 1.6; commitid PEeJenCtPACqL86A; 1.6 date 2015.06.01.21.50.22; author spz; state Exp; branches; next 1.5; commitid Ra90IWxW89m24Mny; 1.5 date 2014.02.10.12.01.20; author tron; state Exp; branches; next 1.4; commitid gJkzaIUqxMRo7yox; 1.4 date 2012.07.02.18.53.03; author drochner; state Exp; branches; next 1.3; 1.3 date 2011.04.26.10.35.30; author adam; state Exp; branches; next 1.2; 1.2 date 2007.10.23.11.43.57; author wiz; state Exp; branches; next 1.1; 1.1 date 2007.09.05.21.51.22; author drochner; state Exp; branches; next ; desc @@ 1.7 log @Updated gnutls to 3.6.0. * Version 3.6.0 (released 2017-08-21) ** libgnutls: tlsfuzzer is part of the CI testsuite. This is a TLS testing and fuzzying toolkit, allowing for corner case testing, and ensuring that the behavior of the library will not change across releases. https://github.com/tomato42/tlsfuzzer ** libgnutls: Introduced a lock-free random generator which operates per-thread and eliminates random-generator related bottlenecks in multi-threaded operation. Resolves gitlab issue #141. http://nmav.gnutls.org/2017/03/improving-by-simplifying-gnutls-prng.html ** libgnutls: Replaced the Salsa20 random generator with one based on CHACHA. The goal is to reduce code needed in cache (CHACHA is also used for TLS), and the number of primitives used by the library. That does not affect the AES-DRBG random generator used in FIPS140-2 mode. ** libgnutls: Added support for RSA-PSS key type as well as signatures in certificates, and TLS key exchange. Contributed by Daiki Ueno. RSA-PSS signatures can be generated by RSA-PSS keys and normal RSA keys, but not vice-versa. The feature includes: * RSA-PSS key generation and key handling (in PKCS#8 form) * RSA-PSS key generation and key handling from PKCS#11 (with CKM_RSA_PKCS_PSS mech) * Handling of RSA-PSS subjectPublicKeyInfo parameters, when present in either the private key or certificate. * RSA-PSS signing and verification of PKIX certificates * RSA-PSS signing and verification of TLS 1.2 handshake * RSA-PSS signing and verification of PKCS#7 structures * RSA-PSS and RSA key combinations for TLS credentials. That is, when multiple keys are supplied, RSA-PSS keys are preferred over RSA for RSA-PSS TLS signatures, to contain risks of cross-protocol attacks between the algorithms. * RSA-PSS key conversion to RSA PKCS#1 form (certtool --to-rsa) Note that RSA-PSS signatures with SHA1 are (intentionally) not supported. ** libgnutls: Added support for Ed25519 signing in certificates and TLS key exchange following draft-ietf-tls-rfc4492bis-17. The feature includes: * Ed25519 key generation and key handling (in PKCS#8 form) * Ed25519 signing and verification of PKIX certificates * Ed25519 signing and verification of TLS 1.2 handshake * Ed25519 signing and verification of PKCS#7 structures ** libgnutls: Enabled X25519 key exchange by default, following draft-ietf-tls-rfc4492bis-17. ** libgnutls: Added support for Diffie-Hellman group negotiation following RFC7919. That makes the DH parameters negotiation more robust and less prone to errors due to insecure parameters. Servers are no longer required to specific explicit DH parameters, though if they do these parameters will be used. Group selection can be done via priority strings. The introduced strings are GROUP-ALL, GROUP-FFDHE2048, GROUP-FFDHE3072, GROUP-FFDHE4096 and GROUP-FFDHE8192, as well as the corresponding to curves groups. Note that the 6144 group from RFC7919 is not supported. ** libgnutls: Introduced various sanity checks on certificate import. Refuse to import certificates which have fractional seconds in Time fields, X.509v1 certificates which have the unique identifiers set, and certificates with illegal version numbers. All of these are prohibited by RFC5280. ** libgnutls: Introduced gnutls_x509_crt_set_flags(). This function can set flags in the crt structure. The only flag supported at the moment is GNUTLS_X509_CRT_FLAG_IGNORE_SANITY which skips the certificate sanity checks on import. ** libgnutls: PKIX certificates with unknown critical extensions are rejected on verification with status GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS. This behavior can be overriden by providing the flag GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS to verification functions. Resolves gitlab issue #177. ** libgnutls: Refuse to generate a certificate with an illegal version, or an illegal serial number. That is, gnutls_x509_crt_set_version() and gnutls_x509_crt_set_serial(), will fail on input considered to be invalid in RFC5280. ** libgnutls: Calls to gnutls_record_send() and gnutls_record_recv() prior to handshake being complete are now refused. Addresses gitlab issue #158. ** libgnutls: Added support for PKCS#12 files with no salt (zero length) in their password encoding, and PKCS#12 files using SHA384 and SHA512 as MAC. ** libgnutls: Exported functions to encode and decode DSA and ECDSA r,s values. ** libgnutls: Added new callback setting function to gnutls_privkey_t for external keys. The new function (gnutls_privkey_import_ext4), allows signing in addition to previous algorithms (RSA PKCS#1 1.5, DSA, ECDSA), with RSA-PSS and Ed25519 keys. ** libgnutls: Introduced the %VERIFY_ALLOW_BROKEN and %VERIFY_ALLOW_SIGN_WITH_SHA1 priority string options. These allows enabling all broken and SHA1-based signature algorithms in certificate verification, respectively. ** libgnutls: 3DES-CBC is no longer included in the default priorities list. It has to be explicitly enabled, e.g., with a string like "NORMAL:+3DES-CBC". ** libgnutls: SHA1 was marked as insecure for signing certificates. Verification of certificates signed with SHA1 is now considered insecure and will fail, unless flags intended to enable broken algorithms are set. Other uses of SHA1 are still allowed. This can be reverted on compile time with the configure flag --enable-sha1-support. ** libgnutls: RIPEMD160 was marked as insecure for certificate signatures. Verification of certificates signed with RIPEMD160 hash algorithm is now considered insecure and will fail, unless flags intended to enable broken algorithms are set. ** libgnutls: No longer enable SECP192R1 and SECP224R1 by default on TLS handshakes. These curves were rarely used for that purpose, provide no advantage over x25519 and were deprecated by TLS 1.3. ** libgnutls: Removed support for DEFLATE, or any other compression method. ** libgnutls: OpenPGP authentication was removed; the resulting library is ABI compatible, with the openpgp related functions being stubs that fail on invocation. ** libgnutls: Removed support for libidn (i.e., IDNA2003); gnutls can now be compiled only with libidn2 which provides IDNA2008. ** certtool: The option '--load-ca-certificate' can now accept PKCS#11 URLs in addition to files. ** certtool: The option '--load-crl' can now be used when generating PKCS#12 files (i.e., in conjunction with '--to-p12' option). ** certtool: Keys with provable RSA and DSA parameters are now only read and exported from PKCS#8 form, following draft-mavrogiannopoulos-pkcs8-validated-parameters-00.txt. This removes support for the previous a non-standard key format. ** certtool: Added support for generating, printing and handling RSA-PSS and Ed25519 keys and certificates. ** certtool: the parameters --rsa, --dsa and --ecdsa to --generate-privkey are now deprecated, replaced by the --key-type option. ** p11tool: The --generate-rsa, --generate-ecc and --generate-dsa options were replaced by the --generate-privkey option. ** psktool: Generate 256-bit keys by default. ** gnutls-server: Increase request buffer size to 16kb, and added the --alpn and --alpn-fatal options, allowing testing of ALPN negotiation. ** API and ABI modifications: gnutls_encode_rs_value: Added gnutls_decode_rs_value: Added gnutls_base64_encode2: Added gnutls_base64_decode2: Added gnutls_x509_crt_set_flags: Added gnutls_x509_crt_check_ip: Added gnutls_x509_ext_import_inhibit_anypolicy: Added gnutls_x509_ext_export_inhibit_anypolicy: Added gnutls_x509_crt_get_inhibit_anypolicy: Added gnutls_x509_crt_set_inhibit_anypolicy: Added gnutls_pubkey_export_rsa_raw2: Added gnutls_pubkey_export_dsa_raw2: Added gnutls_pubkey_export_ecc_raw2: Added gnutls_privkey_export_rsa_raw2: Added gnutls_privkey_export_dsa_raw2: Added gnutls_privkey_export_ecc_raw2: Added gnutls_x509_spki_init: Added gnutls_x509_spki_deinit: Added gnutls_x509_spki_get_pk_algorithm: Added gnutls_x509_spki_set_pk_algorithm: Added gnutls_x509_spki_get_digest_algorithm: Added gnutls_x509_spki_set_digest_algorithm: Added gnutls_x509_spki_get_salt_size: Added gnutls_x509_spki_set_salt_size: Added gnutls_x509_crt_set_spki: Added gnutls_x509_crt_get_spki: Added gnutls_x509_privkey_get_spki: Added gnutls_x509_privkey_set_spki: Added gnutls_x509_crq_get_spki: Added gnutls_x509_crq_set_spki: Added gnutls_pubkey_set_spki: Added gnutls_pubkey_get_spki: Added gnutls_privkey_set_spki: Added gnutls_privkey_get_spki: Added gnutls_privkey_import_ext4: Added GNUTLS_EXPORT_FLAG_NO_LZ: Added GNUTLS_DT_IP_ADDRESS: Added GNUTLS_X509_CRT_FLAG_IGNORE_SANITY: Added GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS: Added GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1: Added GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES: Added GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS: Added GNUTLS_SFLAGS_RFC7919: Added @ text @$NetBSD: patch-ae,v 1.6 2015/06/01 21:50:22 spz Exp $ Fix build. --- guile/src/core.c.orig 2015-03-23 07:19:23.000000000 +0000 +++ guile/src/core.c @@@@ -28,7 +28,7 @@@@ #include #include -#include +#include #include "enums.h" #include "smobs.h" @ 1.6 log @update to gnutls 3.3.15 patch refresh grace of mkpatches upstream notable changes list since the 3.2 to 3.3 branch point (excerpt of the NEWS file): * Version 3.3.15 (released 2015-05-03) ** libgnutls: gnutls_certificate_get_ours: will return the certificate even if a callback was used to send it. ** libgnutls: Fix for MD5 downgrade in TLS 1.2 signatures. Reported by Karthikeyan Bhargavan [GNUTLS-SA-2015-2]. ** libgnutls: Check for