./security/gnutls, Transport Layer Security library

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 3.7.7, Package name: gnutls-3.7.7, Maintainer: pkgsrc-users

GnuTLS is a portable ANSI C based library which implements the TLS 1.0 and SSL
3.0 protocols. The library does not include any patented algorithms and is
available under the GNU Lesser GPL license.

Important features of the GnuTLS library include:
- Thread safety
- Support for both TLS 1.0 and SSL 3.0 protocols
- Support for both X.509 and OpenPGP certificates
- Support for basic parsing and verification of certificates
- Support for SRP for TLS authentication
- Support for TLS Extension mechanism
- Support for TLS Compression Methods

Additionally GnuTLS provides an emulation API for the widely used OpenSSL
library, to ease integration with existing applications.


Required to run:
[archivers/lzo] [security/libtasn1] [devel/gmp] [devel/libcfg+] [security/mozilla-rootcerts] [security/nettle] [security/p11-kit] [textproc/libunistring]

Required to build:
[pkgtools/cwrappers]

Master sites:

Filesize: 6202.797 KB

Version history: (Expand)


CVS history: (Expand)


   2022-07-29 10:04:48 by Adam Ciarcinski | Files touched by this commit (4) | Package updated
Log message:
gnutls: updated to 3.7.7

Version 3.7.7 (released 2022-07-28)

** libgnutls: Fixed double free during verification of pkcs7 signatures.
   [CVE-2022-2509]

** libgnutls: gnutls_hkdf_expand now only accepts LENGTH argument less than or
   equal to 255 times hash digest size, to comply with RFC 5869 2.3.

** libgnutls: Length limit for TLS PSK usernames has been increased
   from 128 to 65535 characters.

** libgnutls: AES-GCM encryption function now limits plaintext
   length to 2^39-256 bits, according to SP800-38D 5.2.1.1.

** libgnutls: New block cipher functions have been added to transparently
   handle padding.  gnutls_cipher_encrypt3 and gnutls_cipher_decrypt3 can be
   used in combination of GNUTLS_CIPHER_PADDING_PKCS7 flag to automatically
   add/remove padding if the length of the original plaintext is not a multiple
   of the block size.

** libgnutls: New function for manual FIPS self-testing.

** API and ABI modifications:
gnutls_fips140_run_self_tests: New function
gnutls_cipher_encrypt3: New function
gnutls_cipher_decrypt3: New function
gnutls_cipher_padding_flags_t: New enum

** guile: Guile 1.8 is no longer supported

** guile: Session record port treats premature termination as EOF
   Previously, a ‘gnutls-error’ exception with the
   ‘error/premature-termination’ value would be thrown while reading from a
   session record port when the underlying session was terminated
   prematurely.  This was inconvenient since users of the port may not be
   prepared to handle such an exception.
   Reading from the session record port now returns the end-of-file object
   instead of throwing an exception, just like it would for a proper
   session termination.

** guile: Session record ports can have a ‘close’ procedure.
   The ‘session-record-port’ procedure now takes an optional second
   parameter, and a new ‘set-session-record-port-close!’ procedure is
   provided to specify a ‘close’ procedure for a session record port.
   This ‘close’ procedure lets users specify cleanup operations for when
   the port is closed, such as closing the file descriptor or port that
   backs the underlying session.
   2022-06-28 13:38:00 by Thomas Klausner | Files touched by this commit (3952)
Log message:
*: recursive bump for perl 5.36
   2022-05-28 08:03:42 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
gnutls: updated to 3.7.6

Version 3.7.6 (released 2022-05-27)

** libgnutls: Fixed invalid write when gnutls_realloc_zero()
   is called with new_size < old_size. This bug caused heap
   corruption when gnutls_realloc_zero() has been set as gmp
   reallocfunc
   2022-05-18 20:26:14 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
gnutls: updated to 3.7.5

Version 3.7.5 (released 2022-05-15)

** libgnutls: The GNUTLS_NO_TICKETS_TLS12 flag and %NO_TICKETS_TLS12 priority
   modifier have been added to disable session ticket usage in TLS 1.2 because
   it does not provide forward secrecy.  On the other hand, since session
   tickets in TLS 1.3 do provide forward secrecy, the PFS priority string now
   only disables session tickets in TLS 1.2.  Future backward incompatibility:
   in the next major release of GnuTLS, we plan to remove those flag and
   modifier, and make GNUTLS_NO_TICKETS and %NO_TICKETS only affect TLS 1.2.

** gnutls-cli, gnutls-serv: Channel binding for printing information
   has been changed from tls-unique to tls-exporter as tls-unique is
   not supported in TLS 1.3.

** libgnutls: Certificate sanity checks has been enhanced to make
   gnutls more RFC 5280 compliant (!1583).
   Following changes were included:
   - critical extensions are parsed when loading x509
     certificate to prohibit any random octet strings.
     Requires strict-x509 configure option to be enabled
   - garbage bits in Key Usage extension are prohibited
   - empty DirectoryStrings in Distinguished name structures
     of Issuer and Subject name are prohibited

** libgnutls: Removed 3DES from FIPS approved algorithms.
   According to the section 2 of SP800-131A Rev.2, 3DES algorithm
   will be disallowed for encryption after December 31, 2023:
   https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final

** libgnutls: Optimized support for AES-SIV-CMAC algorithms.
   The existing AEAD API that works in a scatter-gather fashion
   (gnutls_aead_cipher_encryptv2) has been extended to support AES-SIV-CMAC.
   For further optimization, new function (gnutls_aead_cipher_set_key) has been
   added to set key on the existing AEAD handle without re-allocation.

