Pullup ticket #6232 - requested by maya

security/gnutls: security fix Revisions pulled up: - security/gnutls/Makefile 1.210-1.213 - security/gnutls/PLIST 1.70-1.71 - security/gnutls/PLIST.guile 1.1 - security/gnutls/buildlink3.mk 1.37 - security/gnutls/distinfo 1.143-1.144 - security/gnutls/options.mk 1.3 - security/gnutls/patches/patch-configure 1.5 --- Module Name: pkgsrc Committed By: adam Date: Wed Apr 1 08:24:07 UTC 2020 Modified Files: pkgsrc/security/gnutls: Makefile PLIST distinfo Added Files: pkgsrc/security/gnutls/patches: patch-configure Log Message: gnutls: updated to 3.6.13 Version 3.6.13: ** libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3 support), since 3.6.3. The DTLS client would not contribute any randomness to the DTLS negotiation, breaking the security guarantees of the DTLS protocol [GNUTLS-SA-2020-03-31, CVSS: high] ** libgnutls: Added new APIs to access KDF algorithms. ** libgnutls: Added new callback gnutls_keylog_func that enables a custom logging functionality. ** libgnutls: Added support for non-null terminated usernames in PSK negotiation. ** gnutls-cli-debug: Improved support for old servers that only support SSL 3.0. ** API and ABI modifications: gnutls_hkdf_extract: Added gnutls_hkdf_expand: Added gnutls_pbkdf2: Added gnutls_session_get_keylog_function: Added gnutls_session_set_keylog_function: Added gnutls_prf_hash_get: Added gnutls_psk_server_get_username2: Added gnutls_psk_set_client_credentials2: Added gnutls_psk_set_client_credentials_function2: Added gnutls_psk_set_server_credentials_function2: Added --- Module Name: pkgsrc Committed By: nikita Date: Thu May 14 14:30:02 UTC 2020 Modified Files: pkgsrc/security/gnutls: Makefile buildlink3.mk options.mk Added Files: pkgsrc/security/gnutls: PLIST.guile Log Message: security/gnutls: revbump, add support for building guile bindings --- Module Name: pkgsrc Committed By: leot Date: Mon Jun 8 19:48:14 UTC 2020 Modified Files: pkgsrc/security/gnutls: Makefile PLIST distinfo Log Message: gnutls: Update to 3.6.14 Changes: 3.6.14 ------ * libgnutls: Fixed insecure session ticket key construction, since 3.6.4. The TLS server would not bind the session ticket encryption key with a value supplied by the application until the initial key rotation, allowing attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2 (#1011). [GNUTLS-SA-2020-06-03, CVSS: high] * libgnutls: Fixed handling of certificate chain with cross-signed intermediate CA certificates (#1008). * libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997). * libgnutls: gnutls_x509_crt_print() is enhanced to recognizes commonName (2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority Key Identifier (AKI) properly (#989, #991). * certtool: PKCS #7 attributes are now printed with symbolic names (!1246). * libgnutls: Added several improvements on Windows Vista and later releases (!1257, !1254, !1256). Most notably the system random number generator now uses Windows BCrypt* API if available (!1255). * libgnutls: Use accelerated AES-XTS implementation if possible (!1244). Also both accelerated and non-accelerated implementations check key block according to FIPS-140-2 IG A.9 (!1233). * libgnutls: Added support for AES-SIV ciphers (#463). * libgnutls: Added support for 192-bit AES-GCM cipher (!1267). * libgnutls: No longer use internal symbols exported from Nettle (!1235) * API and ABI modifications: GNUTLS_CIPHER_AES_128_SIV: Added GNUTLS_CIPHER_AES_256_SIV: Added GNUTLS_CIPHER_AES_192_GCM: Added gnutls_pkcs7_print_signature_info: Added
NetBSD · Jun 9, 2020 · b13e4f6 · b13e4f6
1 parent b81de8f
commit b13e4f6
Show file tree

