./security/gnutls, GNU Transport Layer Security library

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 3.6.5, Package name: gnutls-3.6.5, Maintainer: pkgsrc-users

GnuTLS is a portable ANSI C based library which implements the TLS 1.0 and SSL
3.0 protocols. The library does not include any patented algorithms and is
available under the GNU Lesser GPL license.

Important features of the GnuTLS library include:
- Thread safety
- Support for both TLS 1.0 and SSL 3.0 protocols
- Support for both X.509 and OpenPGP certificates
- Support for basic parsing and verification of certificates
- Support for SRP for TLS authentication
- Support for TLS Extension mechanism
- Support for TLS Compression Methods

Additionally GnuTLS provides an emulation API for the widely used OpenSSL
library, to ease integration with existing applications.


Required to run:
[archivers/lzo] [security/libtasn1] [devel/gmp] [devel/libcfg+] [security/nettle] [security/p11-kit] [textproc/libunistring]

Required to build:
[pkgtools/cwrappers]

Master sites:

SHA1: 749fcaba23f63b523ec2ad262caeca6f1e62fc6f
RMD160: a7194f821deb3b1cd9efa7be8382bf893e317a8e
Filesize: 8000.867 KB

Version history: (Expand)


CVS history: (Expand)


   2018-12-09 21:12:41 by Leonardo Taccari | Files touched by this commit (4) | Package updated
Log message:
gnutls: Update security/gnutls to 3.6.5

pkgsrc changes:
- Remove comments regarding bash and tests (bash was added
  unconditionally due REPLACE_BASH usages)

Changes:
3.6.5
-----
** libgnutls: Provide the option of transparent re-handshake/reauthentication
   when the GNUTLS_AUTO_REAUTH flag is specified in gnutls_init() (#571).
** libgnutls: Added support for TLS 1.3 zero round-trip (0-RTT) mode (#127)
** libgnutls: The priority functions will ignore and not enable TLS1.3 if
   requested with legacy TLS versions enabled but not TLS1.2. That is because
   if such a priority string is used in the client side (e.g., TLS1.3+TLS1.0 enabled)
   servers which do not support TLS1.3 will negotiate TLS1.2 which will be
   rejected by the client as disabled (#621).
** libgnutls: Change RSA decryption to use a new side-channel silent function.
   This addresses a security issue where memory access patterns as well as timing
   on the underlying Nettle rsa-decrypt function could lead to new Bleichenbacher
   attacks. Side-channel resistant code is slower due to the need to mask
   access and timings. When used in TLS the new functions cause RSA based
   handshakes to be between 13% and 28% slower on average (Numbers are indicative,
   the tests where performed on a relatively modern Intel CPU, results vary
   depending on the CPU and architecture used). This change makes nettle 3.4.1
   the minimum requirement of gnutls (#630). [CVSS: medium]
** libgnutls: gnutls_priority_init() and friends, allow the CTYPE-OPENPGP keyword
   in the priority string. It is only accepted as legacy option and is ignored.
** libgnutls: Added support for EdDSA under PKCS#11 (#417)
** libgnutls: Added support for AES-CFB8 cipher (#357)
** libgnutls: Added support for AES-CMAC MAC (#351)
** libgnutls: In two previous versions GNUTLS_CIPHER_GOST28147_CPB/CPC/CPD_CFB \ 
ciphers
   have incorrectly used CryptoPro-A S-BOX instead of proper (CryptoPro-B/-C/-D
   S-BOXes). They are fixed now.
** libgnutls: Added support for GOST key unmasking and unwrapped GOST private
   keys parsing, as specified in R 50.1.112-2016.
** gnutls-serv: It applies the default settings when no --priority option is given,
   using gnutls_set_default_priority().
** p11tool: Fix initialization of security officer's PIN with the --initialize-so-pin
   option (#561)
** certtool: Add parameter --no-text that prevents certtool from outputting
   text before PEM-encoded private key, public key, certificate, CRL or CSR.

