./security/gnutls, GNU Transport Layer Security library

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 3.6.9nb1, Package name: gnutls-3.6.9nb1, Maintainer: pkgsrc-users

GnuTLS is a portable ANSI C based library which implements the TLS 1.0 and SSL
3.0 protocols. The library does not include any patented algorithms and is
available under the GNU Lesser GPL license.

Important features of the GnuTLS library include:
- Thread safety
- Support for both TLS 1.0 and SSL 3.0 protocols
- Support for both X.509 and OpenPGP certificates
- Support for basic parsing and verification of certificates
- Support for SRP for TLS authentication
- Support for TLS Extension mechanism
- Support for TLS Compression Methods

Additionally GnuTLS provides an emulation API for the widely used OpenSSL
library, to ease integration with existing applications.


Required to run:
[archivers/lzo] [security/libtasn1] [devel/gmp] [devel/libcfg+] [security/mozilla-rootcerts] [security/nettle] [security/p11-kit] [textproc/libunistring]

Required to build:
[pkgtools/cwrappers]

Master sites:

SHA1: 4a12757b129562ae92a01ca890ed282050595296
RMD160: 2771adabb5342b24fbebcb69b324924ee2b56513
Filesize: 5638.602 KB

Version history: (Expand)


CVS history: (Expand)


   2019-09-18 21:00:13 by Tobias Nygren | Files touched by this commit (1)
Log message:
gnutls: fix PLIST
   2019-09-18 17:27:05 by ng0 | Files touched by this commit (3)
Log message:
security/gnutls: Add ability to link against libunbound for DANE support.
   2019-09-16 19:01:46 by Niclas Rosenvik | Files touched by this commit (4)
Log message:
Fix compilation of gnutls with compilers missing __get_cpuid_count

Fix compilation of gnutls with compilers missing __get_cpuid_count.
Taken from upstream and fixed in version 3.6.10 .
Fixes compilation on NetBSD 8 without setting GCC_REQD.
   2019-09-16 02:28:48 by Nia Alarie | Files touched by this commit (3) | Package updated
Log message:
gnutls: Update to 3.6.9

* Version 3.6.9 (released 2019-07-25)

** libgnutls: add gnutls_hash_copy/gnutls_hmac_copy functions that will create a copy
   of digest or MAC context. Copying contexts for externally-registered digest \ 
and MAC
   contexts is unupported (#787).

** Marked the crypto implementation override APIs as deprecated. These APIs are \ 
rarely
   used, are for a niche use case, but have significant side effects, such as \ 
preventing
   any internal re-organization and extension of the internal cipher API. The \ 
APIs remain
   functional though a compiler warning will be issued, and a future minor \ 
version update
   may transform them to a no-op while keeping ABI compatibility (#789).

** libgnutls: Added support for AES-GMAC, as a separate to GCM, MAC algorithm (#781).

** libgnutls: gnutls_privkey_sign_hash2 now accepts the \ 
GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA
   flag as documented. This makes it a complete replacement of \ 
gnutls_privkey_sign_hash().

** libgnutls: Added support for Generalname registeredID.

** The priority configuration was enhanced to allow more elaborate
   system-wide configuration of the library (#587).
   The following changes were included:
    - The file is read as an ini file with '#' indicating a comment.
    - The section "[priorities]" or global follows the existing \ 
semantics of
      the configuration file, and allows to specify system-wide priority strings
      which are accessed with the '@' prefix.
    - The section "[overrides]" is added with the parameters \ 
"insecure-hash",
      "insecure-sig", "insecure-sig-for-cert", \ 
"disabled-curve",
      "disabled-version", "min-verification-profile", \ 
"tls-disabled-cipher",
      "tls-disabled-mac", "tls-disabled-group", \ 
"tls-disabled-kx", which prohibit
      specific algorithms or options globally. Existing algorithms in the
      library can be marked as disabled and insecure, but no hard-coded
      insecure algorithm can be marked as secure (so that the configuration
      cannot be abused to make the system vulnerable).
    - Unknown sections or options are skipped with a debug message, unless
      the GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID environment parameter is
      set to 1.

** libgnutls: Added new flag for GNUTLS_CPUID_OVERRIDE
    - 0x20: Enable SHA_NI instruction set

** API and ABI modifications:
gnutls_crypto_register_cipher: Deprecated
gnutls_crypto_register_aead_cipher: Deprecated
gnutls_crypto_register_digest: Deprecated
gnutls_crypto_register_mac: Deprecated
gnutls_get_system_config_file: Added
gnutls_hash_copy: Added
gnutls_hmac_copy: Added
GNUTLS_MAC_AES_GMAC_128: Added
GNUTLS_MAC_AES_GMAC_192: Added
GNUTLS_MAC_AES_CMAC_256: Added
GNUTLS_SAN_REGISTERED_ID: Added
   2019-08-15 17:46:15 by Sevan Janiyan | Files touched by this commit (2)
Log message:
Build fix for OS X Tiger via Macports
   2019-08-11 15:25:21 by Thomas Klausner | Files touched by this commit (3557) | Package updated
Log message:
Bump PKGREVISIONs for perl 5.30.0
   2019-07-21 00:46:59 by Thomas Klausner | Files touched by this commit (595)
Log message:
*: recursive bump for nettle 3.5.1
   2019-07-11 16:53:36 by Sevan Janiyan | Files touched by this commit (3) | Package updated
Log message:
Update to v3.6.8

Changes
=======

* Version 3.6.8 (released 2019-05-28)

** libgnutls: Added gnutls_prf_early() function to retrieve early keying
   material (#329)

** libgnutls: Added support for AES-XTS cipher (#354)

** libgnutls: Fix calculation of Streebog digests (incorrect carry operation in
   512 bit addition)

** libgnutls: During Diffie-Hellman operations in TLS, verify that the peer's
   public key is on the right subgroup (y^q=1 mod p), when q is available (under
   TLS 1.3 and under earlier versions when RFC7919 parameters are used).

** libgnutls: the gnutls_srp_set_server_credentials_function can now be used
   with the 8192 parameters as well (#995).

** libgnutls: Fixed bug preventing the use of gnutls_pubkey_verify_data2() and
   gnutls_pubkey_verify_hash2() with the GNUTLS_VERIFY_DISABLE_CA_SIGN flag (#754)

** libgnutls: The priority string option %ALLOW_SMALL_RECORDS was added to allow
   clients to communicate with the server advertising smaller limits than 512

** libgnutls: Apply STD3 ASCII rules in gnutls_idna_map() to prevent
   hostname/domain crafting via IDNA conversion (#720)

** certtool: allow the digital signature key usage flag in CA certificates.
   Previously certtool would ignore this flag for CA certificates even if
   specified (#767)

** gnutls-cli/serv: added the --keymatexport and --keymatexportsize options.
   These allow testing the RFC5705 using these tools.

** API and ABI modifications:
gnutls_prf_early: Added
gnutls_record_set_max_recv_size: Added
gnutls_dh_params_import_raw3: Added
gnutls_ffdhe_2048_group_q: Added
gnutls_ffdhe_3072_group_q: Added
gnutls_ffdhe_4096_group_q: Added
gnutls_ffdhe_6144_group_q: Added
gnutls_ffdhe_8192_group_q: Added