Hide file tree

Showing 7 changed files with 62 additions and 13 deletions.
diff --git a/security/gnutls/Makefile b/security/gnutls/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.209 2020/03/22 12:21:59 rillig Exp $
+# $NetBSD: Makefile,v 1.209.2.1 2020/06/09 11:55:34 bsiegert Exp $
 
-DISTNAME=	gnutls-3.6.12
-PKGREVISION=	1
+DISTNAME=	gnutls-3.6.14
 CATEGORIES=	security devel
 MASTER_SITES=	https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/
 EXTRACT_SUFX=	.tar.xz
@@ -22,7 +21,6 @@ USE_TOOLS+=			msgfmt msgmerge xgettext
 GNU_CONFIGURE=			yes
 # this library duplicates (and conflicts with) openssl
 CONFIGURE_ARGS+=		--disable-openssl-compatibility
-CONFIGURE_ARGS+=		--disable-guile
 CONFIGURE_ARGS+=		--disable-libdane
 CONFIGURE_ARGS+=		--without-idn
 CONFIGURE_ARGS+=		--without-tpm

diff --git a/security/gnutls/PLIST b/security/gnutls/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.69 2020/02/09 13:56:28 wiz Exp $
+@comment $NetBSD: PLIST,v 1.69.2.1 2020/06/09 11:55:34 bsiegert Exp $
 bin/certtool
 bin/gnutls-cli
 bin/gnutls-cli-debug
@@ -261,6 +261,7 @@ man/man3/gnutls_est_record_overhead_size.3
 man/man3/gnutls_ext_get_current_msg.3
 man/man3/gnutls_ext_get_data.3
 man/man3/gnutls_ext_get_name.3
+man/man3/gnutls_ext_get_name2.3
 man/man3/gnutls_ext_raw_parse.3
 man/man3/gnutls_ext_register.3
 man/man3/gnutls_ext_set_data.3
@@ -310,6 +311,8 @@ man/man3/gnutls_hex_decode.3
 man/man3/gnutls_hex_decode2.3
 man/man3/gnutls_hex_encode.3
 man/man3/gnutls_hex_encode2.3
+man/man3/gnutls_hkdf_expand.3
+man/man3/gnutls_hkdf_extract.3
 man/man3/gnutls_hmac.3
 man/man3/gnutls_hmac_copy.3
 man/man3/gnutls_hmac_deinit.3
@@ -388,6 +391,7 @@ man/man3/gnutls_openpgp_privkey_sign_hash.3
 man/man3/gnutls_openpgp_send_cert.3
 man/man3/gnutls_packet_deinit.3
 man/man3/gnutls_packet_get.3
+man/man3/gnutls_pbkdf2.3
 man/man3/gnutls_pcert_deinit.3
 man/man3/gnutls_pcert_export_openpgp.3
 man/man3/gnutls_pcert_export_x509.3
@@ -520,6 +524,7 @@ man/man3/gnutls_pkcs7_get_signature_info.3
 man/man3/gnutls_pkcs7_import.3
 man/man3/gnutls_pkcs7_init.3
 man/man3/gnutls_pkcs7_print.3
+man/man3/gnutls_pkcs7_print_signature_info.3
 man/man3/gnutls_pkcs7_set_crl.3
 man/man3/gnutls_pkcs7_set_crl_raw.3
 man/man3/gnutls_pkcs7_set_crt.3
@@ -533,6 +538,7 @@ man/man3/gnutls_pkcs_schema_get_name.3
 man/man3/gnutls_pkcs_schema_get_oid.3
 man/man3/gnutls_prf.3
 man/man3/gnutls_prf_early.3
+man/man3/gnutls_prf_hash_get.3
 man/man3/gnutls_prf_raw.3
 man/man3/gnutls_prf_rfc5705.3
 man/man3/gnutls_priority_certificate_type_list.3
@@ -609,11 +615,15 @@ man/man3/gnutls_psk_client_get_hint.3
 man/man3/gnutls_psk_free_client_credentials.3
 man/man3/gnutls_psk_free_server_credentials.3
 man/man3/gnutls_psk_server_get_username.3
+man/man3/gnutls_psk_server_get_username2.3
 man/man3/gnutls_psk_set_client_credentials.3
+man/man3/gnutls_psk_set_client_credentials2.3
 man/man3/gnutls_psk_set_client_credentials_function.3
+man/man3/gnutls_psk_set_client_credentials_function2.3
 man/man3/gnutls_psk_set_params_function.3
 man/man3/gnutls_psk_set_server_credentials_file.3
 man/man3/gnutls_psk_set_server_credentials_function.3
+man/man3/gnutls_psk_set_server_credentials_function2.3
 man/man3/gnutls_psk_set_server_credentials_hint.3
 man/man3/gnutls_psk_set_server_dh_params.3
 man/man3/gnutls_psk_set_server_known_dh_params.3
@@ -711,6 +721,7 @@ man/man3/gnutls_session_get_desc.3
 man/man3/gnutls_session_get_flags.3
 man/man3/gnutls_session_get_id.3
 man/man3/gnutls_session_get_id2.3
+man/man3/gnutls_session_get_keylog_function.3
 man/man3/gnutls_session_get_master_secret.3
 man/man3/gnutls_session_get_ptr.3
 man/man3/gnutls_session_get_random.3
@@ -720,6 +731,7 @@ man/man3/gnutls_session_key_update.3
 man/man3/gnutls_session_resumption_requested.3
 man/man3/gnutls_session_set_data.3
 man/man3/gnutls_session_set_id.3
+man/man3/gnutls_session_set_keylog_function.3
 man/man3/gnutls_session_set_premaster.3
 man/man3/gnutls_session_set_ptr.3
 man/man3/gnutls_session_set_verify_cert.3

