./security/gnutls, GNU Transport Layer Security library

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 3.5.12, Package name: gnutls-3.5.12, Maintainer: pkgsrc-users

GnuTLS is a portable ANSI C based library which implements the TLS 1.0 and SSL
3.0 protocols. The library does not include any patented algorithms and is
available under the GNU Lesser GPL license.

Important features of the GnuTLS library include:
- Thread safety
- Support for both TLS 1.0 and SSL 3.0 protocols
- Support for both X.509 and OpenPGP certificates
- Support for basic parsing and verification of certificates
- Support for SRP for TLS authentication
- Support for TLS Extension mechanism
- Support for TLS Compression Methods

Additionally GnuTLS provides an emulation API for the widely used OpenSSL
library, to ease integration with existing applications.

Required to run:
[archivers/lzo] [security/libtasn1] [devel/gmp] [devel/libcfg+] [devel/autogen] [security/nettle] [textproc/libunistring]

Required to build:

Master sites:

SHA1: 9f453686bc6b1e6ebc04197158a2bc123c0272df
RMD160: ffdd1b7af9376cee94e81fefd929ee6a41cd8fcb
Filesize: 7043.605 KB

Version history: (Expand)

CVS history: (Expand)

   2017-05-18 09:54:26 by Havard Eidnes | Files touched by this commit (3) | Package updated
Log message:
Update to GnuTLS 3.5.12.

Pkgsrc changes:
Adapt PLIST.

Upstream changes:

* Version 3.5.12 (released 2017-05-11)

** libgnutls: enabled TCP Fast open for MacOSX. Patch by Tim Ruehsen.

** libgnutls: gnutls_x509_crt_check_hostname2() no longer matches IP addresses
   against DNS fields of certificate (CN or DNSname). The previous behavior
   was to tolerate some misconfigured servers, but that was non-standard
   and skipped any IP constraints present in higher level certificates.

** libgnutls: when converting to IDNA2008, fallback to IDNA2003
   (i.e., transitional encoding) if the domain cannot be converted.
   That provides maximum compatibility with browsers like firefox
   that perform the same conversion.

** libgnutls: fix issue in RSA-PSK client callback which resulted
   in no username being sent to the peer. Patch by Nicolas Dufresne.

** libgnutls: fix regression causing stapled extensions in trust modules not
   to be considered.

** certtool: introduced the email_protection_key option.  This
   option was introduced in documentation for certtool without an
   implementation of it.  It is a shortcut for option 'key_purpose_oid

** certtool: made printing of key ID and key PIN consistent between
   certificates, public keys, and private keys. That is the private
   key printing now uses the same format as the rest.

** gnutls-cli: introduced the --sni-hostname option. This allows overriding the
   hostname advertised to the peer.

** API and ABI modifications:
No changes since last version.

* Version 3.5.11 (released 2017-04-07)

** gnutls.pc: do not include libtool options into Libs.private.

** libgnutls: Fixed issue when rehandshaking without a client certificate in
   a session which initially used one. Reported by Frantisek Sumsal.

** libgnutls: Addressed read of 4 bytes past the end of buffer in OpenPGP
   certificate parsing. Issues found using oss-fuzz project and were fixed
   by Alex Gaynor:
   https://bugs.chromium.org/p/oss-fuzz/is … ail?id=737
   https://bugs.chromium.org/p/oss-fuzz/is … ail?id=824

** libgnutls: Introduced locks in gnutls_pkcs11_privkey_t structure access.
   That allows PKCS#11 operations such as signing to be performed with the
   same object from multiple threads.

** libgnutls: Added support for MacOSX key chain for obtaining
   trust store's root CA certificates. That is,
   gnutls_x509_trust_list_add_system_trust() and
   gnutls_certificate_set_x509_system_trust() will load the certificates
   from the key chain. That also means that we no longer check for a
   default trust store file in configure when building on MacOSX (unless
   explicitly asked to).  Patch by David Caldwell.

** libgnutls: when disabling OpenPGP authentication, the resulting library
   is ABI compatible (with openpgp related functions being stubs that fail
   on invocation).

** API and ABI modifications:
No changes since last version.

* Version 3.5.10 (released 2017-03-06)

** gnutls.pc: do not include libidn2 in Requires.private. The
   libidn2 versions available do not include libidn2.pc, thus the
   inclusion was causing pkg-config issues. Instead we include
   -lidn2 in Libs.private when compile against libidn2.

