From 0e949f9a9f572f84fd959b6f09306d345638cdd8 Mon Sep 17 00:00:00 2001
From: he <he>
Date: Thu, 18 May 2017 07:54:26 +0000
Subject: [PATCH] Update to GnuTLS 3.5.12.

Pkgsrc changes:
Adapt PLIST.

Upstream changes:

* Version 3.5.12 (released 2017-05-11)

** libgnutls: enabled TCP Fast open for MacOSX. Patch by Tim Ruehsen.

** libgnutls: gnutls_x509_crt_check_hostname2() no longer matches IP addresses
   against DNS fields of certificate (CN or DNSname). The previous behavior
   was to tolerate some misconfigured servers, but that was non-standard
   and skipped any IP constraints present in higher level certificates.

** libgnutls: when converting to IDNA2008, fallback to IDNA2003
   (i.e., transitional encoding) if the domain cannot be converted.
   That provides maximum compatibility with browsers like firefox
   that perform the same conversion.

** libgnutls: fix issue in RSA-PSK client callback which resulted
   in no username being sent to the peer. Patch by Nicolas Dufresne.

** libgnutls: fix regression causing stapled extensions in trust modules not
   to be considered.

** certtool: introduced the email_protection_key option.  This
   option was introduced in documentation for certtool without an
   implementation of it.  It is a shortcut for option 'key_purpose_oid
   = 1.3.6.1.5.5.7.3.4'.

** certtool: made printing of key ID and key PIN consistent between
   certificates, public keys, and private keys. That is the private
   key printing now uses the same format as the rest.

** gnutls-cli: introduced the --sni-hostname option. This allows overriding the
   hostname advertised to the peer.

** API and ABI modifications:
No changes since last version.


* Version 3.5.11 (released 2017-04-07)

** gnutls.pc: do not include libtool options into Libs.private.

** libgnutls: Fixed issue when rehandshaking without a client certificate in
   a session which initially used one. Reported by Frantisek Sumsal.

** libgnutls: Addressed read of 4 bytes past the end of buffer in OpenPGP
   certificate parsing. Issues found using oss-fuzz project and were fixed
   by Alex Gaynor:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=737
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=824

** libgnutls: Introduced locks in gnutls_pkcs11_privkey_t structure access.
   That allows PKCS#11 operations such as signing to be performed with the
   same object from multiple threads.

** libgnutls: Added support for MacOSX key chain for obtaining
   trust store's root CA certificates. That is,
   gnutls_x509_trust_list_add_system_trust() and
   gnutls_certificate_set_x509_system_trust() will load the certificates
   from the key chain. That also means that we no longer check for a
   default trust store file in configure when building on MacOSX (unless
   explicitly asked to).  Patch by David Caldwell.

** libgnutls: when disabling OpenPGP authentication, the resulting library
   is ABI compatible (with openpgp related functions being stubs that fail
   on invocation).

** API and ABI modifications:
No changes since last version.


* Version 3.5.10 (released 2017-03-06)

** gnutls.pc: do not include libidn2 in Requires.private. The
   libidn2 versions available do not include libidn2.pc, thus the
   inclusion was causing pkg-config issues. Instead we include
   -lidn2 in Libs.private when compile against libidn2.

** libgnutls: optimized access to subject alternative names (SANs)
   in parsed certificates. The previous implementation assumed a
   small number of SANs in a certificate, with repeated calls to
   ASN.1 decoding of the extension without any intermediate caching.
   That caused delays in certificates with a long list of names in
   functions such as gnutls_x509_crt_check_hostname().  With the
   current code, the SANs are parsed once on certificate import.
   Resolves gitlab issue #165.

** libgnutls: Addressed integer overflow resulting to invalid memory
   write in OpenPGP certificate parsing. Issue found using oss-fuzz
   project:  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420
   [GNUTLS-SA-2017-3A]

** libgnutls: Addressed read of 1 byte past the end of buffer in OpenPGP
   certificate parsing. Issue found using oss-fuzz project:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=391

** libgnutls: Addressed crashes in OpenPGP certificate parsing, related
   to private key parser. No longer allow OpenPGP certificates (public keys)
   to contain private key sub-packets. Issue found using oss-fuzz project:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360 [GNUTLS-SA-2017-3B]

** libgnutls: Addressed large allocation in OpenPGP certificate parsing, that
   could lead in out-of-memory condition. Issue found using oss-fuzz project,
   and was fixed by Alex Gaynor:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392 [GNUTLS-SA-2017-3C]

** libgnutls: Print the key PIN value used by the HPKP protocol as per RFC7469
   when printing certificate information.

** libgnutls: gnutls_ocsp_resp_verify_direct() and gnutls_ocsp_resp_verify()
   flags can be set from the gnutls_certificate_verify_flags enumeration.
   This allows the functions to pass the same flags available for certificates
   to the verification function (e.g., GNUTLS_VERIFY_DISABLE_TIME_CHECKS or
   GNUTLS_VERIFY_ALLOW_BROKEN).