diff --git a/security/gnutls/PLIST.guile b/security/gnutls/PLIST.guile
@@ -0,0 +1,10 @@
+@comment $NetBSD: PLIST.guile,v 1.1.2.2 2020/06/09 11:55:34 bsiegert Exp $
+guile/2.2/lib/guile/2.2/extensions/guile-gnutls-v-2.a
+guile/2.2/lib/guile/2.2/extensions/guile-gnutls-v-2.la
+guile/2.2/lib/guile/2.2/extensions/guile-gnutls-v-2.so
+guile/2.2/lib/guile/2.2/extensions/guile-gnutls-v-2.so.0
+guile/2.2/lib/guile/2.2/extensions/guile-gnutls-v-2.so.0.0.0
+guile/2.2/lib/guile/2.2/site-ccache/gnutls.go
+guile/2.2/lib/guile/2.2/site-ccache/gnutls/extra.go
+guile/2.2/share/guile/site/2.2/gnutls.scm
+guile/2.2/share/guile/site/2.2/gnutls/extra.scm
diff --git a/security/gnutls/buildlink3.mk b/security/gnutls/buildlink3.mk
@@ -1,4 +1,4 @@
-# $NetBSD: buildlink3.mk,v 1.36 2020/03/08 16:48:06 wiz Exp $
+# $NetBSD: buildlink3.mk,v 1.36.2.1 2020/06/09 11:55:34 bsiegert Exp $
 
 BUILDLINK_TREE+=	gnutls
 
@@ -18,6 +18,12 @@ BUILDLINK_API_DEPENDS.nettle+=		nettle>=3.4.1
 .include "../../security/nettle/buildlink3.mk"
 .include "../../security/p11-kit/buildlink3.mk"
 .include "../../textproc/libunistring/buildlink3.mk"
+.if !empty(PKG_BUILD_OPTIONS.gnutls:Mdane)
+.include "../../net/unbound/buildlink3.mk"
+.endif
+.if !empty(PKG_BUILD_OPTIONS.gnutls:Mguile)
+.include "../../lang/guile22/buildlink3.mk"
+.endif
 .endif # GNUTLS_BUILDLINK3_MK
 
