Log message:
gnutls: fix PLIST

Log message:
security/gnutls: Add ability to link against libunbound for DANE support.

Log message:
Fix compilation of gnutls with compilers missing __get_cpuid_count

Fix compilation of gnutls with compilers missing __get_cpuid_count.
Taken from upstream and fixed in version 3.6.10 .
Fixes compilation on NetBSD 8 without setting GCC_REQD.

Log message:
gnutls: Update to 3.6.9

* Version 3.6.9 (released 2019-07-25)

** libgnutls: add gnutls_hash_copy/gnutls_hmac_copy functions that will create a copy
   of digest or MAC context. Copying contexts for externally-registered digest \ 
and MAC
   contexts is unupported (#787).

** Marked the crypto implementation override APIs as deprecated. These APIs are \ 
rarely
   used, are for a niche use case, but have significant side effects, such as \ 
preventing
   any internal re-organization and extension of the internal cipher API. The \ 
APIs remain
   functional though a compiler warning will be issued, and a future minor \ 
version update
   may transform them to a no-op while keeping ABI compatibility (#789).

** libgnutls: Added support for AES-GMAC, as a separate to GCM, MAC algorithm (#781).

** libgnutls: gnutls_privkey_sign_hash2 now accepts the \ 
GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA
   flag as documented. This makes it a complete replacement of \ 
gnutls_privkey_sign_hash().

** libgnutls: Added support for Generalname registeredID.

** The priority configuration was enhanced to allow more elaborate
   system-wide configuration of the library (#587).
   The following changes were included:
    - The file is read as an ini file with '#' indicating a comment.
    - The section "[priorities]" or global follows the existing \ 
semantics of
      the configuration file, and allows to specify system-wide priority strings
      which are accessed with the '@' prefix.
    - The section "[overrides]" is added with the parameters \ 
"insecure-hash",
      "insecure-sig", "insecure-sig-for-cert", \ 
"disabled-curve",
      "disabled-version", "min-verification-profile", \ 
"tls-disabled-cipher",
      "tls-disabled-mac", "tls-disabled-group", \ 
"tls-disabled-kx", which prohibit
      specific algorithms or options globally. Existing algorithms in the
      library can be marked as disabled and insecure, but no hard-coded
      insecure algorithm can be marked as secure (so that the configuration
      cannot be abused to make the system vulnerable).
    - Unknown sections or options are skipped with a debug message, unless
      the GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID environment parameter is
      set to 1.

** libgnutls: Added new flag for GNUTLS_CPUID_OVERRIDE
    - 0x20: Enable SHA_NI instruction set

** API and ABI modifications:
gnutls_crypto_register_cipher: Deprecated
gnutls_crypto_register_aead_cipher: Deprecated
gnutls_crypto_register_digest: Deprecated
gnutls_crypto_register_mac: Deprecated
gnutls_get_system_config_file: Added
gnutls_hash_copy: Added
gnutls_hmac_copy: Added
GNUTLS_MAC_AES_GMAC_128: Added
GNUTLS_MAC_AES_GMAC_192: Added
GNUTLS_MAC_AES_CMAC_256: Added
GNUTLS_SAN_REGISTERED_ID: Added

Log message:
Build fix for OS X Tiger via Macports

Log message:
Bump PKGREVISIONs for perl 5.30.0

Log message:
*: recursive bump for nettle 3.5.1

Log message:
Update to v3.6.8

Changes
=======

* Version 3.6.8 (released 2019-05-28)

** libgnutls: Added gnutls_prf_early() function to retrieve early keying
   material (#329)

** libgnutls: Added support for AES-XTS cipher (#354)

** libgnutls: Fix calculation of Streebog digests (incorrect carry operation in
   512 bit addition)

** libgnutls: During Diffie-Hellman operations in TLS, verify that the peer's
   public key is on the right subgroup (y^q=1 mod p), when q is available (under
   TLS 1.3 and under earlier versions when RFC7919 parameters are used).