** libgnutls: optimized access to subject alternative names (SANs)
   in parsed certificates. The previous implementation assumed a
   small number of SANs in a certificate, with repeated calls to
   ASN.1 decoding of the extension without any intermediate caching.
   That caused delays in certificates with a long list of names in
   functions such as gnutls_x509_crt_check_hostname().  With the
   current code, the SANs are parsed once on certificate import.
   Resolves gitlab issue #165.

** libgnutls: Addressed integer overflow resulting to invalid memory
   write in OpenPGP certificate parsing. Issue found using oss-fuzz
   project:  https://bugs.chromium.org/p/oss-fuzz/is … ail?id=420

** libgnutls: Addressed read of 1 byte past the end of buffer in OpenPGP
   certificate parsing. Issue found using oss-fuzz project:
   https://bugs.chromium.org/p/oss-fuzz/is … ail?id=391

** libgnutls: Addressed crashes in OpenPGP certificate parsing, related
   to private key parser. No longer allow OpenPGP certificates (public keys)
   to contain private key sub-packets. Issue found using oss-fuzz project:
   https://bugs.chromium.org/p/oss-fuzz/is … ail?id=354
   https://bugs.chromium.org/p/oss-fuzz/is … ail?id=360 [GNUTLS-SA-2017-3B]

** libgnutls: Addressed large allocation in OpenPGP certificate parsing, that
   could lead in out-of-memory condition. Issue found using oss-fuzz project,
   and was fixed by Alex Gaynor:
   https://bugs.chromium.org/p/oss-fuzz/is … ail?id=392 [GNUTLS-SA-2017-3C]

** libgnutls: Print the key PIN value used by the HPKP protocol as per RFC7469
   when printing certificate information.

** libgnutls: gnutls_ocsp_resp_verify_direct() and gnutls_ocsp_resp_verify()
   flags can be set from the gnutls_certificate_verify_flags enumeration.
   This allows the functions to pass the same flags available for certificates
   to the verification function (e.g., GNUTLS_VERIFY_DISABLE_TIME_CHECKS or

** libgnutls: gnutls_store_commitment() can accept flag
   GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN. This is to allow the function to operate
   in applications which use SHA1 for example, after SHA1 is deprecated.

** certtool: No longer ignore the 'add_critical_extension' template option if
   the 'add_extension' option is not present.

** gnutls-cli: Added LMTP, POP3, NNTP, Sieve and PostgreSQL support to the
   starttls-proto command. Patch by Robert Scheck.

** API and ABI modifications:
No changes since last version.
   2017-04-10 12:43:49 by Jonathan Perkin | Files touched by this commit (2)
Log message:
Avoid unsupported xgetbv instruction on older Darwin assemblers.
   2017-02-26 10:19:56 by Adam Ciarcinski | Files touched by this commit (3)
Log message:
* Version 3.5.9 (released 2017-02-12)

** libgnutls: Removed any references to OpenPGP functionality in documentation,
   and marked all functions in openpgp.h as deprecated. That functionality
   is considered deprecated and should not be used for other reason than
   backwards compatibility.

** libgnutls: Improve detection of AVX support. In certain cases when
   when the instruction was available on the host, but not on a VM running
   gnutls, detection could fail causing illegal instruction usage.

** libgnutls: Added support for IDNA2008 for internationalized DNS names.
   If gnutls is compiled using libidn2 (the latest version is recommended),
   it will support IDNA2008 instead of the now obsolete IDNA2003 standard.
   Resolves gitlab issue 150. Based on patch by Tim Ruehsen.

** p11tool: re-use ID from corresponding objects when writing certificates.
   That is, when writing a certificate which has a corresponding public key,
   or private key in the token, ensure that we use the same ID for the

** API and ABI modifications:
gnutls_idna_map: Added
gnutls_idna_reverse_map: Added
   2017-01-11 18:06:52 by Thomas Klausner | Files touched by this commit (1)
Log message:
Add libunistring to bl3.mk, it's linked into libgnutls{,xx}.so.

PR 51830
   2017-01-10 17:23:50 by Thomas Klausner | Files touched by this commit (4) | Package updated
Log message:
Updated gnutls to 3.5.8.

* Version 3.5.8 (released 2016-01-09)

** libgnutls: Ensure that multiple calls to the gnutls_set_priority_*
   functions will not leave the verification profiles field to an
   undefined state. The last call will take precedence.

** libgnutls: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned
   by PKCS#8 decryption functions when an invalid key is provided. This
   addresses regression on decrypting certain PKCS#8 keys.