** libgnutls: HKDF and AES-GCM algorithms are now approved in FIPS-140 mode
   when used in TLS.

** The configure arguments for Brotli and Zstandard (zstd) support
   have changed to reflect the previous help text: they are now
   --with-brotli/--with-zstd respectively.

** Detecting the Zstandard (zstd) library in configure has been
   fixed.

** API and ABI modifications:
GNUTLS_NO_TICKETS_TLS12: New flag
gnutls_aead_cipher_set_key: New function
   2022-03-17 22:16:25 by Adam Ciarcinski | Files touched by this commit (4) | Package updated
Log message:
gnutls: updated to 3.7.4

Version 3.7.4 (released 2022-03-17)

** libgnutls: Added support for certificate compression as defined in RFC8879.
** certtool: Added option --compress-cert that allows user to specify compression
   methods for certificate compression.
** libgnutls: GnuTLS can now be compiled with --enable-strict-x509 configure
   option to enforce stricter certificate sanity checks that are compliant
   with RFC5280.
** libgnutls: Removed IA5String type from DirectoryString within issuer
   and subject name to make DirectoryString RFC5280 compliant.
** libgnutls: Added function to retrieve the name of current ciphersuite
   from session.

** API and ABI modifications:
GNUTLS_COMP_BROTLI: New gnutls_compression_method_t enum member
GNUTLS_COMP_ZSTD: New gnutls_compression_method_t enum member
gnutls_compress_certificate_get_selected_method: Added
gnutls_compress_certificate_set_methods: Added
   2022-03-16 14:32:37 by Tobias Nygren | Files touched by this commit (1)
Log message:
gnutls: fix build w/ latest xcode on Apple M1
   2022-02-06 21:54:24 by Roland Illig | Files touched by this commit (2)
Log message:
security/gnutls: remove unknown configure options

The option --enable-lzo was removed in 2011, the option
--enable-local-libopts was removed in January 2022.

Bump PKGREVISION.
   2022-01-19 22:11:11 by Adam Ciarcinski | Files touched by this commit (8) | Package removed
Log message:
gnutls: updated to 3.7.3

Version 3.7.3 (released 2022-01-17)

** libgnutls: The allowlisting configuration mode has been added to the system-wide
   settings. In this mode, all the algorithms are initially marked as insecure
   or disabled, while the applications can re-enable them either through the
   [overrides] section of the configuration file or the new API.

** The build infrastructure no longer depends on GNU AutoGen for generating
   command-line option handling, template file parsing in certtool, and
   documentation generation. This change also removes run-time or
   bundled dependency on the libopts library, and requires Python 3.6 or later
   to regenerate the distribution tarball.

   Note that this brings in known backward incompatibility in command-line
   tools, such as long options are now case sensitive, while previously they
   were treated in a case insensitive manner: for example --RSA is no longer a
   valid option of certtool. The existing scripts using GnuTLS tools may need
   adjustment for this change.

** libgnutls: The tpm2-tss-engine compatible private blobs can be loaded and
   used as a gnutls_privkey_t. The code was originally written for the
   OpenConnect VPN project by David Woodhouse. To generate such blobs, use the
   tpm2tss-genkey tool from tpm2-tss-engine:
   https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
   or the tpm2_encodeobject tool from unreleased tpm2-tools.

** libgnutls: The library now transparently enables Linux KTLS
   (kernel TLS) when the feature is compiled in with --enable-ktls configuration
   option. If the KTLS initialization fails it automatically falls back
   to the user space implementation.

** certtool: The certtool command can now read the Certificate Transparency
   (RFC 6962) SCT extension.  New API functions are also provided to
   access and manipulate the extension values.

** certtool: The certtool command can now generate, manipulate, and evaluate
   x25519 and x448 public keys, private keys, and certificates.

** libgnutls: Disabling a hashing algorithm through "insecure-hash"
   configuration directive now also disables TLS ciphersuites that use it as a
   PRF algorithm.

** libgnutls: PKCS#12 files are now created with modern algorithms by default.
   Previously certtool used PKCS12-3DES-SHA1 for key derivation and
   HMAC-SHA1 as an integity measure in PKCS#12.  Now it uses AES-128-CBC with
   PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the
   default PBKDF2 iteration count has been increased to 600000.

** libgnutls: PKCS#12 keys derived using GOST algorithm now uses
   HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity, to
   conform with the latest TC-26 requirements.

** libgnutls: The library now provides a means to report the status of approved
   cryptographic operations. To adhere to the FIPS140-3 IG 2.4.C., this
   complements the existing mechanism to prohibit the use of unapproved
   algorithms by making the library unusable state.

** gnutls-cli: The gnutls-cli command now provides a --list-config option to
   print the library configuration.

** libgnutls: Fixed possible race condition in
   gnutls_x509_trust_list_verify_crt2 when a single trust list object is shared
   among multiple threads. [GNUTLS-SA-2022-01-17, CVSS: low]

** API and ABI modifications:
GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_privkey_flags_t
GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_certificate_verify_flags
gnutls_ecc_curve_set_enabled: Added.
gnutls_sign_set_secure: Added.
gnutls_sign_set_secure_for_certs: Added.
gnutls_digest_set_secure: Added.
gnutls_protocol_set_enabled: Added.
gnutls_fips140_context_init: New function
gnutls_fips140_context_deinit: New function
gnutls_fips140_push_context: New function
gnutls_fips140_pop_context: New function
gnutls_fips140_get_operation_state: New function
gnutls_fips140_operation_state_t: New enum
gnutls_transport_is_ktls_enabled: New function
gnutls_get_library_configuration: New function