Subject: CVS commit: pkgsrc/security/gnutls
From: Leonardo Taccari
Date: 2018-12-09 21:12:41
Message id: 20181209201241.DFB4EFB16@cvs.NetBSD.org

Log Message:
gnutls: Update security/gnutls to 3.6.5

pkgsrc changes:
- Remove comments regarding bash and tests (bash was added
  unconditionally due REPLACE_BASH usages)

Changes:
3.6.5
-----
** libgnutls: Provide the option of transparent re-handshake/reauthentication
   when the GNUTLS_AUTO_REAUTH flag is specified in gnutls_init() (#571).
** libgnutls: Added support for TLS 1.3 zero round-trip (0-RTT) mode (#127)
** libgnutls: The priority functions will ignore and not enable TLS1.3 if
   requested with legacy TLS versions enabled but not TLS1.2. That is because
   if such a priority string is used in the client side (e.g., TLS1.3+TLS1.0 enabled)
   servers which do not support TLS1.3 will negotiate TLS1.2 which will be
   rejected by the client as disabled (#621).
** libgnutls: Change RSA decryption to use a new side-channel silent function.
   This addresses a security issue where memory access patterns as well as timing
   on the underlying Nettle rsa-decrypt function could lead to new Bleichenbacher
   attacks. Side-channel resistant code is slower due to the need to mask
   access and timings. When used in TLS the new functions cause RSA based
   handshakes to be between 13% and 28% slower on average (Numbers are indicative,
   the tests where performed on a relatively modern Intel CPU, results vary
   depending on the CPU and architecture used). This change makes nettle 3.4.1
   the minimum requirement of gnutls (#630). [CVSS: medium]
** libgnutls: gnutls_priority_init() and friends, allow the CTYPE-OPENPGP keyword
   in the priority string. It is only accepted as legacy option and is ignored.
** libgnutls: Added support for EdDSA under PKCS#11 (#417)
** libgnutls: Added support for AES-CFB8 cipher (#357)
** libgnutls: Added support for AES-CMAC MAC (#351)
** libgnutls: In two previous versions GNUTLS_CIPHER_GOST28147_CPB/CPC/CPD_CFB \ 
ciphers
   have incorrectly used CryptoPro-A S-BOX instead of proper (CryptoPro-B/-C/-D
   S-BOXes). They are fixed now.
** libgnutls: Added support for GOST key unmasking and unwrapped GOST private
   keys parsing, as specified in R 50.1.112-2016.
** gnutls-serv: It applies the default settings when no --priority option is given,
   using gnutls_set_default_priority().
** p11tool: Fix initialization of security officer's PIN with the --initialize-so-pin
   option (#561)
** certtool: Add parameter --no-text that prevents certtool from outputting
   text before PEM-encoded private key, public key, certificate, CRL or CSR.

** API and ABI modifications:
GNUTLS_AUTO_REAUTH: Added
GNUTLS_CIPHER_AES_128_CFB8: Added
GNUTLS_CIPHER_AES_192_CFB8: Added
GNUTLS_CIPHER_AES_256_CFB8: Added
GNUTLS_MAC_AES_CMAC_128: Added
GNUTLS_MAC_AES_CMAC_256: Added
gnutls_record_get_max_early_data_size: Added
gnutls_record_send_early_data: Added
gnutls_record_recv_early_data: Added
gnutls_db_check_entry_expire_time: Added
gnutls_anti_replay_set_add_function: Added
gnutls_anti_replay_init: Added
gnutls_anti_replay_deinit: Added
gnutls_anti_replay_set_window: Added
gnutls_anti_replay_enable: Added
gnutls_privkey_decrypt_data2: Added

Files:
RevisionActionfile
1.192modifypkgsrc/security/gnutls/Makefile
1.62modifypkgsrc/security/gnutls/PLIST
1.34modifypkgsrc/security/gnutls/buildlink3.mk
1.132modifypkgsrc/security/gnutls/distinfo