** libgnutls: Introduced option to override the default priority string
   used by the library. The intention is to allow support of system-wide
   priority strings (as set with --with-system-priority-file). The
   configure option is --with-default-priority-string.

** libgnutls: Require a valid IV size on all ciphers for PKCS#8 decryption.
   This prevents crashes when decrypting malformed PKCS#8 keys.

** libgnutls: Fix crash on the loading of malformed private keys with certain
   parameters set to zero.

** libgnutls: Fix double free in certificate information printing. If the PKIX
   extension proxy was set with a policy language set but no policy specified,
   that could lead to a double free.

** libgnutls: Addressed memory leaks in client and server side error paths
   (issues found using oss-fuzz project)

** libgnutls: Addressed memory leaks in X.509 certificate printing error paths
   (issues found using oss-fuzz project)

** libgnutls: Addressed memory leaks and an infinite loop in OpenPGP certificate
   parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project)

** libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing.
   (issues found using oss-fuzz project)

** API and ABI modifications:
No changes since last version.

* Version 3.5.7 (released 2016-12-8)

** libgnutls: Include CHACHA20-POLY1305 ciphersuites in the SECURE128
   and SECURE256 priority strings.

** libgnutls: Require libtasn1 4.9; this ensures gnutls will correctly
   operate with OIDs which have elements that exceed 2^32.

** libgnutls: The DN decoding functions output the traditional DN format
   rather than the strict RFC4514 compliant textual DN. This reverts the
   3.5.6 introduced change, and allows applications which depended on the
   previous format to continue to function. Introduced new functions which
   output the strict format by default, and can revert to the old one using
   a flag.

** libgnutls: Improved TPM key handling. Check authorization requirements
   prior to using a key and fix issue on loop for PIN input. Patches by
   James Bottomley.

** libgnutls: In all functions accepting UTF-8 passwords, ensure that
   passwords are normalized according to RFC7613. When invalid UTF-8
   passwords are detected, they are only tolerated for decryption.
   This introduces a libunistring dependency on GnuTLS. A version of
   libunistring is included in the library for the platforms that do
   not ship it; it can be used with the '--with-included-unistring'
   option to configure script.

** libgnutls: When setting a subject alternative name in a certificate
   which is in UTF-8 format, it will transparently be converted to IDNA form
   prior to storing.

** libgnutls: GNUTLS_CRT_PRINT_ONELINE flag on gnutls_x509_crt_print()
   will print the SHA256 key-ID instead of a certificate fingerprint.

** libgnutls: enhance the PKCS#7 verification capabilities. In the case
   signers that are not discoverable using the trust list or input, use
   the stored list as pool to generate a trusted chain to the signer.

** libgnutls: Improved MTU calculation precision for the CBC ciphersuites
   under DTLS.

** libgnutls: [added missing news entry since 3.5.0]
   No longer tolerate certificate key usage violations for
   TLS signature verification, and decryption. That is GnuTLS will fail
   to connect to servers which incorrectly use a restricted to signing certificate
   for decryption, or vice-versa. This reverts the lax behavior introduced
   in 3.1.0, due to several such broken servers being available. The %COMPAT
   priority keyword can be used to work-around connecting on these servers.

** certtool: When exporting a CRQ in DER format ensure no text data are
   intermixed. Patch by Dmitry Eremin-Solenikov.

** certtool: Include the SHA-256 variant of key ID in --certificate-info

** p11tool: Introduced the --initialize-pin and --initialize-so-pin

** API and ABI modifications:
gnutls_utf8_password_normalize: Added
gnutls_ocsp_resp_get_responder2: Added
gnutls_x509_crt_get_issuer_dn3: Added
gnutls_x509_crt_get_dn3: Added
gnutls_x509_rdn_get2: Added
gnutls_x509_dn_get_str2: Added
gnutls_x509_crl_get_issuer_dn3: Added
gnutls_x509_crq_get_dn3: Added

* Version 3.5.6 (released 2016-11-04)

** libgnutls: Enhanced the PKCS#7 parser to allow decoding old
   (pre-rfc5652) structures with arbitrary encapsulated content.

** libgnutls: Introduced a function group to set known DH parameters
   using groups from RFC7919.

** libgnutls: Added more strict RFC4514 textual DN encoding and decoding.
   Now the generated textual DN is in reverse order according to RFC4514,
   and functions which generate a DN from strings such gnutls_x509_crt_set_*dn()
   set the expected DN (reverse of the provided string).