invalid length in the X.509 version field. Without the check certificates with invalid length would be detected as having an arbitrary version. Reported by Hanno Böck. ** API and ABI modifications: No changes since last version. * Version 3.3.14 (released 2015-03-30) ** libgnutls: When retrieving OCTET STRINGS from PKCS #12 ContentInfo structures use BER to decode them (requires libtasn1 4.3). That allows to decode some more complex structures. ** libgnutls: When an end-certificate with no name is present and there are CA name constraints, don't reject the certificate. This follows RFC5280 advice closely. Reported by Fotis Loukos. ** libgnutls: Fixed handling of supplemental data with types > 255. Patch by Thierry Quemerais. ** libgnutls: Fixed double free in the parsing of CRL distribution points certificate extension. Reported by Robert Święcki. ** libgnutls: Fixed a two-byte stack overflow in DTLS 0.9 protocol. That protocol is not enabled by default (used by openconnect VPN). ** libgnutls: The maximum user data send size is set to be the same for block and non-block ciphersuites. This addresses a regression with wine: https://bugs.winehq.org/show_bug.cgi?id=37500 ** libgnutls: When generating PKCS #11 keys, set CKA_ID, CKA_SIGN, and CKA_DECRYPT when needed. ** libgnutls: Allow names with zero size to be set using gnutls_server_name_set(). That will disable the Server Name Indication. Resolves issue with wine: https://gitlab.com/gnutls/gnutls/issues/2 ** API and ABI modifications: No changes since last version. * Version 3.3.13 (released 2015-02-25) ** libgnutls: Enable AESNI in GCM on x86 ** libgnutls: Fixes in DTLS message handling ** libgnutls: Check certificate algorithm consistency, i.e., check whether the signatureAlgorithm field matches the signature field inside TBSCertificate. ** gnutls-cli: Fixes in OCSP verification. ** API and ABI modifications: No changes since last version. * Version 3.3.12 (released 2015-01-17) ** libgnutls: When negotiating TLS use the lowest enabled version in the client hello, rather than the lowest supported. In addition, do not use SSL 3.0 as a version in the TLS record layer, unless SSL 3.0 is the only protocol supported. That addresses issues with servers that immediately drop the connection when the encounter SSL 3.0 as the record version number. See: http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003673.html ** libgnutls: Corrected encoding and decoding of ANSI X9.62 parameters. ** libgnutls: Handle zero length plaintext for VIA PadLock functions. This solves a potential crash on AES encryption for small size plaintext. Patch by Matthias-Christian Ott. ** libgnutls: In DTLS don't combine multiple packets which exceed MTU. Reported by Andreas Schultz. https://savannah.gnu.org/support/?108715 ** libgnutls: In DTLS decode all handshake packets present in a record packet, in a single pass. Reported by Andreas Schultz. https://savannah.gnu.org/support/?108712 ** libgnutls: When importing a CA file with a PKCS #11 URL, simply import the certificates, if the URL specifies objects, rather than treating it as trust module. ** libgnutls: When importing a PKCS #11 URL and we know the type of object we are importing, don't require the object type in the URL. ** libgnutls: fixed openpgp authentication when gnutls_certificate_set_retrieve_function2 was used by the server. ** guile: Fix compilation on MinGW. Previously only the static version of the 'guile-gnutls-v-2' library would be built, preventing dynamic loading from Guile. ** guile: Fix harmless warning during compilation of gnutls.scm Initially reported at . ** certtool: --pubkey-info will also attempt to load a public key from stdin. ** gnutls-cli: Added --starttls-proto option. That allows to specify a protocol for starttls negotiation. ** API and ABI modifications: No changes since last version. * Version 3.3.11 (released 2014-12-11) ** libgnutls: Corrected regression introduced in 3.3.9 related to session renegotiation. Reported by Dan Winship. ** libgnutls: Corrected parsing issue with OCSP responses. ** API and ABI modifications: No changes since last version. * Version 3.3.10 (released 2014-11-10) ** libgnutls: Refuse to import v1 or v2 certificates that contain extensions. ** libgnutls: Fixes in usage of PKCS #11 token callback ** libgnutls: Fixed bug in gnutls_x509_trust_list_get_issuer() when used with a PKCS #11 trust module and without the GNUTLS_TL_GET_COPY flag. Reported by David Woodhouse. ** libgnutls: Removed superfluous random generator refresh on every call of gnutls_deinit(). That reduces load and usage of /dev/urandom. ** libgnutls: Corrected issue in export of ECC parameters to X9.63 format. Reported by Sean Burford [GNUTLS-SA-2014-5]. ** libgnutls: When gnutls_global_init() is called for a second time, it will check whether the /dev/urandom fd kept is still open and matches the original one. That behavior works around issues with servers that close all file descriptors. ** libgnutls: Corrected behavior with PKCS #11 objects that are marked