Subject: CVS commit: pkgsrc/security/gnutls
From: Adam Ciarcinski
Date: 2022-05-18 20:26:14
Message id: 20220518182614.C5FFDFAEB@cvs.NetBSD.org
Log Message:
gnutls: updated to 3.7.5

Version 3.7.5 (released 2022-05-15)

** libgnutls: The GNUTLS_NO_TICKETS_TLS12 flag and %NO_TICKETS_TLS12 priority
   modifier have been added to disable session ticket usage in TLS 1.2 because
   it does not provide forward secrecy.  On the other hand, since session
   tickets in TLS 1.3 do provide forward secrecy, the PFS priority string now
   only disables session tickets in TLS 1.2.  Future backward incompatibility:
   in the next major release of GnuTLS, we plan to remove those flag and
   modifier, and make GNUTLS_NO_TICKETS and %NO_TICKETS only affect TLS 1.2.

** gnutls-cli, gnutls-serv: Channel binding for printing information
   has been changed from tls-unique to tls-exporter as tls-unique is
   not supported in TLS 1.3.

** libgnutls: Certificate sanity checks has been enhanced to make
   gnutls more RFC 5280 compliant (!1583).
   Following changes were included:
   - critical extensions are parsed when loading x509
     certificate to prohibit any random octet strings.
     Requires strict-x509 configure option to be enabled
   - garbage bits in Key Usage extension are prohibited
   - empty DirectoryStrings in Distinguished name structures
     of Issuer and Subject name are prohibited

** libgnutls: Removed 3DES from FIPS approved algorithms.
   According to the section 2 of SP800-131A Rev.2, 3DES algorithm
   will be disallowed for encryption after December 31, 2023:
   https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final

** libgnutls: Optimized support for AES-SIV-CMAC algorithms.
   The existing AEAD API that works in a scatter-gather fashion
   (gnutls_aead_cipher_encryptv2) has been extended to support AES-SIV-CMAC.
   For further optimization, new function (gnutls_aead_cipher_set_key) has been
   added to set key on the existing AEAD handle without re-allocation.

** libgnutls: HKDF and AES-GCM algorithms are now approved in FIPS-140 mode
   when used in TLS.

** The configure arguments for Brotli and Zstandard (zstd) support
   have changed to reflect the previous help text: they are now
   --with-brotli/--with-zstd respectively.

** Detecting the Zstandard (zstd) library in configure has been
   fixed.

** API and ABI modifications:
GNUTLS_NO_TICKETS_TLS12: New flag
gnutls_aead_cipher_set_key: New function
Files:
RevisionActionfile
1.231modifypkgsrc/security/gnutls/Makefile
1.76modifypkgsrc/security/gnutls/PLIST
1.153modifypkgsrc/security/gnutls/distinfo