** libgnutls: Introduced time and constraints checks in the end certificate
   in the gnutls_x509_crt_verify_data2() and gnutls_pkcs7_verify_direct()

** libgnutls: Set limits on the maximum number of alerts handled. That is,
   applications using gnutls could be tricked into an busy loop if the
   peer sends continuously alert messages. Applications which set a maximum
   handshake time (via gnutls_handshake_set_timeout) will eventually recover
   but others may remain in a busy loops indefinitely. This is related but
   not identical to CVE-2016-8610, due to the difference in alert handling
   of the libraries (gnutls delegates that handling to applications).

** libgnutls: Reverted the change which made the gnutls_certificate_set_*key*
   functions return an index (introduced in 3.5.5), to avoid affecting programs
   which explicitly check success of the function as equality to zero. In order
   for these functions to return an index an explicit call to \ 
   with the GNUTLS_CERTIFICATE_API_V2 flag is now required.

** libgnutls: Reverted the behavior of sending a status request extension even
   without a response (introduced in 3.5.5). That is, we no longer reply to a
   client's hello with a status request, with a status request extension. Although
   that behavior is legal, it creates incompatibility issues with releases in
   the gnutls 3.3.x branch.

** libgnutls: Delayed the initialization of the random generator at
   the first call of gnutls_rnd(). This allows applications to load
   on systems which getrandom() would block, without blocking until
   real random data are needed.

** certtool: --get-dh-params will output parameters from the RFC7919

** p11tool: improvements in --initialize option.

** API and ABI modifications:
gnutls_pkcs7_get_embedded_data_oid: Added
gnutls_anon_set_server_known_dh_params: Added
gnutls_certificate_set_known_dh_params: Added
gnutls_psk_set_server_known_dh_params: Added
gnutls_x509_crt_check_key_purpose: Added

* Version 3.5.5 (released 2016-10-09)

** libgnutls: enhanced gnutls_certificate_set_ocsp_status_request_file()
   to allow importing multiple OCSP request files, one for each chain

** libgnutls: The gnutls_certificate_set_key* functions return an
   index of the added chain. That index can be used either with
   gnutls_certificate_set_ocsp_status_request_file(), or with
   gnutls_certificate_get_crt_raw() and friends.

** libgnutls: Added SHA*, AES-GCM, AES-CCM and AES-CBC optimized implementations
   for the aarch64 architecture. Uses Andy Polyakov's assembly code.

** libgnutls: Ensure proper cleanups on gnutls_certificate_set_*key()
   failures due to key mismatch. This prevents leaks or double freeing
   on such failures.

** libgnutls: Increased the maximum size of the handshake message hash.
   This will allow the library to cope better with larger packets, as
   the ones offered by current TLS 1.3 drafts.

** libgnutls: Allow to use client certificates despite them containing
   disallowed algorithms for a session. That allows for example a client
   to use DSA-SHA1 due to his old DSA certificate, without requiring him
   to enable DSA-SHA1 (and thus make it acceptable for the server's certificate).

** libgnutls: Reverted AESNI code on x86 to earlier version as the
   latest version was creating position depending code. Added checks
   in the CI to detect position depending code early.

** guile: Update code to the I/O port API of Guile >= 2.1.4
   This makes sure the GnuTLS bindings will work with the forthcoming 2.2
   stable series of Guile, of which 2.1 is a preview.

** API and ABI modifications:
gnutls_certificate_set_ocsp_status_request_function2: Added
gnutls_session_ext_register: Added
gnutls_session_supplemental_register: Added
   2017-01-07 19:49:16 by Maya Rashish | Files touched by this commit (1)
Log message:
gnutls: don't redefine max_align_t on FreeBSD. It incorrectly fails the
configure test because the type in stddef.h is guarded by a c11 macro
(most likely).

Force the configure test to pass.

From David Shao in PR pkg/51793 (originally from FreeBSD ports).
   2016-09-20 10:40:15 by Thomas Klausner | Files touched by this commit (1) | Package updated
Log message:
Use libopts from autoopts package instead of local copy.
(Only changes bin/*, not lib). Fixes build when autoopts already is installed

Disable valgrind explicitly.

Addresses issues reported by Ricard Palo.

   2016-09-19 17:32:47 by Thomas Klausner | Files touched by this commit (3)
Log message:
Add upstream patch so one test passes.
Replace bash binary path in more shell scripts so more tests work.

Result: no failing tests. Yay!