as CKA_ALWAYS_AUTHENTICATE. ** certtool: The default cipher for PKCS #12 structures is 3des-pkcs12. That option is more compatible than AES or RC4. ** API and ABI modifications: No changes since last version. * Version 3.3.9 (released 2014-10-13) ** libgnutls: Fixes in the transparent import of PKCS #11 certificates. Reported by Joseph Peruski. ** libgnutls: Fixed issue with unexpected non-fatal errors resetting the handshake's hash buffer, in applications using the heartbeat extension or DTLS. Reported by Joeri de Ruiter. ** libgnutls: When both a trust module and additional CAs are present account the latter as well; reported by David Woodhouse. ** libgnutls: added GNUTLS_TL_GET_COPY flag for gnutls_x509_trust_list_get_issuer(). That allows the function to be used in a thread safe way when PKCS #11 trust modules are in use. ** libgnutls: fix issue in DTLS retransmission when session tickets were in use; reported by Manuel Pégourié-Gonnard. ** libgnutls-dane: Do not require the CA on a ca match to be direct CA. ** libgnutls: Prevent abort() in library if getrusage() fails. Try to detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work. ** guile: new 'set-session-server-name!' procedure; see the manual for details. ** certtool: The authority key identifier will be set in a certificate only if the CA's subject key identifier is set. ** API and ABI modifications: No changes since last version. * Version 3.3.8 (released 2014-09-18) ** libgnutls: Updates in the name constraints checks. No name constraints will be checked for intermediate certificates. As our support for name constraints is limited to e-mail addresses in DNS names, it is pointless to check them on intermediate certificates. ** libgnutls: Fixed issues in PKCS #11 object listing. Previously multiple object listing would fail completely if a single object could not be exported. ** libgnutls: Improved the performance of PKCS #11 object listing/retrieving, by retrieving them in large batches. Report and suggestion by David Woodhouse. ** libgnutls: Fixed issue with certificates being sanitized by gnutls prior to signature verification. That resulted to certain non-DER compliant modifications of valid certificates, being corrected by libtasn1's parser and restructured as the original. Issue found and reported by Antti Karjalainen and Matti Kamunen from Codenomicon. ** libgnutls: Fixes in gnutls_x509_crt_set_dn() and friends to properly handle strings with embedded spaces and escaped commas. ** libgnutls: when comparing a CA certificate with the trusted list compare the name and key only instead of the whole certificate. That is to handle cases where a CA certificate was superceded by a different one with the same name and the same key. ** libgnutls: when verifying a certificate against a p11-kit trusted module, use the attached extensions in the module to override the CA's extensions (that requires p11-kit 0.20.7). ** libgnutls: In DTLS prevent sending zero-size fragments in certain cases of MTU split. Reported by Manuel Pégourié-Gonnard. ** libgnutls: Added gnutls_x509_trust_list_verify_crt2() which allows verifying using a hostname and a purpose (extended key usage). That enhances PKCS #11 trust module verification, as it can now check the purpose when this function is used. ** libgnutls: Corrected gnutls_x509_crl_verify() which would always report a CRL signature as invalid. Reported by Armin Burgmeier. ** libgnutls: added option --disable-padlock to allow disabling the padlock CPU acceleration. ** p11tool: when listing tokens, list their type as well. ** p11tool: when listing objects from a trust module print any attached extensions on certificates. ** API and ABI modifications: gnutls_x509_crq_get_extension_by_oid2: Added gnutls_x509_crt_get_extension_by_oid2: Added gnutls_x509_trust_list_verify_crt2: Added gnutls_x509_ext_print: Added gnutls_x509_ext_deinit: Added gnutls_x509_othername_to_virtual: Added gnutls_pkcs11_obj_get_exts: Added * Version 3.3.7 (released 2014-08-24) ** libgnutls: Added function to export the public key of a PKCS #11 private key. Contributed by Wolfgang Meyer zu Bergsten. ** libgnutls: Explicitly set the exponent in PKCS #11 key generation. That improves compatibility with certain PKCS #11 modules. Contributed by Wolfgang Meyer zu Bergsten. ** libgnutls: When generating a PKCS #11 private key allow setting the WRAP/UNWRAP flags. Contributed by Wolfgang Meyer zu Bergsten. ** libgnutls: gnutls_pkcs11_privkey_t will always hold an open session to the key. ** libgnutls: bundle replacements of inet_pton and inet_aton if not available. ** libgnutls: initialize parameters variable on PKCS #8 decryption. ** libgnutls: gnutls_pkcs12_verify_mac() will not fail in other than SHA1 algorithms. ** libgnutls: gnutls_x509_crt_check_hostname() will follow the RFC6125 requirement of checking the Common Name (CN) part of DN only if there is a single CN present in the certificate. ** libgnutls: The environment variable GNUTLS_FORCE_FIPS_MODE can be used to force the FIPS mode, when