** API and ABI modifications:
GNUTLS_AUTO_REAUTH: Added
GNUTLS_CIPHER_AES_128_CFB8: Added
GNUTLS_CIPHER_AES_192_CFB8: Added
GNUTLS_CIPHER_AES_256_CFB8: Added
GNUTLS_MAC_AES_CMAC_128: Added
GNUTLS_MAC_AES_CMAC_256: Added
gnutls_record_get_max_early_data_size: Added
gnutls_record_send_early_data: Added
gnutls_record_recv_early_data: Added
gnutls_db_check_entry_expire_time: Added
gnutls_anti_replay_set_add_function: Added
gnutls_anti_replay_init: Added
gnutls_anti_replay_deinit: Added
gnutls_anti_replay_set_window: Added
gnutls_anti_replay_enable: Added
gnutls_privkey_decrypt_data2: Added
   2018-11-09 19:03:45 by Nia Alarie | Files touched by this commit (4) | Package updated
Log message:
gnutls: update to 3.6.4.

* Version 3.6.4 (released 2018-09-24)

** libgnutls: Added the final (RFC8446) version numbering of the TLS1.3 protocol.

** libgnutls: Corrected regression since 3.6.3 in the callbacks set with
   gnutls_certificate_set_retrieve_function() which could not handle the case where
   no certificates were returned, or the callbacks were set to NULL (see #528).

** libgnutls: gnutls_handshake() on server returns early on handshake when no
   certificate is presented by client and the gnutls_init() flag \ 
GNUTLS_ENABLE_EARLY_START
   is specified.

** libgnutls: Added session ticket key rotation on server side with TOTP.
   The key set with gnutls_session_ticket_enable_server() is used as a
   master key to generate time-based keys for tickets. The rotation
   relates to the gnutls_db_set_cache_expiration() period.

** libgnutls: The 'record size limit' extension is added and preferred to the
   'max record size' extension when possible.

** libgnutls: Provide a more flexible PKCS#11 search of trust store certificates.
   This addresses the problem where the CA certificate doesn't have a subject key
   identifier whereas the end certificates have an authority key identifier (#569)

** libgnutls: gnutls_privkey_export_gost_raw2(), gnutls_privkey_import_gost_raw(),
   gnutls_pubkey_export_gost_raw2(), gnutls_pubkey_import_gost_raw() import
   and export GOST parameters in the "native" little endian format \ 
used for these
   curves. This is an intentional incompatible change with 3.6.3.

** libgnutls: Added support for seperately negotiating client and server \ 
certificate types
   as defined in RFC7250. This mechanism must be explicitly enabled via the
   GNUTLS_ENABLE_CERT_TYPE_NEG flag in gnutls_init().

** gnutls-cli: enable CRL validation on startup (#564)

** API and ABI modifications:
GNUTLS_ENABLE_EARLY_START: Added
GNUTLS_ENABLE_CERT_TYPE_NEG: Added
GNUTLS_TL_FAIL_ON_INVALID_CRL: Added
GNUTLS_CERTIFICATE_VERIFY_CRLS: Added
gnutls_ctype_target_t: New enumeration
gnutls_record_set_max_early_data_size: Added
gnutls_certificate_type_get2: Added
gnutls_priority_certificate_type_list2: Added
gnutls_ffdhe_6144_group_prime: Added
gnutls_ffdhe_6144_group_generator: Added
gnutls_ffdhe_6144_key_bits: Added
   2018-09-27 20:32:35 by Tobias Nygren | Files touched by this commit (1)
Log message:
gnutls: be explicit about --without-idn
   2018-09-21 16:20:12 by Thomas Klausner | Files touched by this commit (1)
Log message:
gnutls: add another REPLACE_BASH so the tests all run through
   2018-08-22 11:48:07 by Thomas Klausner | Files touched by this commit (3558)
Log message:
Recursive bump for perl5-5.28.0
   2018-08-20 08:01:26 by Thomas Klausner | Files touched by this commit (1) | Package updated
Log message:
gnutls: Fix path to bash in installed files.

Bump PKGREVISION.
   2018-08-19 11:16:01 by Thomas Klausner | Files touched by this commit (1)
Log message:
gnutls: remove obsolete configure argument
   2018-08-19 08:28:39 by Thomas Klausner | Files touched by this commit (1)
Log message:
gnutls: build-depend on bash for the tests.

Replace interpreter in more shell scripts. Gets tests further along.