 BUILDLINK_TREE+=	-gnutls
diff --git a/security/gnutls/distinfo b/security/gnutls/distinfo
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.142 2020/02/09 13:56:28 wiz Exp $
+$NetBSD: distinfo,v 1.142.2.1 2020/06/09 11:55:34 bsiegert Exp $
 
-SHA1 (gnutls-3.6.12.tar.xz) = fa498b4d026e3ddfa74aa79adac27bfcd14e8b76
-RMD160 (gnutls-3.6.12.tar.xz) = f76e05c4a5f6c15277259b874bca475089c02630
-SHA512 (gnutls-3.6.12.tar.xz) = e1031fd1239d8b0f056a6b736e4c72c9268fb635f273527f310771c608b841cad7b6631401382ec3040d9b539180bf421882bf43427ad3549a5787d2864c2fa5
-Size (gnutls-3.6.12.tar.xz) = 5942064 bytes
+SHA1 (gnutls-3.6.14.tar.xz) = bea1b5abcb691acf014e592f41d0a9580a41216a
+RMD160 (gnutls-3.6.14.tar.xz) = 89c4f89e4453c2d08ad0918fbf099d9fbcfe9cba
+SHA512 (gnutls-3.6.14.tar.xz) = b2d427b5542a4679117c011dffa8efb0e0bffa3ce9cebc319f8998d03f80f4168d08f9fda35df18dbeaaada59e479d325a6c1c77d5ca7f8ce221b44e42bfe604
+Size (gnutls-3.6.14.tar.xz) = 6069088 bytes
+SHA1 (patch-configure) = 3653f74914f874aa369f62c8b267a46fd6b78eaa
 SHA1 (patch-lib_system_certs.c) = fba74b2834a36d66bddcd7d3405d0c91c1b14efc
 SHA1 (patch-src_libopts_autoopts_options.h) = ebeeafc834bce3b6b3f938e360b089e165ee4f9e
 SHA1 (patch-src_libopts_compat_compat.h) = 6e88b5e73a56c296f356aa5ce7e6048e1bcff450

diff --git a/security/gnutls/options.mk b/security/gnutls/options.mk
@@ -1,7 +1,7 @@
-# $NetBSD: options.mk,v 1.2 2019/10/04 17:25:53 nia Exp $
+# $NetBSD: options.mk,v 1.2.2.1 2020/06/09 11:55:34 bsiegert Exp $
 
 PKG_OPTIONS_VAR=	PKG_OPTIONS.gnutls
-PKG_SUPPORTED_OPTIONS=	dane
+PKG_SUPPORTED_OPTIONS=	dane guile
 
 .include "../../mk/bsd.options.mk"
 
@@ -12,3 +12,11 @@ PLIST_SRC+=		PLIST.dane
 .else
 CONFIGURE_ARGS+=	--disable-libdane
 .endif
+
+.if !empty(PKG_OPTIONS:Mguile)
+.include "../../lang/guile22/buildlink3.mk"
+CONFIGURE_ARGS+=	--enable-guile
+PLIST_SRC+=		PLIST.guile
+.else
+CONFIGURE_ARGS+=	--disable-guile
+.endif
diff --git a/security/gnutls/patches/patch-configure b/security/gnutls/patches/patch-configure
@@ -0,0 +1,14 @@
+$NetBSD: patch-configure,v 1.5.2.2 2020/06/09 11:55:34 bsiegert Exp $
+
+Fix linking on Darwin.
+
+--- configure.orig	2020-03-19 15:24:05.000000000 +0000
++++ configure
+@@ -9698,7 +9698,6 @@ $as_echo "#define _UNICODE 1" >>confdefs
+   *darwin*)
+     have_macosx=yes
+     save_LDFLAGS="$LDFLAGS"
+-                LDFLAGS="$LDFLAGS -Wl,-no_weak_imports"
+     { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker supports -Wl,-no_weak_imports" >&5
+ $as_echo_n "checking whether the linker supports -Wl,-no_weak_imports... " >&6; }
+     cat confdefs.h - <<_ACEOF >conftest.$ac_ext