set to 1. ** libgnutls: In DTLS ignore only errors that relate to unexpected packets and decryption failures. ** p11tool: Added --info parameter. ** certtool: Added --mark-wrap parameter. ** danetool: --check will attempt to retrieve the server's certificate chain and verify against it. ** danetool/gnutls-cli-debug: Added --app-proto parameters which can be used to enforce starttls (currently only SMTP and IMAP) on the connection. ** danetool: Added openssl linking exception, to allow linking with libunbound. ** API and ABI modifications: GNUTLS_PKCS11_OBJ_ATTR_MATCH: Added gnutls_pkcs11_privkey_export_pubkey: Added gnutls_pkcs11_obj_flags_get_str: Added gnutls_pkcs11_obj_get_flags: Added * Version 3.3.6 (released 2014-07-23) ** libgnutls: Use inet_ntop to print IP addresses when available ** libgnutls: gnutls_x509_crt_check_hostname and friends will also check IP addresses, and match documented behavior. Reported by David Woodhouse. ** libgnutls: DSA key generation in FIPS140-2 mode doesn't allow 1024 bit parameters. ** libgnutls: fixed issue in gnutls_pkcs11_reinit() which prevented tokens being usable after a reinitialization. ** libgnutls: fixed PKCS #11 private key operations after a fork. ** libgnutls: fixed PKCS #11 ECDSA key generation. ** libgnutls: The GNUTLS_CPUID_OVERRIDE environment variable can be used to explicitly enable/disable the use of certain CPU capabilities. Note that CPU detection cannot be overriden, i.e., VIA options cannot be enabled on an Intel CPU. The currently available options are: 0x1: Disable all run-time detected optimizations 0x2: Enable AES-NI 0x4: Enable SSSE3 0x8: Enable PCLMUL 0x100000: Enable VIA padlock 0x200000: Enable VIA PHE 0x400000: Enable VIA PHE SHA512 ** libdane: added dane_query_to_raw_tlsa(); patch by Simon Arlott. ** p11tool: use GNUTLS_SO_PIN to read the security officer's PIN if set. ** p11tool: ask for label when one isn't provided. ** p11tool: added --batch parameter to disable any interactivity. ** p11tool: will not implicitly enable so-login for certain types of objects. That avoids issues with tokens that require different login types. ** certtool/p11tool: Added the --curve parameter which allows to explicitly specify the curve to use. ** API and ABI modifications: gnutls_certificate_set_x509_trust_dir: Added gnutls_x509_trust_list_add_trust_dir: Added * Version 3.3.5 (released 2014-06-26) ** libgnutls: Added gnutls_record_recv_packet() and gnutls_packet_deinit(). These functions provide a variant of gnutls_record_recv() that avoids the final memcpy of data. ** libgnutls: gnutls_x509_crl_iter_crt_serial() was added as a faster variant of gnutls_x509_crl_get_crt_serial() when coping with very large structures. ** libgnutls: When the decoding of a printable DN element fails, then treat it as unknown and print its hex value rather than failing. That works around an issue in a TURKTRST root certificate which improperly encodes the X520countryName element. ** libgnutls: gnutls_x509_trust_list_add_trust_file() will return the number of certificates present in a PKCS #11 token when loading it. ** libgnutls: Allow the post client hello callback to put the handshake on hold, by returning GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED. ** certtool: option --to-p12 will now consider --load-ca-certificate ** certtol: Added option to specify the PKCS #12 friendly name on command line. ** p11tool: Allow marking a certificate copied to a token as a CA. ** API and ABI modifications: GNUTLS_PKCS11_OBJ_FLAG_MARK_CA: Added gnutls_x509_crl_iter_deinit: Added gnutls_x509_crl_iter_crt_serial: Added gnutls_record_recv_packet: Added gnutls_packet_deinit: Added gnutls_packet_get: Added * Version 3.3.4 (released 2014-05-31) ** libgnutls: Updated Andy Polyakov's assembly code. That prevents a crash on certain CPUs. ** API and ABI modifications: No changes since last version. * Version 3.3.3 (released 2014-05-30) ** libgnutls: Eliminated memory corruption issue in Server Hello parsing. Issue reported by Joonas Kuorilehto of Codenomicon. ** libgnutls: gnutls_global_set_mutex() was modified to operate with the new initialization process. ** libgnutls: Increased the maximum certificate size buffer in the PKCS #11 subsystem. ** libgnutls: Check the return code of getpwuid_r() instead of relying on the result value. That avoids issue in certain systems, when using tofu authentication and the home path cannot be determined. Issue reported by Viktor Dukhovni. ** libgnutls-dane: Improved dane_verify_session_crt(), which now attempts to create a full chain. This addresses points from https://savannah.gnu.org/support/index.php?108552 ** gnutls-cli: --dane will only check the end certificate if PKIX validation has been disabled. ** gnutls-cli: --benchmark-soft-ciphers has been removed. That option cannot be emulated with the implicit initialization of gnutls. ** certtool: Allow multiple organizations and organizational unit names to be specified in a template. ** certtool: Warn when invalid configuration options are set to