** libgnutls: the gnutls_srp_set_server_credentials_function can now be used
   with the 8192 parameters as well (#995).

** libgnutls: Fixed bug preventing the use of gnutls_pubkey_verify_data2() and
   gnutls_pubkey_verify_hash2() with the GNUTLS_VERIFY_DISABLE_CA_SIGN flag (#754)

** libgnutls: The priority string option %ALLOW_SMALL_RECORDS was added to allow
   clients to communicate with the server advertising smaller limits than 512

** libgnutls: Apply STD3 ASCII rules in gnutls_idna_map() to prevent
   hostname/domain crafting via IDNA conversion (#720)

** certtool: allow the digital signature key usage flag in CA certificates.
   Previously certtool would ignore this flag for CA certificates even if
   specified (#767)

** gnutls-cli/serv: added the --keymatexport and --keymatexportsize options.
   These allow testing the RFC5705 using these tools.

** API and ABI modifications:
gnutls_prf_early: Added
gnutls_record_set_max_recv_size: Added
gnutls_dh_params_import_raw3: Added
gnutls_ffdhe_2048_group_q: Added
gnutls_ffdhe_3072_group_q: Added
gnutls_ffdhe_4096_group_q: Added
gnutls_ffdhe_6144_group_q: Added
gnutls_ffdhe_8192_group_q: Added

Log message:
gnutls: Update to 3.6.7

Bug fix and security release on the stable 3.6.x branch.
OK during the freeze by <jperkin>, thanks!

Changes:
3.6.7
-----

 - libgnutls, gnutls tools: Every gnutls_free() will automatically set
   the free'd pointer to NULL. This prevents possible use-after-free and
   double free issues. Use-after-free will be turned into NULL dereference.
   The counter-measure does not extend to applications using gnutls_free().
 - libgnutls: Fixed a memory corruption (double free) vulnerability in the
   certificate verification API. Reported by Tavis Ormandy; addressed with
   the change above. [GNUTLS-SA-2019-03-27, #694]
 - libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages;
   Found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704]
 - libgnutls: enforce key usage limitations on certificates more actively.
   Previously we would enforce it for TLS1.2 protocol, now we enforce it
   even when TLS1.3 is negotiated, or on client certificates as well. When
   an inappropriate for TLS1.3 certificate is seen on the credentials structure
   GnuTLS will disable TLS1.3 support for that session (#690).
 - libgnutls: the default number of tickets sent under TLS 1.3 was increased to
   two. This makes it easier for clients which perform multiple connections
   to the server to use the tickets sent by a default server.
 - libgnutls: enforce the equality of the two signature parameters fields in
   a certificate. We were already enforcing the signature algorithm, but there
   was a bug in parameter checking code.
 - libgnutls: fixed issue preventing sending and receiving from different
   threads when false start was enabled (#713).
 - libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable
   session, as non-writeable security officer sessions are undefined in PKCS#11
   (#721).
 - libgnutls: no longer send downgrade sentinel in TLS 1.3.
   Previously the sentinel value was embedded to early in version
   negotiation and was sent even on TLS 1.3. It is now sent only when
   TLS 1.2 or earlier is negotiated (#689).
 - gnutls-cli: Added option --logfile to redirect informational messages output.

 - No API and ABI modifications since last version.

Log message:
gnutls: updated to 3.6.6

Version 3.6.6:
* libgnutls: gnutls_pubkey_import_ecc_raw() was fixed to set the number bits
  on the public key.
* libgnutls: Added support for raw public-key authentication as defined in RFC7250.
  Raw public-keys can be negotiated by enabling the corresponding certificate
  types via the priority strings. The raw public-key mechanism must be explicitly
  enabled via the GNUTLS_ENABLE_RAWPK init flag.
* libgnutls: When on server or client side we are sending no extensions we do
  not set an empty extensions field but we rather remove that field competely.
  This solves a regression since 3.5.x and improves compatibility of the server
  side with certain clients.
* libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if
  the CKA_SIGN is not set.
* libgnutls: The priority string option %NO_EXTENSIONS was improved to completely
  disable extensions at all cases, while providing a functional session. This
  also implies that when specified, TLS1.3 is disabled.
* libgnutls: GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated.
  The previous definition was non-functional.
* API and ABI modifications:
GNUTLS_ENABLE_RAWPK: Added
GNUTLS_ENABLE_CERT_TYPE_NEG: Removed (was no-op; replaced by GNUTLS_ENABLE_RAWPK)
GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION: Deprecated
GNUTLS_PCERT_NO_CERT: Deprecated