pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/security/gnutls gnutls: updated to 3.7.3



details:   https://anonhg.NetBSD.org/pkgsrc/rev/d0527013615f
branches:  trunk
changeset: 372116:d0527013615f
user:      adam <adam%pkgsrc.org@localhost>
date:      Wed Jan 19 21:11:11 2022 +0000

description:
gnutls: updated to 3.7.3

Version 3.7.3 (released 2022-01-17)

** libgnutls: The allowlisting configuration mode has been added to the system-wide
   settings. In this mode, all the algorithms are initially marked as insecure
   or disabled, while the applications can re-enable them either through the
   [overrides] section of the configuration file or the new API.

** The build infrastructure no longer depends on GNU AutoGen for generating
   command-line option handling, template file parsing in certtool, and
   documentation generation. This change also removes the run-time or
   bundled dependency on the libopts library, and requires Python 3.6 or later
   to regenerate the distribution tarball.

   Note that this brings in a known backward incompatibility in command-line
   tools: long options are now case sensitive, while previously they
   were treated in a case insensitive manner; for example, --RSA is no longer a
   valid option of certtool. Existing scripts using GnuTLS tools may need
   adjustment for this change.

** libgnutls: The tpm2-tss-engine compatible private blobs can be loaded and
   used as a gnutls_privkey_t. The code was originally written for the
   OpenConnect VPN project by David Woodhouse. To generate such blobs, use the
   tpm2tss-genkey tool from tpm2-tss-engine:
   https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
   or the tpm2_encodeobject tool from unreleased tpm2-tools.

** libgnutls: The library now transparently enables Linux KTLS
   (kernel TLS) when the feature is compiled in with --enable-ktls configuration
   option. If the KTLS initialization fails it automatically falls back
   to the user space implementation.

** certtool: The certtool command can now read the Certificate Transparency
   (RFC 6962) SCT extension.  New API functions are also provided to
   access and manipulate the extension values.

** certtool: The certtool command can now generate, manipulate, and evaluate
   x25519 and x448 public keys, private keys, and certificates.

** libgnutls: Disabling a hashing algorithm through "insecure-hash"
   configuration directive now also disables TLS ciphersuites that use it as a
   PRF algorithm.

** libgnutls: PKCS#12 files are now created with modern algorithms by default.
   Previously certtool used PKCS12-3DES-SHA1 for key derivation and
   HMAC-SHA1 as an integrity measure in PKCS#12.  Now it uses AES-128-CBC with
   PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the
   default PBKDF2 iteration count has been increased to 600000.

** libgnutls: PKCS#12 keys derived using a GOST algorithm now use
   HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity, to
   conform with the latest TC-26 requirements.

** libgnutls: The library now provides a means to report the status of approved
   cryptographic operations. To adhere to the FIPS140-3 IG 2.4.C., this
   complements the existing mechanism to prohibit the use of unapproved
   algorithms by putting the library into an unusable state.

** gnutls-cli: The gnutls-cli command now provides a --list-config option to
   print the library configuration.

** libgnutls: Fixed possible race condition in
   gnutls_x509_trust_list_verify_crt2 when a single trust list object is shared
   among multiple threads. [GNUTLS-SA-2022-01-17, CVSS: low]

** API and ABI modifications:
GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_privkey_flags_t
GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_certificate_verify_flags
gnutls_ecc_curve_set_enabled: Added.
gnutls_sign_set_secure: Added.
gnutls_sign_set_secure_for_certs: Added.
gnutls_digest_set_secure: Added.
gnutls_protocol_set_enabled: Added.
gnutls_fips140_context_init: New function
gnutls_fips140_context_deinit: New function
gnutls_fips140_push_context: New function
gnutls_fips140_pop_context: New function
gnutls_fips140_get_operation_state: New function
gnutls_fips140_operation_state_t: New enum
gnutls_transport_is_ktls_enabled: New function
gnutls_get_library_configuration: New function
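
The two system-wide override modes described in the commit message above (the new allowlisting mode, and the existing mode in which "insecure-hash" now also removes ciphersuites that use that hash as PRF) can be modelled in a few lines. The block below is an added illustration, not GnuTLS code: it parses a fragment in the shape of the GnuTLS system configuration file and computes the effective policy. The key names `override-mode = allowlist` in `[global]` and `secure-hash` in `[overrides]` are taken from the GnuTLS manual and are assumptions here (only `[overrides]` and `insecure-hash` appear in the commit message); the ciphersuite-to-PRF table is a constructed sample, not the library's own list.

```python
"""Model of the two system-wide override modes in GnuTLS 3.7.3.

Added illustration, not GnuTLS code: it parses a small fragment in the shape
of /etc/gnutls/config and derives which hashes, and (by the PRF rule from the
release notes) which TLS ciphersuites, remain usable.
"""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample table: ciphersuite -> hash it uses as the TLS 1.2 PRF.
# Real GnuTLS takes this from its internal ciphersuite table.
SAMPLE_CIPHERSUITES = {
    "AES-128-GCM-SHA256": "SHA256",
    "AES-256-GCM-SHA384": "SHA384",
    "CHACHA20-POLY1305-SHA256": "SHA256",
    # SHA1 is this suite's MAC; its TLS 1.2 PRF is SHA-256 (RFC 5246), so the
    # PRF rule alone leaves it in place. Ciphersuite MACs are governed by
    # separate tls-*-mac settings that this model does not cover.
    "AES-128-CBC-SHA1": "SHA256",
}
ALL_HASHES = frozenset({"MD5", "SHA1", "SHA256", "SHA384", "SHA512"})

# Assumed key names (from the GnuTLS manual, not from the release notes):
# "override-mode = allowlist" in [global]; "secure-hash" and "insecure-hash"
# in [overrides].
SECTION_RE = re.compile(r"\[(\w+)\]")


class Policy(NamedTuple):
    mode: str
    hashes: Set[str]        # hashes left usable
    ciphersuites: Set[str]  # sample suites whose PRF hash is usable


def parse_config(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse an INI-like fragment; repeated keys are kept, in order."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        m = SECTION_RE.fullmatch(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        # Algorithm names are normalised to upper case; a modelling choice.
        sections[current].append((key.lower(), value.upper()))
    return sections


def effective_policy(text: str) -> Policy:
    """Apply the override mode and [overrides] entries to the sample tables."""
    cfg = parse_config(text)
    mode = dict(cfg.get("global", [])).get("override-mode", "BLOCKLIST").lower()
    overrides = cfg.get("overrides", [])
    if mode == "allowlist":
        # Fail closed: nothing is usable until explicitly re-enabled.
        hashes = {v for k, v in overrides if k == "secure-hash"} & ALL_HASHES
    elif mode == "blocklist":
        # Pre-existing behaviour: everything usable unless marked insecure.
        hashes = ALL_HASHES - {v for k, v in overrides if k == "insecure-hash"}
    else:
        raise ValueError(f"unknown override-mode: {mode}")
    # The 3.7.3 rule: a suite is dropped when its PRF hash is not usable.
    suites = {name for name, prf in SAMPLE_CIPHERSUITES.items() if prf in hashes}
    return Policy(mode, set(hashes), suites)


# Constructed sample fragments.
BLOCKLIST_CONFIG = """\
# default mode: everything enabled, then SHA-384 is withdrawn
[overrides]
insecure-hash = SHA384
"""

ALLOWLIST_CONFIG = """\
[global]
override-mode = allowlist

[overrides]
secure-hash = SHA256
"""

if __name__ == "__main__":
    for label, cfg in (("blocklist", BLOCKLIST_CONFIG), ("allowlist", ALLOWLIST_CONFIG)):
        pol = effective_policy(cfg)
        print(f"{label}: hashes={sorted(pol.hashes)} suites={sorted(pol.ciphersuites)}")
```

The point worth noticing is the fail-closed shape of allowlist mode: an allowlist fragment with an empty `[overrides]` section leaves nothing usable, whereas a blocklist fragment with no overrides leaves everything usable, which is why the commit message describes allowlisting as starting from "all the algorithms ... marked as insecure or disabled".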

diffstat:

 security/gnutls/Makefile                                     |  18 +----
 security/gnutls/PLIST                                        |  47 ++++-------
 security/gnutls/distinfo                                     |  13 +--
 security/gnutls/patches/patch-src_libopts_autoopts_options.h |  15 ---
 security/gnutls/patches/patch-src_libopts_compat_compat.h    |  15 ---
 security/gnutls/patches/patch-src_libopts_libopts.c          |  15 ---
 security/gnutls/patches/patch-src_libopts_makeshell.c        |  33 --------
 security/gnutls/patches/patch-src_libopts_proto.h            |  26 ------
 8 files changed, 25 insertions(+), 157 deletions(-)

diffs (truncated from 310 to 300 lines):

diff -r 6ebc5ac020b2 -r d0527013615f security/gnutls/Makefile
--- a/security/gnutls/Makefile  Wed Jan 19 21:11:09 2022 +0000
+++ b/security/gnutls/Makefile  Wed Jan 19 21:11:11 2022 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.226 2022/01/03 12:36:53 wiz Exp $
+# $NetBSD: Makefile,v 1.227 2022/01/19 21:11:11 adam Exp $
 
-DISTNAME=      gnutls-3.7.2
-PKGREVISION=   2
+DISTNAME=      gnutls-3.7.3
 CATEGORIES=    security devel
 MASTER_SITES=  https://www.gnupg.org/ftp/gcrypt/gnutls/v${PKGVERSION_NOREV:R}/
 EXTRACT_SUFX=  .tar.xz
@@ -53,14 +52,6 @@
 MAKE_ENV+=             RM=${RM:Q}
 MAKE_ENV+=             TZ=UTC
 
-SUBST_CLASSES+=                shell
-SUBST_SED.shell+=      -e 's,define POSIX_SHELL .*,define POSIX_SHELL "'${TOOLS_PATH.bash}'",'
-SUBST_STAGE.shell=     post-configure
-SUBST_FILES.shell+=    config.h
-SUBST_MESSAGE.shell=   Fixing path to bash.
-
-EGDIR=         ${PREFIX}/share/examples/gnutls
-
 INSTALLATION_DIRS=     ${EGDIR} include/gnutls
 
 .include "../../mk/bsd.prefs.mk"
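Review bot: the `EGDIR=` definition is removed in this hunk, but the unchanged context line `INSTALLATION_DIRS= ${EGDIR} include/gnutls` still expands it; since the examples are no longer installed, drop `${EGDIR}` from INSTALLATION_DIRS as well so the reference does not dangle (an undefined make variable expands to empty, so it is harmless but stale).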
@@ -96,9 +87,6 @@
 CONFIGURE_ARGS.SunOS+= --disable-tests
 .endif
 
-post-install:
-       cd ${WRKSRC}/doc/examples && ${INSTALL_DATA} *.c ${DESTDIR}${EGDIR}
-
 .include "../../converters/libiconv/buildlink3.mk"
 .include "../../devel/gettext-lib/buildlink3.mk"
 BUILDLINK_API_DEPENDS.gmp+=            gmp>=5.0
@@ -108,8 +96,6 @@
 # gnutls will add a Requires.private for it in its .pc file
 CHECK_BUILTIN.zlib:=yes
 .include "../../devel/zlib/buildlink3.mk"
-# guile is useful for selftests, but bindings should be separate pkgs
-#.include "../../lang/guile20/buildlink3.mk"
 BUILDLINK_API_DEPENDS.libtasn1+=       libtasn1>=4.9
 .include "../../security/libtasn1/buildlink3.mk"
 BUILDLINK_API_DEPENDS.nettle+=         nettle>=3.6
diff -r 6ebc5ac020b2 -r d0527013615f security/gnutls/PLIST
--- a/security/gnutls/PLIST     Wed Jan 19 21:11:09 2022 +0000
+++ b/security/gnutls/PLIST     Wed Jan 19 21:11:11 2022 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.73 2021/05/31 11:08:45 wiz Exp $
+@comment $NetBSD: PLIST,v 1.74 2022/01/19 21:11:11 adam Exp $
 bin/certtool
 bin/gnutls-cli
 bin/gnutls-cli-debug
@@ -238,6 +238,7 @@
 man/man3/gnutls_digest_get_name.3
 man/man3/gnutls_digest_get_oid.3
 man/man3/gnutls_digest_list.3
+man/man3/gnutls_digest_set_secure.3
 man/man3/gnutls_dtls_cookie_send.3
 man/man3/gnutls_dtls_cookie_verify.3
 man/man3/gnutls_dtls_get_data_mtu.3
@@ -256,6 +257,7 @@
 man/man3/gnutls_ecc_curve_get_pk.3
 man/man3/gnutls_ecc_curve_get_size.3
 man/man3/gnutls_ecc_curve_list.3
+man/man3/gnutls_ecc_curve_set_enabled.3
 man/man3/gnutls_encode_ber_digest_info.3
 man/man3/gnutls_encode_gost_rs_value.3
 man/man3/gnutls_encode_rs_value.3
@@ -270,8 +272,14 @@
 man/man3/gnutls_ext_register.3
 man/man3/gnutls_ext_set_data.3
 man/man3/gnutls_fingerprint.3
+man/man3/gnutls_fips140_context_deinit.3
+man/man3/gnutls_fips140_context_init.3
+man/man3/gnutls_fips140_get_operation_state.3
 man/man3/gnutls_fips140_mode_enabled.3
+man/man3/gnutls_fips140_pop_context.3
+man/man3/gnutls_fips140_push_context.3
 man/man3/gnutls_fips140_set_mode.3
+man/man3/gnutls_get_library_config.3
 man/man3/gnutls_get_system_config_file.3
 man/man3/gnutls_global_deinit.3
 man/man3/gnutls_global_init.3
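Review bot: the man page added here is `gnutls_get_library_config.3`, while the API list in the commit message names the function `gnutls_get_library_configuration`; one of the two is off. The PLIST is what gets checked against the installed files, so if the page name is right the commit text should be corrected to match, and otherwise the PLIST entry should.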
@@ -616,6 +624,7 @@
 man/man3/gnutls_protocol_get_name.3
 man/man3/gnutls_protocol_get_version.3
 man/man3/gnutls_protocol_list.3
+man/man3/gnutls_protocol_set_enabled.3
 man/man3/gnutls_psk_allocate_client_credentials.3
 man/man3/gnutls_psk_allocate_server_credentials.3
 man/man3/gnutls_psk_client_get_hint.3
@@ -763,6 +772,8 @@
 man/man3/gnutls_sign_is_secure.3
 man/man3/gnutls_sign_is_secure2.3
 man/man3/gnutls_sign_list.3
+man/man3/gnutls_sign_set_secure.3
+man/man3/gnutls_sign_set_secure_for_certs.3
 man/man3/gnutls_sign_supports_pk_algorithm.3
 man/man3/gnutls_srp_allocate_client_credentials.3
 man/man3/gnutls_srp_allocate_server_credentials.3
@@ -819,6 +830,7 @@
 man/man3/gnutls_transport_get_int2.3
 man/man3/gnutls_transport_get_ptr.3
 man/man3/gnutls_transport_get_ptr2.3
+man/man3/gnutls_transport_is_ktls_enabled.3
 man/man3/gnutls_transport_set_errno.3
 man/man3/gnutls_transport_set_errno_function.3
 man/man3/gnutls_transport_set_fastopen.3
@@ -1075,6 +1087,8 @@
 man/man3/gnutls_x509_crt_sign2.3
 man/man3/gnutls_x509_crt_verify.3
 man/man3/gnutls_x509_crt_verify_data2.3
+man/man3/gnutls_x509_ct_sct_get.3
+man/man3/gnutls_x509_ct_sct_get_version.3
 man/man3/gnutls_x509_dn_deinit.3
 man/man3/gnutls_x509_dn_export.3
 man/man3/gnutls_x509_dn_export2.3
@@ -1086,6 +1100,10 @@
 man/man3/gnutls_x509_dn_oid_known.3
 man/man3/gnutls_x509_dn_oid_name.3
 man/man3/gnutls_x509_dn_set_str.3
+man/man3/gnutls_x509_ext_ct_export_scts.3
+man/man3/gnutls_x509_ext_ct_import_scts.3
+man/man3/gnutls_x509_ext_ct_scts_deinit.3
+man/man3/gnutls_x509_ext_ct_scts_init.3
 man/man3/gnutls_x509_ext_deinit.3
 man/man3/gnutls_x509_ext_export_aia.3
 man/man3/gnutls_x509_ext_export_authority_key_id.3
@@ -1217,33 +1235,6 @@
 share/doc/gnutls/gnutls-modauth.png
 share/doc/gnutls/gnutls-x509.png
 share/doc/gnutls/pkcs11-vision.png
-share/examples/gnutls/ex-alert.c
-share/examples/gnutls/ex-cert-select-pkcs11.c
-share/examples/gnutls/ex-cert-select.c
-share/examples/gnutls/ex-client-anon.c
-share/examples/gnutls/ex-client-dtls.c
-share/examples/gnutls/ex-client-psk.c
-share/examples/gnutls/ex-client-resume.c
-share/examples/gnutls/ex-client-srp.c
-share/examples/gnutls/ex-client-x509-3.1.c
-share/examples/gnutls/ex-client-x509.c
-share/examples/gnutls/ex-crq.c
-share/examples/gnutls/ex-ocsp-client.c
-share/examples/gnutls/ex-pkcs11-list.c
-share/examples/gnutls/ex-pkcs12.c
-share/examples/gnutls/ex-serv-anon.c
-share/examples/gnutls/ex-serv-dtls.c
-share/examples/gnutls/ex-serv-psk.c
-share/examples/gnutls/ex-serv-srp.c
-share/examples/gnutls/ex-serv-x509.c
-share/examples/gnutls/ex-session-info.c
-share/examples/gnutls/ex-verify-ssh.c
-share/examples/gnutls/ex-verify.c
-share/examples/gnutls/ex-x509-info.c
-share/examples/gnutls/print-ciphersuites.c
-share/examples/gnutls/tcp.c
-share/examples/gnutls/udp.c
-share/examples/gnutls/verify.c
 share/locale/cs/LC_MESSAGES/gnutls.mo
 share/locale/de/LC_MESSAGES/gnutls.mo
 share/locale/eo/LC_MESSAGES/gnutls.mo
diff -r 6ebc5ac020b2 -r d0527013615f security/gnutls/distinfo
--- a/security/gnutls/distinfo  Wed Jan 19 21:11:09 2022 +0000
+++ b/security/gnutls/distinfo  Wed Jan 19 21:11:11 2022 +0000
@@ -1,12 +1,7 @@
-$NetBSD: distinfo,v 1.150 2021/10/26 11:17:06 nia Exp $
+$NetBSD: distinfo,v 1.151 2022/01/19 21:11:11 adam Exp $
 
-BLAKE2s (gnutls-3.7.2.tar.xz) = 16c4ae925fa13ec1ef7f0009cda4227cfe6a8945d10486da9ab6208099e949b9
-SHA512 (gnutls-3.7.2.tar.xz) = 5d01d561a05379da71e4847e30ba13c2abe09f7a5c4359fd539d8bd19abad0ce87120f82ee7b6264e787bd3edbc5ae16beffa892983cbc3d59f11a1811c10329
-Size (gnutls-3.7.2.tar.xz) = 6091508 bytes
+BLAKE2s (gnutls-3.7.3.tar.xz) = b3c209d629dc0d9d8927532511d3337b336328f6fb8a7b855bc110f9796d65bb
+SHA512 (gnutls-3.7.3.tar.xz) = 3ace744affe23e284342658d6d2d2de49dd50065489cbc8be18fc7d38187253e5268ca54027ce5cd517056c249ac039a7481e4548cec04325de37ae85617d077
+Size (gnutls-3.7.3.tar.xz) = 6119292 bytes
 SHA1 (patch-configure) = 3653f74914f874aa369f62c8b267a46fd6b78eaa
 SHA1 (patch-lib_system_certs.c) = fba74b2834a36d66bddcd7d3405d0c91c1b14efc
-SHA1 (patch-src_libopts_autoopts_options.h) = ebeeafc834bce3b6b3f938e360b089e165ee4f9e
-SHA1 (patch-src_libopts_compat_compat.h) = 6e88b5e73a56c296f356aa5ce7e6048e1bcff450
-SHA1 (patch-src_libopts_libopts.c) = 6e2453a886aa4be0a17dfbdb8a23ef9d7a0f62f8
-SHA1 (patch-src_libopts_makeshell.c) = 1b08ab63e6e382bd471699530e5d8bff075b3f24
-SHA1 (patch-src_libopts_proto.h) = 7601830e5ff45632ae337a387548f9ed5e591c4f
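Review bot: the five removed checksums match the five deleted libopts patch files, so distinfo stays consistent with the patches directory; the two remaining entries (`patch-configure`, `patch-lib_system_certs.c`) keep their old hashes, which is expected when the patch files are unchanged, but with a new distribution tarball it is worth confirming that both still apply cleanly to 3.7.3.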
diff -r 6ebc5ac020b2 -r d0527013615f security/gnutls/patches/patch-src_libopts_autoopts_options.h
--- a/security/gnutls/patches/patch-src_libopts_autoopts_options.h      Wed Jan 19 21:11:09 2022 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,15 +0,0 @@
-$NetBSD: patch-src_libopts_autoopts_options.h,v 1.3 2019/12/06 14:00:08 nia Exp $
-
-Workaround for older OSX.
-
---- src/libopts/autoopts/options.h.orig        2019-12-01 21:25:38.000000000 +0000
-+++ src/libopts/autoopts/options.h
-@@ -62,7 +62,7 @@
- #    include <sysexits.h>
- #  endif /* HAVE_SYSEXITS_H */
- 
--#  if defined(HAVE_STDBOOL_H)
-+#  if defined(HAVE_STDBOOL_H) || defined(__APPLE__)
- #    include <stdbool.h>
- #  elif ! defined(bool)
-      typedef enum { false = 0, true = 1 } _Bool;
diff -r 6ebc5ac020b2 -r d0527013615f security/gnutls/patches/patch-src_libopts_compat_compat.h
--- a/security/gnutls/patches/patch-src_libopts_compat_compat.h Wed Jan 19 21:11:09 2022 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,15 +0,0 @@
-$NetBSD: patch-src_libopts_compat_compat.h,v 1.3 2019/12/06 14:00:08 nia Exp $
-
-Workaround for older OSX.
-
---- src/libopts/compat/compat.h.orig   2019-12-01 21:25:38.000000000 +0000
-+++ src/libopts/compat/compat.h
-@@ -182,7 +182,7 @@
- #  include <unistd.h>
- #endif
- 
--#if defined(HAVE_STDBOOL_H)
-+#if defined(HAVE_STDBOOL_H) || defined(__APPLE__)
- #  include <stdbool.h>
- #elif ! defined(bool)
-    typedef enum { false = 0, true = 1 } _Bool;
diff -r 6ebc5ac020b2 -r d0527013615f security/gnutls/patches/patch-src_libopts_libopts.c
--- a/security/gnutls/patches/patch-src_libopts_libopts.c       Wed Jan 19 21:11:09 2022 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,15 +0,0 @@
-$NetBSD: patch-src_libopts_libopts.c,v 1.2 2019/12/06 14:00:08 nia Exp $
-
-Workaround broken gettext.h conflicting with native implementation of
-message contexts in NetBSD.
-
---- src/libopts/libopts.c.orig 2019-12-01 21:25:38.000000000 +0000
-+++ src/libopts/libopts.c
-@@ -1,3 +1,7 @@
-+#include <config.h>
-+#if ENABLE_NLS
-+#include <gettext.h>
-+#endif
- #define  AUTOOPTS_INTERNAL 1
- #include "autoopts/project.h"
- 
diff -r 6ebc5ac020b2 -r d0527013615f security/gnutls/patches/patch-src_libopts_makeshell.c
--- a/security/gnutls/patches/patch-src_libopts_makeshell.c     Wed Jan 19 21:11:09 2022 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,33 +0,0 @@
-$NetBSD: patch-src_libopts_makeshell.c,v 1.3 2019/12/06 14:00:08 nia Exp $
-
-Avoid stdnoreturn.h.
-
---- src/libopts/makeshell.c.orig       2019-12-01 21:25:38.000000000 +0000
-+++ src/libopts/makeshell.c
-@@ -35,7 +35,7 @@
- #define UPPER(_c) (toupper(to_uchar(_c)))
- #define LOWER(_c) (tolower(to_uchar(_c)))
- 
--noreturn static void
-+static void
- option_exits(int exit_code)
- {
-     if (print_exit)
-@@ -43,7 +43,7 @@ option_exits(int exit_code)
-     exit(exit_code);
- }
- 
--noreturn static void
-+static void
- ao_bug(char const * msg)
- {
-     fprintf(stderr, zao_bug_msg, msg);
-@@ -57,7 +57,7 @@ fserr_warn(char const * prog, char const
-             op, fname);
- }
- 
--noreturn static void
-+static void
- fserr_exit(char const * prog, char const * op, char const * fname)
- {
-     fserr_warn(prog, op, fname);
diff -r 6ebc5ac020b2 -r d0527013615f security/gnutls/patches/patch-src_libopts_proto.h
--- a/security/gnutls/patches/patch-src_libopts_proto.h Wed Jan 19 21:11:09 2022 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,26 +0,0 @@
-$NetBSD: patch-src_libopts_proto.h,v 1.3 2019/12/06 14:00:08 nia Exp $
-
-Avoid stdnoreturn.h.
-
---- src/libopts/proto.h.orig   2019-12-01 21:25:38.000000000 +0000
-+++ src/libopts/proto.h
-@@ -247,16 +247,16 @@ load_opt_line(tOptions * opts, tOptState
- /*
-  * Static declarations from makeshell.c
-  */
--noreturn static void
-+static void
- option_exits(int exit_code);
- 
--noreturn static void
-+static void