a template. ** ocsptool: Include path in ocsp request. This resolves #108582 (https://savannah.gnu.org/support/?108582), reported by Matt McCutchen. ** API and ABI modifications: gnutls_credentials_get: Added * Version 3.3.2 (released 2014-05-06) ** libgnutls: Added the 'very weak' certificate verification profile that corresponds to 64-bit security level. ** libgnutls: Corrected file descriptor leak on random generator initialization. ** libgnutls: Corrected file descriptor leak on PSK password file reading. Issue identified using the Codenomicon TLS test suite. ** libgnutls: Avoid deinitialization if initialization has failed. ** libgnutls: null-terminate othername alternative names. ** libgnutls: gnutls_x509_trust_list_get_issuer() will operate correctly on a PKCS #11 trust list. ** libgnutls: Several small bug fixes identified using valgrind and the Codenomicon TLS test suite. ** libgnutls-dane: Accept a certificate using DANE if there is at least one entry that matches the certificate. Patch by simon [at] arlott.org. ** libgnutls-guile: Fixed compilation issue. ** certtool: Allow exporting a CRL on DER format. ** certtool: The ECDSA keys generated by default use the SECP256R1 curve which is supported more widely than the previously used SECP224R1. ** API and ABI modifications: GNUTLS_PROFILE_VERY_WEAK: Added * Version 3.3.1 (released 2014-04-19) ** libgnutls: Enforce more strict checks to heartbeat messages concerning padding and payload. Suggested by Peter Dettman. ** libgnutls: Allow decoding PKCS #8 files with ECC parameters from openssl. ** libgnutls: Several small bug fixes found by coverity. ** libgnutls: The conditionally available self-test functions were moved to self-test.h. ** libgnutls: Fixed issue with the check of incoming data when two different recv and send pointers have been specified. Reported and investigated by JMRecio. ** libgnutls: Fixed issue in the RSA-PSK key exchange, which would result to illegal memory access if a server hint was provided. Reported by André Klitzing. ** libgnutls: Fixed client memory leak in the PSK key exchange, if a server hint was provided. ** libgnutls: Corrected the *get_*_othername_oid() functions. ** API and ABI modifications: No changes since last version. * Version 3.3.0 (released 2014-04-10) ** libgnutls: The initialization of the library was moved to a constructor. That is, gnutls_global_init() is no longer required unless linking with a static library or a system that does not support library constructors. ** libgnutls: static libraries are not built by default. ** libgnutls: PKCS #11 initialization is delayed to first usage. That avoids long delays in gnutls initialization due to broken PKCS #11 modules. ** libgnutls: The PKCS #11 subsystem is re-initialized "automatically" on the first PKCS #11 API call after a fork. ** libgnutls: certificate verification profiles were introduced that can be specified as flags to verification functions. They are enumerations in gnutls_certificate_verification_profiles_t and can be converted to flags for use in a verification function using GNUTLS_PROFILE_TO_VFLAGS(). ** libgnutls: Added the ability to read system-specific initial keywords, if they are prefixed with '@@'. That allows a compile-time specified configuration file to be used to read pre-configured priority strings from. That can be used to impose system specific policies. ** libgnutls: Increased the default security level of priority strings (NORMAL and PFS strings require at minimum a 1008 DH prime), and set a verification profile by default. The LEGACY keyword is introduced to set the old defaults. ** libgnutls: Added support for the name constraints PKIX extension. Currently only DNS names and e-mails are supported (no URIs, IPs or DNs). ** libgnutls: Security parameter SEC_PARAM_NORMAL was renamed to SEC_PARAM_MEDIUM to avoid confusion with the priority string NORMAL. ** libgnutls: Added new API in x509-ext.h to handle X.509 extensions. This API handles the X.509 extensions in isolation, allowing to parse similarly formatted extensions stored in other structures. ** libgnutls: When generating DSA keys the macro GNUTLS_SUBGROUP_TO_BITS can be used to specify a particular subgroup as the number of bits in gnutls_privkey_generate; e.g., GNUTLS_SUBGROUP_TO_BITS(2048, 256). ** libgnutls: DH parameter generation is now delegated to nettle. That unfortunately has the side-effect that DH parameters longer than 3072 bits, cannot be generated (not without a nettle update). ** libgnutls: Separated nonce RNG from the main RNG. The nonce random number generator is based on salsa20/12. ** libgnutls: The buffer alignment provided to crypto backend is enforced to be 16-byte aligned, when compiled with cryptodev support. That allows certain cryptodev drivers to operate more efficiently. ** libgnutls: Return error when a public/private key pair that doesn't match is set into a credentials structure. ** libgnutls: Depend on p11-kit 0.20.0 or later. ** libgnutls: The new padding (%NEW_PADDING) experimental TLS