Subject: CVS commit: [pkgsrc-2018Q3] pkgsrc/security/gnutls
From: S.P.Zeidler
Date: 2018-11-22 06:45:13
Message id: 20181122054514.0921BFB1F@cvs.NetBSD.org

Log Message:
Pullup ticket #5880 - requested by nia
security/gnutls: security update

Revisions pulled up:
- security/gnutls/Makefile                                      1.191
- security/gnutls/PLIST                                         1.61
- security/gnutls/distinfo                                      1.131
- security/gnutls/patches/patch-doc_examples_tlsproxy_tlsproxy.c deleted

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	nia
   Date:		Fri Nov  9 18:03:45 UTC 2018

   Modified Files:
   	pkgsrc/security/gnutls: Makefile PLIST distinfo
   Removed Files:
   	pkgsrc/security/gnutls/patches: patch-doc_examples_tlsproxy_tlsproxy.c

   Log Message:
   gnutls: update to 3.6.4.

   * Version 3.6.4 (released 2018-09-24)

   ** libgnutls: Added the final (RFC8446) version numbering of the TLS1.3 protocol.

   ** libgnutls: Corrected regression since 3.6.3 in the callbacks set with
      gnutls_certificate_set_retrieve_function() which could not handle the case where
      no certificates were returned, or the callbacks were set to NULL (see #528).

   ** libgnutls: gnutls_handshake() on server returns early on handshake when no
      certificate is presented by client and the gnutls_init() flag GNUTLS_ENABLE_EARLY_START
      is specified.

   ** libgnutls: Added session ticket key rotation on server side with TOTP.
      The key set with gnutls_session_ticket_enable_server() is used as a
      master key to generate time-based keys for tickets. The rotation
      relates to the gnutls_db_set_cache_expiration() period.

   ** libgnutls: The 'record size limit' extension is added and preferred to the
      'max record size' extension when possible.

   ** libgnutls: Provide a more flexible PKCS#11 search of trust store certificates.
      This addresses the problem where the CA certificate doesn't have a subject key
      identifier whereas the end certificates have an authority key identifier (#569)

   ** libgnutls: gnutls_privkey_export_gost_raw2(), gnutls_privkey_import_gost_raw(),
      gnutls_pubkey_export_gost_raw2(), gnutls_pubkey_import_gost_raw() import
      and export GOST parameters in the "native" little endian format used for these
      curves. This is an intentional incompatible change with 3.6.3.

   ** libgnutls: Added support for separately negotiating client and server certificate types
      as defined in RFC7250. This mechanism must be explicitly enabled via the
      GNUTLS_ENABLE_CERT_TYPE_NEG flag in gnutls_init().

   ** gnutls-cli: enable CRL validation on startup (#564)

   ** API and ABI modifications:
   GNUTLS_ENABLE_EARLY_START: Added
   GNUTLS_ENABLE_CERT_TYPE_NEG: Added
   GNUTLS_TL_FAIL_ON_INVALID_CRL: Added
   GNUTLS_CERTIFICATE_VERIFY_CRLS: Added
   gnutls_ctype_target_t: New enumeration
   gnutls_record_set_max_early_data_size: Added
   gnutls_certificate_type_get2: Added
   gnutls_priority_certificate_type_list2: Added
   gnutls_ffdhe_6144_group_prime: Added
   gnutls_ffdhe_6144_group_generator: Added
   gnutls_ffdhe_6144_key_bits: Added

   To generate a diff of this commit:
   cvs rdiff -u -r1.190 -r1.191 pkgsrc/security/gnutls/Makefile
   cvs rdiff -u -r1.60 -r1.61 pkgsrc/security/gnutls/PLIST
   cvs rdiff -u -r1.130 -r1.131 pkgsrc/security/gnutls/distinfo
   cvs rdiff -u -r1.1 -r0 \
       pkgsrc/security/gnutls/patches/patch-doc_examples_tlsproxy_tlsproxy.c

Files:
Revision   Action  File
1.190.2.1  modify  pkgsrc/security/gnutls/Makefile
1.60.2.1   modify  pkgsrc/security/gnutls/PLIST
1.130.2.1  modify  pkgsrc/security/gnutls/distinfo
1.1        remove  pkgsrc/security/gnutls/patches/patch-doc_examples_tlsproxy_tlsproxy.c