** libgnutls: gnutls_store_commitment() can accept flag
   GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN. This is to allow the function to operate
   in applications which use SHA1 for example, after SHA1 is deprecated.

** certtool: No longer ignore the 'add_critical_extension' template option if
   the 'add_extension' option is not present.

** gnutls-cli: Added LMTP, POP3, NNTP, Sieve and PostgreSQL support to the
   starttls-proto command. Patch by Robert Scheck.

** API and ABI modifications:
No changes since last version.
---
 security/gnutls/Makefile |  4 ++--
 security/gnutls/PLIST    | 12 +++++++++++-
 security/gnutls/distinfo | 10 +++++-----
 3 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/security/gnutls/Makefile b/security/gnutls/Makefile
index ce35a17c28fef..9e413b3f3bb41 100644
--- a/security/gnutls/Makefile
+++ b/security/gnutls/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.170 2017/02/26 09:19:56 adam Exp $
+# $NetBSD: Makefile,v 1.171 2017/05/18 07:54:26 he Exp $
 
-DISTNAME=	gnutls-3.5.9
+DISTNAME=	gnutls-3.5.12
 CATEGORIES=	security devel
 MASTER_SITES=	ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/
 EXTRACT_SUFX=	.tar.xz
diff --git a/security/gnutls/PLIST b/security/gnutls/PLIST
index b521e8c2c195f..f734836dfb87d 100644
--- a/security/gnutls/PLIST
+++ b/security/gnutls/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.55 2017/02/26 09:19:56 adam Exp $
+@comment $NetBSD: PLIST,v 1.56 2017/05/18 07:54:26 he Exp $
 bin/certtool
 bin/gnutls-cli
 bin/gnutls-cli-debug
@@ -1079,6 +1079,15 @@ man/man3/gnutls_x509_trust_list_remove_trust_mem.3
 man/man3/gnutls_x509_trust_list_verify_crt.3
 man/man3/gnutls_x509_trust_list_verify_crt2.3
 man/man3/gnutls_x509_trust_list_verify_named_crt.3
+share/doc/gnutls/gnutls-client-server-use-case.png
+share/doc/gnutls/gnutls-handshake-sequence.png
+share/doc/gnutls/gnutls-handshake-state.png
+share/doc/gnutls/gnutls-internals.png
+share/doc/gnutls/gnutls-layers.png
+share/doc/gnutls/gnutls-logo.png
+share/doc/gnutls/gnutls-modauth.png
+share/doc/gnutls/gnutls-x509.png
+share/doc/gnutls/pkcs11-vision.png
 share/examples/gnutls/ex-alert.c
 share/examples/gnutls/ex-cert-select-pkcs11.c
 share/examples/gnutls/ex-cert-select.c
@@ -1121,3 +1130,4 @@ share/locale/sv/LC_MESSAGES/gnutls.mo
 share/locale/uk/LC_MESSAGES/gnutls.mo
 share/locale/vi/LC_MESSAGES/gnutls.mo
 share/locale/zh_CN/LC_MESSAGES/gnutls.mo
+
diff --git a/security/gnutls/distinfo b/security/gnutls/distinfo
index d49394e736bb0..eadced15e20ab 100644
--- a/security/gnutls/distinfo
+++ b/security/gnutls/distinfo
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.124 2017/04/10 10:43:49 jperkin Exp $
+$NetBSD: distinfo,v 1.125 2017/05/18 07:54:26 he Exp $
 
-SHA1 (gnutls-3.5.9.tar.xz) = f3f184a92f128af1c2fb29b29a4d325af65694a5
-RMD160 (gnutls-3.5.9.tar.xz) = a200b078cf9204f70dfaae7c045fc2f762a22809
-SHA512 (gnutls-3.5.9.tar.xz) = 17a05143eaa70ee61b149a5f09ae7a688cb3f314ad1e67ce41a778e5960717e276cc780f3db9b6923c14c4d998e17563c134cab5297502181cd2dabb47da3515
-Size (gnutls-3.5.9.tar.xz) = 7166932 bytes
+SHA1 (gnutls-3.5.12.tar.xz) = 9f453686bc6b1e6ebc04197158a2bc123c0272df
+RMD160 (gnutls-3.5.12.tar.xz) = ffdd1b7af9376cee94e81fefd929ee6a41cd8fcb
+SHA512 (gnutls-3.5.12.tar.xz) = 8fec23e7e494a2e15e0f938115cae1ba3fee952d634db387f983b01096f68ca4313b23bc4c439d3c7fdd07c861eac4913a7c2343c8704961588ae195886ec90c
+Size (gnutls-3.5.12.tar.xz) = 7212652 bytes
 SHA1 (patch-ae) = 5e020483ac14ef6ccc45a53e351242ab16c860f1
 SHA1 (patch-lib_Makefile.in) = d0e292e632a91a9f19e39bd2c2d205a086ba5588
 SHA1 (patch-lib_accelerated_x86_x86-common.c) = 7a46ef6892b3a06ff4c949a965073c720a2491a4