extension has been removed. It was not approved by IETF. ** libgnutls: The experimental xssl library is removed from the gnutls distribution. ** libgnutls: Reduced the number of gnulib modules used in the main library. ** libgnutls: Added priority string %DISABLE_WILDCARDS. ** libgnutls: Added the more extensible verification function gnutls_certificate_verify_peers(), that allows checking, in addition to a peer's DNS hostname, for the key purpose of the end certificate (via PKIX extended key usage). ** certtool: Timestamps for serial numbers were increased to 8 bytes, and in batch mode to 12 (appended with 4 random bytes). ** certtool: When no CRL number is provided (or value set to -1), then a time-based number will be used, similarly to the serial generation number in certificates. ** certtool: Print the SHA256 fingerprint of a certificate in addition to SHA1. ** libgnutls: Added --enable-fips140-mode configuration option (unsupported). That option enables (when running on FIPS140-enabled system): o RSA, DSA and DH key generation as in FIPS-186-4 (using provable primes) o The DRBG-CTR-AES256 deterministic random generator from SP800-90A. o Self-tests on initialization on ciphers/MACs, public key algorithms and the random generator. o HMAC-SHA256 verification of the library on load. o MD5 is included for TLS purposes but cannot be used by the high level hashing functions. o All ciphers except AES are disabled. o All MACs and hashes except GCM and SHA are disabled (e.g., HMAC-MD5). o All keys (temporal and long term) are zeroized after use. o Security levels are adjusted to the FIPS140-2 recommendations (rather than ECRYPT). ** API and ABI modifications: GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS: Added gnutls_certificate_verify_peers: Added gnutls_privkey_generate: Added gnutls_pkcs11_crt_is_known: Added gnutls_fips140_mode_enabled: Added gnutls_sec_param_to_symmetric_bits: Added gnutls_pubkey_export_ecc_x962: Added (replaces gnutls_pubkey_get_pk_ecc_x962) gnutls_pubkey_export_ecc_raw: Added (replaces gnutls_pubkey_get_pk_ecc_raw) gnutls_pubkey_export_dsa_raw: Added (replaces gnutls_pubkey_get_pk_dsa_raw) gnutls_pubkey_export_rsa_raw: Added (replaces gnutls_pubkey_get_pk_rsa_raw) gnutls_pubkey_verify_params: Added gnutls_privkey_export_ecc_raw: Added gnutls_privkey_export_dsa_raw: Added gnutls_privkey_export_rsa_raw: Added gnutls_privkey_import_ecc_raw: Added gnutls_privkey_import_dsa_raw: Added gnutls_privkey_import_rsa_raw: Added gnutls_privkey_verify_params: Added gnutls_x509_crt_check_hostname2: Added gnutls_openpgp_crt_check_hostname2: Added gnutls_x509_name_constraints_init: Added gnutls_x509_name_constraints_deinit: Added gnutls_x509_crt_get_name_constraints: Added gnutls_x509_name_constraints_add_permitted: Added gnutls_x509_name_constraints_add_excluded: Added gnutls_x509_crt_set_name_constraints: Added gnutls_x509_name_constraints_get_permitted: Added gnutls_x509_name_constraints_get_excluded: Added gnutls_x509_name_constraints_check: Added gnutls_x509_name_constraints_check_crt: Added gnutls_x509_crl_get_extension_data2: Added gnutls_x509_crt_get_extension_data2: Added gnutls_x509_crq_get_extension_data2: Added gnutls_subject_alt_names_init: Added gnutls_subject_alt_names_deinit: Added gnutls_subject_alt_names_get: Added gnutls_subject_alt_names_set: Added gnutls_x509_ext_import_subject_alt_names: Added gnutls_x509_ext_export_subject_alt_names: Added gnutls_x509_crl_dist_points_init: Added gnutls_x509_crl_dist_points_deinit: Added gnutls_x509_crl_dist_points_get: Added gnutls_x509_crl_dist_points_set: Added gnutls_x509_ext_import_crl_dist_points: Added gnutls_x509_ext_export_crl_dist_points: Added gnutls_x509_ext_import_name_constraints: Added gnutls_x509_ext_export_name_constraints: Added gnutls_x509_aia_init: Added gnutls_x509_aia_deinit: Added gnutls_x509_aia_get: Added gnutls_x509_aia_set: Added gnutls_x509_ext_import_aia: Added gnutls_x509_ext_export_aia: Added gnutls_x509_ext_import_subject_key_id: Added gnutls_x509_ext_export_subject_key_id: Added gnutls_x509_ext_export_authority_key_id: Added gnutls_x509_ext_import_authority_key_id: Added gnutls_x509_aki_init: Added gnutls_x509_aki_get_id: Added gnutls_x509_aki_get_cert_issuer: Added gnutls_x509_aki_set_id: Added gnutls_x509_aki_set_cert_issuer: Added gnutls_x509_aki_deinit: Added gnutls_x509_ext_import_private_key_usage_period: Added gnutls_x509_ext_export_private_key_usage_period: Added gnutls_x509_ext_import_basic_constraints: Added gnutls_x509_ext_export_basic_constraints: Added gnutls_x509_ext_import_key_usage: Added gnutls_x509_ext_export_key_usage: Added gnutls_x509_ext_import_proxy: Added gnutls_x509_ext_export_proxy: Added gnutls_x509_policies_init: Added gnutls_x509_policies_deinit: Added gnutls_x509_policies_get: Added gnutls_x509_policies_set: Added gnutls_x509_ext_import_policies: Added gnutls_x509_ext_export_policies: Added gnutls_x509_key_purpose_init: Added gnutls_x509_key_purpose_deinit: Added gnutls_x509_key_purpose_set: Added gnutls_x509_key_purpose_get: Added gnutls_x509_ext_import_key_purposes: Added gnutls_x509_ext_export_key_purposes: Added gnutls_digest_self_test: Added (conditionally) gnutls_mac_self_test: Added (conditionally) gnutls_pk_self_test: Added (conditionally) gnutls_cipher_self_test: Added (conditionally) gnutls_global_set_mem_functions: Deprecated @ text @d1 1 a1 1 $NetBSD: patch-ae,v 1.5 2014/02/10 12:01:20 tron Exp $ @ 1.5 log @Add patch from GnuTLS repository to fix build of assembler routines under Mac OS X. Crucial hint provided by Nikos Mavrogiannopoulos. @ text @d1 1 a1 1 $NetBSD: patch-ae,v 1.4 2012/07/02 18:53:03 drochner Exp $ d5 1 a5 1 --- guile/src/core.c.orig 2012-04-12 20:05:11.000000000 +0000 @ 1.4 log @update to 3.0,20 This switches to the new stable release branch. @ text @d1 3 a3 1 $NetBSD$ @ 1.3 log @Changes 2.12.3: * libgnutls: Several minor bugfixes. * libgnutls: Restored HMAC-MD5 for compatibility. Although considered weak, several sites require it for connection. It is enabled for "NORMAL" and "PERFORMANCE" priority strings. * libgnutls: depend on libdl. * libgnutls: gnutls_transport_set_global_errno() was deprecated. Use your system's errno fascility or gnutls_transport_set_errno(). * gnutls-cli: Correction with usage of select to check for pending data in gnutls sessions. It now uses gnutls_record_check_pending(). * tests: More fixes and updates for win32. Patches by LRN. * libgnutls: Several files unnecessarily included ; this has been fixed. ** API and ABI modifications: gnutls_transport_set_global_errno: DEPRECATED Changes 2.12.2: * libgnutls: Several updates and fixes for win32. Patches by LRN. * libgnutls: Several bug and memory leak fixes. * srptool: Accepts the -d option to enable debugging. * libgnutls: Corrected bug in gnutls_srp_verifier() that prevented the allocation of a verifier. Reported by Andrew Wiseman. Changes 2.12.1: * certtool: Generated certificate request with stricter permissions. * libgnutls: Bug fixes in opencdk code. Reported by Vitaly Kruglikov. * libgnutls: Corrected windows system_errno() function prototype. * libgnutls: C++ compatibility fix for compat.h. Reported by Mark Brand. * libgnutls: Fix size of gnutls_openpgp_keyid_t by using the GNUTLS_OPENPGP_KEYID_SIZE definition. Reported by Andreas Metzler. @ text @d1 1 a1 1 $NetBSD: patch-ae,v 1.2 2007/10/23 11:43:57 wiz Exp $ d3 1 a3 1 --- guile/src/core.c.orig 2007-09-27 11:17:17.000000000 +0000 d5 2 a6 2 @@@@ -27,7 +27,7 @@@@ #include @ 1.2 log @Update to 2.0.2: * Version 2.0.2 (released 2007-10-17) ** TLS authorization support removed. This technique may be patented in the future, and it is not of crucial importance for the Internet community. After deliberation we have concluded that the best thing we can do in this situation is to encourage society not to adopt this technique. We have decided to lead the way with our own actions. ** certtool: Fixed data corruption when using --outder. ** Fix configure-time Guile detection. ** API and ABI modifications: GNUTLS_SUPPLEMENTAL_USER_MAPPING_DATA: ADDED. To avoid that the gnutls_supplemental_data_format_type_t enum type becomes empty. * Version 2.0.1 (released 2007-09-20) ** New directory doc/credentials/ with test credentials. This collects the test credentials from the web page and from src/. The script gnutls-http-serv has also been moved to that directory. ** Update SRP extension type and cipher suite with official IANA values. This breaks backwards compatibility with SRP in older versions of GnuTLS, but this is intentional to speed up the adoption of the official values. The old values we used were incorrect. ** Guile: Fix `x509-certificate-dn-oid' ** API and ABI modifications: No changes since last version. @ text @d1 1 a1 1 $NetBSD: patch-ae,v 1.1 2007/09/05 21:51:22 drochner Exp $ d5 1 a5 1 @@@@ -22,7 +22,7 @@@@ @ 1.1 log @update to 2.0.0 While an update to a .0 version is somehow risky, it finishes the unfortunate state that the pkgsrc gnutls didn't work with the pkgsrc opencdk, which I wouldn't like to go into the next stable branch. Release candidates have worked for me, and there is some time left before the Q3 branch, so I'm confident. changes: * Support for external RSA/DSA signing for TLS client authentication -many X.509 enhancements Support for Supplemental handshakes messages (RFC 4680) * Support for TLS authorization extension (draft-housley-tls-authz-extns-07) * Improve logic of gnutls_set_default_priority() * New APIs to enumerate supported algorithms in the library * Certtool can export more than one certificate to PKCS#12 * Several message translation improvements * Improved manual * Many bugfixes and minor improvements @ text @d1 1 a1 1 $NetBSD$ d3 1 a3 1 --- guile/src/core.c.orig 2007-09-04 18:11:37.000000000 +0200 a13 10 @@@@ -2380,7 +2380,8 @@@@ SCM_DEFINE (scm_gnutls_x509_certificate_ if (c_oid_actual_len < c_oid_len) \ c_oid = scm_realloc (c_oid, c_oid_actual_len); \ \ - result = scm_take_locale_string (c_oid); \ + result = scm_take_locale_stringn (c_oid, \ + c_oid_actual_len); \ } \ \ return result; @