author: bsiegert <bsiegert@pkgsrc.org> 2017-01-19 19:55:17 +0000
committer: bsiegert <bsiegert@pkgsrc.org> 2017-01-19 19:55:17 +0000
commit: 39422d943a8f4704edc6fae20c396aaf40789adc (patch)
tree: b92412705206e30687fa556e5010da3b5389702b
parent: 49667c8bfd714043f6a0aeb71fa1f7abe2cf5651 (diff)
download: pkgsrc-39422d943a8f4704edc6fae20c396aaf40789adc.tar.gz

Pullup ticket #5185 - requested by wiz
security/gnutls: security fix

Revisions pulled up:
- security/gnutls/Makefile 1.168-1.169
- security/gnutls/PLIST 1.54
- security/gnutls/distinfo 1.122
- security/gnutls/patches/patch-tests_mini-server-name.c deleted

---
Module Name: pkgsrc
Committed By: maya
Date: Sat Jan 7 18:49:16 UTC 2017

Modified Files:
pkgsrc/security/gnutls: Makefile

Log Message:
gnutls: don't redefine max_align_t on FreeBSD.

It incorrectly fails the configure test because the type in stddef.h is guarded by a c11 macro (most likely). Force the configure test to pass.

From David Shao in PR pkg/51793 (originally from FreeBSD ports).

---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Jan 10 16:23:50 UTC 2017

Modified Files:
pkgsrc/security/gnutls: Makefile PLIST distinfo
Removed Files:
pkgsrc/security/gnutls/patches: patch-tests_mini-server-name.c

Log Message:
Updated gnutls to 3.5.8.

* Version 3.5.8 (released 2016-01-09)

** libgnutls: Ensure that multiple calls to the gnutls_set_priority_* functions will not leave the verification profiles field to an undefined state. The last call will take precedence.

** libgnutls: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned by PKCS#8 decryption functions when an invalid key is provided. This addresses regression on decrypting certain PKCS#8 keys.

** libgnutls: Introduced option to override the default priority string used by the library. The intention is to allow support of system-wide priority strings (as set with --with-system-priority-file). The configure option is --with-default-priority-string.

** libgnutls: Require a valid IV size on all ciphers for PKCS#8 decryption. This prevents crashes when decrypting malformed PKCS#8 keys.

** libgnutls: Fix crash on the loading of malformed private keys with certain parameters set to zero.

** libgnutls: Fix double free in certificate information printing. If the PKIX extension proxy was set with a policy language set but no policy specified, that could lead to a double free.

** libgnutls: Addressed memory leaks in client and server side error paths (issues found using oss-fuzz project)

** libgnutls: Addressed memory leaks in X.509 certificate printing error paths (issues found using oss-fuzz project)

** libgnutls: Addressed memory leaks and an infinite loop in OpenPGP certificate parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project)

** libgnutls: Addressed invalid memory accesses in OpenPGP certificate parsing. (issues found using oss-fuzz project)

** API and ABI modifications:
No changes since last version.

* Version 3.5.7 (released 2016-12-8)

** libgnutls: Include CHACHA20-POLY1305 ciphersuites in the SECURE128 and SECURE256 priority strings.

** libgnutls: Require libtasn1 4.9; this ensures gnutls will correctly operate with OIDs which have elements that exceed 2^32.

** libgnutls: The DN decoding functions output the traditional DN format rather than the strict RFC4514 compliant textual DN. This reverts the 3.5.6 introduced change, and allows applications which depended on the previous format to continue to function. Introduced new functions which output the strict format by default, and can revert to the old one using a flag.

** libgnutls: Improved TPM key handling. Check authorization requirements prior to using a key and fix issue on loop for PIN input. Patches by James Bottomley.

** libgnutls: In all functions accepting UTF-8 passwords, ensure that passwords are normalized according to RFC7613. When invalid UTF-8 passwords are detected, they are only tolerated for decryption. This introduces a libunistring dependency on GnuTLS. A version of libunistring is included in the library for the platforms that do not ship it; it can be used with the '--with-included-unistring' option to configure script.

** libgnutls: When setting a subject alternative name in a certificate which is in UTF-8 format, it will transparently be converted to IDNA form prior to storing.

** libgnutls: GNUTLS_CRT_PRINT_ONELINE flag on gnutls_x509_crt_print() will print the SHA256 key-ID instead of a certificate fingerprint.

** libgnutls: enhance the PKCS#7 verification capabilities. In the case signers that are not discoverable using the trust list or input, use the stored list as pool to generate a trusted chain to the signer.

** libgnutls: Improved MTU calculation precision for the CBC ciphersuites under DTLS.

** libgnutls: [added missing news entry since 3.5.0] No longer tolerate certificate key usage violations for TLS signature verification, and decryption. That is GnuTLS will fail to connect to servers which incorrectly use a restricted to signing certificate for decryption, or vice-versa. This reverts the lax behavior introduced in 3.1.0, due to several such broken servers being available. The %COMPAT priority keyword can be used to work-around connecting on these servers.

** certtool: When exporting a CRQ in DER format ensure no text data are intermixed. Patch by Dmitry Eremin-Solenikov.

** certtool: Include the SHA-256 variant of key ID in --certificate-info options.

** p11tool: Introduced the --initialize-pin and --initialize-so-pin options.

** API and ABI modifications:
gnutls_utf8_password_normalize: Added
gnutls_ocsp_resp_get_responder2: Added
gnutls_x509_crt_get_issuer_dn3: Added
gnutls_x509_crt_get_dn3: Added
gnutls_x509_rdn_get2: Added
gnutls_x509_dn_get_str2: Added
gnutls_x509_crl_get_issuer_dn3: Added
gnutls_x509_crq_get_dn3: Added

* Version 3.5.6 (released 2016-11-04)

** libgnutls: Enhanced the PKCS#7 parser to allow decoding old (pre-rfc5652) structures with arbitrary encapsulated content.

** libgnutls: Introduced a function group to set known DH parameters using groups from RFC7919.

** libgnutls: Added more strict RFC4514 textual DN encoding and decoding. Now the generated textual DN is in reverse order according to RFC4514, and functions which generate a DN from strings such as gnutls_x509_crt_set_*dn() set the expected DN (reverse of the provided string).

** libgnutls: Introduced time and constraints checks in the end certificate in the gnutls_x509_crt_verify_data2() and gnutls_pkcs7_verify_direct() functions.

** libgnutls: Set limits on the maximum number of alerts handled. That is, applications using gnutls could be tricked into a busy loop if the peer sends continuously alert messages. Applications which set a maximum handshake time (via gnutls_handshake_set_timeout) will eventually recover but others may remain in a busy loop indefinitely. This is related but not identical to CVE-2016-8610, due to the difference in alert handling of the libraries (gnutls delegates that handling to applications).

** libgnutls: Reverted the change which made the gnutls_certificate_set_*key* functions return an index (introduced in 3.5.5), to avoid affecting programs which explicitly check success of the function as equality to zero. In order for these functions to return an index an explicit call to gnutls_certificate_set_flags with the GNUTLS_CERTIFICATE_API_V2 flag is now required.

** libgnutls: Reverted the behavior of sending a status request extension even without a response (introduced in 3.5.5). That is, we no longer reply to a client's hello with a status request, with a status request extension. Although that behavior is legal, it creates incompatibility issues with releases in the gnutls 3.3.x branch.

** libgnutls: Delayed the initialization of the random generator at the first call of gnutls_rnd(). This allows applications to load on systems which getrandom() would block, without blocking until real random data are needed.

** certtool: --get-dh-params will output parameters from the RFC7919 groups.

** p11tool: improvements in --initialize option.

** API and ABI modifications:
GNUTLS_CERTIFICATE_API_V2: Added
GNUTLS_NO_TICKETS: Added
gnutls_pkcs7_get_embedded_data_oid: Added
gnutls_anon_set_server_known_dh_params: Added
gnutls_certificate_set_known_dh_params: Added
gnutls_psk_set_server_known_dh_params: Added
gnutls_x509_crt_check_key_purpose: Added

* Version 3.5.5 (released 2016-10-09)

** libgnutls: enhanced gnutls_certificate_set_ocsp_status_request_file() to allow importing multiple OCSP request files, one for each chain provided.

** libgnutls: The gnutls_certificate_set_key* functions return an index of the added chain. That index can be used either with gnutls_certificate_set_ocsp_status_request_file(), or with gnutls_certificate_get_crt_raw() and friends.

** libgnutls: Added SHA*, AES-GCM, AES-CCM and AES-CBC optimized implementations for the aarch64 architecture. Uses Andy Polyakov's assembly code.

** libgnutls: Ensure proper cleanups on gnutls_certificate_set_*key() failures due to key mismatch. This prevents leaks or double freeing on such failures.

** libgnutls: Increased the maximum size of the handshake message hash. This will allow the library to cope better with larger packets, as the ones offered by current TLS 1.3 drafts.

** libgnutls: Allow to use client certificates despite them containing disallowed algorithms for a session. That allows for example a client to use DSA-SHA1 due to his old DSA certificate, without requiring him to enable DSA-SHA1 (and thus make it acceptable for the server's certificate).

** libgnutls: Reverted AESNI code on x86 to earlier version as the latest version was creating position depending code. Added checks in the CI to detect position depending code early.

** guile: Update code to the I/O port API of Guile >= 2.1.4 This makes sure the GnuTLS bindings will work with the forthcoming 2.2 stable series of Guile, of which 2.1 is a preview.

** API and ABI modifications:
gnutls_certificate_set_ocsp_status_request_function2: Added
gnutls_session_ext_register: Added
gnutls_session_supplemental_register: Added
GNUTLS_E_PK_INVALID_PUBKEY: Added
GNUTLS_E_PK_INVALID_PRIVKEY: Added

-rw-r--r-- security/gnutls/Makefile 32
-rw-r--r-- security/gnutls/PLIST 22
-rw-r--r-- security/gnutls/distinfo 11
-rw-r--r-- security/gnutls/patches/patch-tests_mini-server-name.c 18
4 files changed, 39 insertions, 44 deletions

diff --git a/security/gnutls/Makefile b/security/gnutls/Makefile
index dbddc8a74c8..264212e5f37 100644
--- a/security/gnutls/Makefile
+++ b/security/gnutls/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.167 2016/09/20 08:40:15 wiz Exp $
+# $NetBSD: Makefile,v 1.167.4.1 2017/01/19 19:55:17 bsiegert Exp $
-DISTNAME= gnutls-3.5.4
-PKGREVISION= 1
+DISTNAME= gnutls-3.5.8
CATEGORIES= security devel
MASTER_SITES= ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/
EXTRACT_SUFX= .tar.xz
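Review bot: the context line MASTER_SITES= ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/ means the 3.5.8 distfile for this security update is still fetched over unauthenticated FTP, which leaves the distinfo checksums as the only integrity control. Consider listing an HTTPS master site ahead of the FTP one. Dropping PKGREVISION together with the DISTNAME bump is correct.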
@@ -24,9 +23,9 @@ CONFIGURE_ARGS+= --disable-libdane
CONFIGURE_ARGS+= --without-tpm
CONFIGURE_ARGS+= --disable-valgrind-tests
-# as of 3.5.4, 0 test failures
+# as of 3.5.8, 0 test failures
TEST_TARGET= check
-# without the USE_TOOLS line below, two more shell script based tests fail
+# without the USE_TOOLS line below, the fastopen.sh test fails
# but when this line is added, the tool path for bash is embedded
# in to the binaries, so only enable this for testing and
# disable before commit
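Review bot: the updated comment "as of 3.5.8, 0 test failures" does not say on which platform, or whether the result was obtained with the USE_TOOLS line enabled, while the comment two lines below says fastopen.sh fails without it and that the line must be disabled before commit. As written, the committed configuration is expected to show one failure, not zero; state the conditions under which the zero-failure result was measured so the next updater can reproduce it.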
@@ -34,15 +33,15 @@ TEST_TARGET= check
INFO_FILES= yes
-REPLACE_BASH+= tests/cert-tests/openpgp-certs
-REPLACE_BASH+= tests/danetool.sh
-REPLACE_BASH+= tests/ocsp-tests/ocsp-must-staple-connection
-REPLACE_BASH+= tests/ocsp-tests/ocsp-tls-connection
-REPLACE_BASH+= tests/key-tests/dsa
-REPLACE_BASH+= tests/suite/testcompat-main-polarssl
-REPLACE_BASH+= tests/suite/testcompat-main-openssl
-REPLACE_BASH+= tests/fastopen.sh
-REPLACE_BASH+= tests/starttls.sh
+REPLACE_BASH+= tests/cert-tests/openpgp-certs
+REPLACE_BASH+= tests/danetool.sh
+REPLACE_BASH+= tests/ocsp-tests/ocsp-must-staple-connection
+REPLACE_BASH+= tests/ocsp-tests/ocsp-tls-connection
+REPLACE_BASH+= tests/key-tests/dsa
+REPLACE_BASH+= tests/suite/testcompat-main-polarssl
+REPLACE_BASH+= tests/suite/testcompat-main-openssl
+REPLACE_BASH+= tests/fastopen.sh
+REPLACE_BASH+= tests/starttls.sh
REPLACE_PERL+= doc/scripts/gdoc doc/scripts/sort2.pl
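Review bot: the nine REPLACE_BASH lines are removed and re-added with the same paths, so this hunk is a whitespace-only change. In a pullup to a stable branch that is noise which makes the security-relevant changes harder to audit; leave it out or say in the log that it is alignment only. Since the list is carried over unchanged from 3.5.4, it is also worth confirming that each listed script still exists in the 3.5.8 tarball.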
@@ -57,6 +56,8 @@ EGDIR= ${PREFIX}/share/examples/gnutls
# Assembler support is broken for SunOS in 3.2.9.
CONFIGURE_ARGS.SunOS+= --disable-hardware-acceleration
+CONFIGURE_ARGS.FreeBSD+= ac_cv_type_max_align_t=yes
+
INSTALLATION_DIRS= ${DOCDIR} ${EGDIR} include/gnutls
post-install:
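Review bot: CONFIGURE_ARGS.FreeBSD+= ac_cv_type_max_align_t=yes overrides a configure check with no comment in the Makefile saying why. The reason (the stddef.h definition is guarded by a macro, PR pkg/51793) exists only in the commit log. Add a one-line comment with the PR number above the assignment so the override gets revisited, because a forced "yes" stays in effect for every FreeBSD version and compiler mode, including ones where the type really is missing.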
@@ -73,10 +74,11 @@ post-install:
CHECK_BUILTIN.zlib:=yes
.include "../../devel/zlib/buildlink3.mk"
.include "../../devel/gmp/buildlink3.mk"
-BUILDLINK_API_DEPENDS.libtasn1+= libtasn1>=0.3.4
+BUILDLINK_API_DEPENDS.libtasn1+= libtasn1>=4.9
.include "../../security/libtasn1/buildlink3.mk"
BUILDLINK_API_DEPENDS.nettle+= nettle>=3.1
.include "../../security/nettle/buildlink3.mk"
+.include "../../textproc/libunistring/buildlink3.mk"
# guile is useful for selftests, but bindings should be separate pkgs
#.include "../../lang/guile20/buildlink3.mk"
.include "../../mk/bsd.pkg.mk"
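Review bot: the new textproc/libunistring include has no matching CONFIGURE_ARGS, so nothing in this hunk forces configure to use the pkgsrc copy rather than the bundled one that the 3.5.7 notes mention ('--with-included-unistring'). Confirm from the build log which copy is linked, so that later libunistring fixes reach this package through the dependency and not through a frozen bundled copy. Raising libtasn1 to >=4.9 matches the requirement stated for 3.5.7.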
diff --git a/security/gnutls/PLIST b/security/gnutls/PLIST
index b2b60967e96..6b48437e668 100644
--- a/security/gnutls/PLIST
+++ b/security/gnutls/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.53 2016/09/19 12:33:10 wiz Exp $
+@comment $NetBSD: PLIST,v 1.53.4.1 2017/01/19 19:55:17 bsiegert Exp $
bin/certtool
bin/gnutls-cli
bin/gnutls-cli-debug
@@ -83,6 +83,7 @@ man/man3/gnutls_anon_free_client_credentials.3
man/man3/gnutls_anon_free_server_credentials.3
man/man3/gnutls_anon_set_params_function.3
man/man3/gnutls_anon_set_server_dh_params.3
+man/man3/gnutls_anon_set_server_known_dh_params.3
man/man3/gnutls_anon_set_server_params_function.3
man/man3/gnutls_auth_client_get_type.3
man/man3/gnutls_auth_get_type.3
@@ -114,8 +115,10 @@ man/man3/gnutls_certificate_server_set_request.3
man/man3/gnutls_certificate_set_dh_params.3
man/man3/gnutls_certificate_set_flags.3
man/man3/gnutls_certificate_set_key.3
+man/man3/gnutls_certificate_set_known_dh_params.3
man/man3/gnutls_certificate_set_ocsp_status_request_file.3
man/man3/gnutls_certificate_set_ocsp_status_request_function.3
+man/man3/gnutls_certificate_set_ocsp_status_request_function2.3
man/man3/gnutls_certificate_set_openpgp_key.3
man/man3/gnutls_certificate_set_openpgp_key_file.3
man/man3/gnutls_certificate_set_openpgp_key_file2.3
@@ -170,7 +173,6 @@ man/man3/gnutls_cipher_get_name.3
man/man3/gnutls_cipher_get_tag_size.3
man/man3/gnutls_cipher_init.3
man/man3/gnutls_cipher_list.3
-man/man3/gnutls_cipher_self_test.3
man/man3/gnutls_cipher_set_iv.3
man/man3/gnutls_cipher_suite_get_name.3
man/man3/gnutls_cipher_suite_info.3
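Review bot: gnutls_cipher_self_test.3 is dropped from the PLIST here, and the digest, mac and pk self_test pages are dropped in later hunks, yet the quoted release notes for 3.5.5 through 3.5.8 list only additions under "API and ABI modifications". Say in the log whether upstream stopped installing these man pages or whether they are missing from this particular build, so the removal is not mistaken for a packaging error and the PLIST does not differ between build configurations.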
@@ -219,7 +221,6 @@ man/man3/gnutls_digest_get_id.3
man/man3/gnutls_digest_get_name.3
man/man3/gnutls_digest_get_oid.3
man/man3/gnutls_digest_list.3
-man/man3/gnutls_digest_self_test.3
man/man3/gnutls_dtls_cookie_send.3
man/man3/gnutls_dtls_cookie_verify.3
man/man3/gnutls_dtls_get_data_mtu.3
@@ -301,7 +302,6 @@ man/man3/gnutls_mac_get_key_size.3
man/man3/gnutls_mac_get_name.3
man/man3/gnutls_mac_get_nonce_size.3
man/man3/gnutls_mac_list.3
-man/man3/gnutls_mac_self_test.3
man/man3/gnutls_memcmp.3
man/man3/gnutls_memset.3
man/man3/gnutls_ocsp_req_add_cert.3
@@ -326,6 +326,7 @@ man/man3/gnutls_ocsp_resp_get_extension.3
man/man3/gnutls_ocsp_resp_get_nonce.3
man/man3/gnutls_ocsp_resp_get_produced.3
man/man3/gnutls_ocsp_resp_get_responder.3
+man/man3/gnutls_ocsp_resp_get_responder2.3
man/man3/gnutls_ocsp_resp_get_responder_raw_id.3
man/man3/gnutls_ocsp_resp_get_response.3
man/man3/gnutls_ocsp_resp_get_signature.3
@@ -437,7 +438,6 @@ man/man3/gnutls_pk_get_id.3
man/man3/gnutls_pk_get_name.3
man/man3/gnutls_pk_get_oid.3
man/man3/gnutls_pk_list.3
-man/man3/gnutls_pk_self_test.3
man/man3/gnutls_pk_to_sign.3
man/man3/gnutls_pkcs11_add_provider.3
man/man3/gnutls_pkcs11_copy_attached_extension.3
@@ -538,6 +538,7 @@ man/man3/gnutls_pkcs7_get_crt_count.3
man/man3/gnutls_pkcs7_get_crt_raw.3
man/man3/gnutls_pkcs7_get_crt_raw2.3
man/man3/gnutls_pkcs7_get_embedded_data.3
+man/man3/gnutls_pkcs7_get_embedded_data_oid.3
man/man3/gnutls_pkcs7_get_signature_count.3
man/man3/gnutls_pkcs7_get_signature_info.3
man/man3/gnutls_pkcs7_import.3
@@ -624,6 +625,7 @@ man/man3/gnutls_psk_set_server_credentials_file.3
man/man3/gnutls_psk_set_server_credentials_function.3
man/man3/gnutls_psk_set_server_credentials_hint.3
man/man3/gnutls_psk_set_server_dh_params.3
+man/man3/gnutls_psk_set_server_known_dh_params.3
man/man3/gnutls_psk_set_server_params_function.3
man/man3/gnutls_pubkey_deinit.3
man/man3/gnutls_pubkey_encrypt_data.3
@@ -696,6 +698,7 @@ man/man3/gnutls_session_channel_binding.3
man/man3/gnutls_session_enable_compatibility_mode.3
man/man3/gnutls_session_etm_status.3
man/man3/gnutls_session_ext_master_secret_status.3
+man/man3/gnutls_session_ext_register.3
man/man3/gnutls_session_force_valid.3
man/man3/gnutls_session_get_data.3
man/man3/gnutls_session_get_data2.3
@@ -716,6 +719,7 @@ man/man3/gnutls_session_set_ptr.3
man/man3/gnutls_session_set_verify_cert.3
man/man3/gnutls_session_set_verify_cert2.3
man/man3/gnutls_session_set_verify_function.3
+man/man3/gnutls_session_supplemental_register.3
man/man3/gnutls_session_ticket_enable_client.3
man/man3/gnutls_session_ticket_enable_server.3
man/man3/gnutls_session_ticket_key_generate.3
@@ -797,6 +801,7 @@ man/man3/gnutls_transport_set_pull_timeout_function.3
man/man3/gnutls_transport_set_push_function.3
man/man3/gnutls_transport_set_vec_push_function.3
man/man3/gnutls_url_is_supported.3
+man/man3/gnutls_utf8_password_normalize.3
man/man3/gnutls_verify_stored_pubkey.3
man/man3/gnutls_x509_aia_deinit.3
man/man3/gnutls_x509_aia_get.3
@@ -828,6 +833,7 @@ man/man3/gnutls_x509_crl_get_extension_info.3
man/man3/gnutls_x509_crl_get_extension_oid.3
man/man3/gnutls_x509_crl_get_issuer_dn.3
man/man3/gnutls_x509_crl_get_issuer_dn2.3
+man/man3/gnutls_x509_crl_get_issuer_dn3.3
man/man3/gnutls_x509_crl_get_issuer_dn_by_oid.3
man/man3/gnutls_x509_crl_get_next_update.3
man/man3/gnutls_x509_crl_get_number.3
@@ -865,6 +871,7 @@ man/man3/gnutls_x509_crq_get_basic_constraints.3
man/man3/gnutls_x509_crq_get_challenge_password.3
man/man3/gnutls_x509_crq_get_dn.3
man/man3/gnutls_x509_crq_get_dn2.3
+man/man3/gnutls_x509_crq_get_dn3.3
man/man3/gnutls_x509_crq_get_dn_by_oid.3
man/man3/gnutls_x509_crq_get_dn_oid.3
man/man3/gnutls_x509_crq_get_extension_by_oid.3
@@ -912,6 +919,7 @@ man/man3/gnutls_x509_crt_check_email.3
man/man3/gnutls_x509_crt_check_hostname.3
man/man3/gnutls_x509_crt_check_hostname2.3
man/man3/gnutls_x509_crt_check_issuer.3
+man/man3/gnutls_x509_crt_check_key_purpose.3
man/man3/gnutls_x509_crt_check_revocation.3
man/man3/gnutls_x509_crt_cpy_crl_dist_points.3
man/man3/gnutls_x509_crt_deinit.3
@@ -928,6 +936,7 @@ man/man3/gnutls_x509_crt_get_ca_status.3
man/man3/gnutls_x509_crt_get_crl_dist_points.3
man/man3/gnutls_x509_crt_get_dn.3
man/man3/gnutls_x509_crt_get_dn2.3
+man/man3/gnutls_x509_crt_get_dn3.3
man/man3/gnutls_x509_crt_get_dn_by_oid.3
man/man3/gnutls_x509_crt_get_dn_oid.3
man/man3/gnutls_x509_crt_get_expiration_time.3
@@ -944,6 +953,7 @@ man/man3/gnutls_x509_crt_get_issuer_alt_name2.3
man/man3/gnutls_x509_crt_get_issuer_alt_othername_oid.3
man/man3/gnutls_x509_crt_get_issuer_dn.3
man/man3/gnutls_x509_crt_get_issuer_dn2.3
+man/man3/gnutls_x509_crt_get_issuer_dn3.3
man/man3/gnutls_x509_crt_get_issuer_dn_by_oid.3
man/man3/gnutls_x509_crt_get_issuer_dn_oid.3
man/man3/gnutls_x509_crt_get_issuer_unique_id.3
@@ -1030,6 +1040,7 @@ man/man3/gnutls_x509_dn_export.3
man/man3/gnutls_x509_dn_export2.3
man/man3/gnutls_x509_dn_get_rdn_ava.3
man/man3/gnutls_x509_dn_get_str.3
+man/man3/gnutls_x509_dn_get_str2.3
man/man3/gnutls_x509_dn_import.3
man/man3/gnutls_x509_dn_init.3
man/man3/gnutls_x509_dn_oid_known.3
@@ -1115,6 +1126,7 @@ man/man3/gnutls_x509_privkey_sign_hash.3
man/man3/gnutls_x509_privkey_verify_params.3
man/man3/gnutls_x509_privkey_verify_seed.3
man/man3/gnutls_x509_rdn_get.3
+man/man3/gnutls_x509_rdn_get2.3
man/man3/gnutls_x509_rdn_get_by_oid.3
man/man3/gnutls_x509_rdn_get_oid.3
man/man3/gnutls_x509_tlsfeatures_add.3
diff --git a/security/gnutls/distinfo b/security/gnutls/distinfo
index 37707a6f520..ff527e6261c 100644
--- a/security/gnutls/distinfo
+++ b/security/gnutls/distinfo
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.121 2016/09/19 15:32:47 wiz Exp $
+$NetBSD: distinfo,v 1.121.4.1 2017/01/19 19:55:17 bsiegert Exp $
-SHA1 (gnutls-3.5.4.tar.xz) = d2b9d5f7ad158c5b2a636660fc445765ffd92c75
-RMD160 (gnutls-3.5.4.tar.xz) = d4bb8babd43455bcec24f1298710b576ae996f44
-SHA512 (gnutls-3.5.4.tar.xz) = 175aab43b6349a62530938333910feb26ea5d923e151a9942fd5a6989f87193b18862e69bbbdb6308f889585d428d689d8fd3a6e8149f9fd1ac2882802ea6a9f
-Size (gnutls-3.5.4.tar.xz) = 6930620 bytes
+SHA1 (gnutls-3.5.8.tar.xz) = 238d5e62f9bb078101131dd2f4c7f2c1ac13e813
+RMD160 (gnutls-3.5.8.tar.xz) = 77cd2f4a6da7cf1eece05422bc86b29833b08772
+SHA512 (gnutls-3.5.8.tar.xz) = e6cdc4f9f2e41bd10e61b90b6b5ea3882c80a7130de8a0e9c23e373985cdc332128529dad49d6854fe93ee934e1bbde8b34dfd19e354b3a8e11b22d61424292e
+Size (gnutls-3.5.8.tar.xz) = 7264448 bytes
SHA1 (patch-ae) = 5e020483ac14ef6ccc45a53e351242ab16c860f1
SHA1 (patch-lib_Makefile.in) = d0e292e632a91a9f19e39bd2c2d205a086ba5588
SHA1 (patch-src_libopts_autoopts_options.h) = 9202c55314fe8764ac82c95bbfabfa1b031e9ba4
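Review bot: the new SHA1, RMD160 and SHA512 values for gnutls-3.5.8.tar.xz cannot be checked from the diff, and the distfile comes from an FTP master site, so the log should state how the tarball was verified (for example against an upstream release signature) before these digests were recorded. Of the three, only SHA512 offers meaningful collision resistance; the SHA1 and RMD160 lines should not be treated as sufficient on their own.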
@@ -11,4 +11,3 @@ SHA1 (patch-src_libopts_compat_compat.h) = 240fbfc0ba20af35e0634ba873fe9e34bfbcc
SHA1 (patch-src_libopts_libopts.c) = ce5e7681def882e95ed5ab770564d1f999b97039
SHA1 (patch-src_libopts_makeshell.c) = e5b7d66caaec45e12ae5490d515fc9fc75de3d92
SHA1 (patch-src_libopts_proto.h) = 78f845bdcbac8de74953a3cee0b77fa9c5b05386
-SHA1 (patch-tests_mini-server-name.c) = 5cf02775d81d01f133475e86940a222d18da5848
diff --git a/security/gnutls/patches/patch-tests_mini-server-name.c b/security/gnutls/patches/patch-tests_mini-server-name.c
deleted file mode 100644
index a22073f3b23..00000000000
--- a/security/gnutls/patches/patch-tests_mini-server-name.c
+++ /dev/null
@@ -1,18 +0,0 @@
-$NetBSD: patch-tests_mini-server-name.c,v 1.1 2016/09/19 15:32:47 wiz Exp $
-
-Only test DNS UTF-8 support when building with libidn.
-https://gitlab.com/gnutls/gnutls/commit/480c9f572c511230699a1d35d3053515058584c2
-
---- tests/mini-server-name.c.orig 2016-09-03 08:29:22.000000000 +0000
-+++ tests/mini-server-name.c
-@@ -341,8 +341,10 @@ void doit(void)
- start(0, "", 0, "", 0);
- start(0, "test.example.com", strlen("test.example.com"), "test.example.com", strlen("test.example.com"));
- start(0, "longtest.example.com.", strlen("longtest.example.com"), "longtest.example.com.", strlen("longtest.example.com"));
-+#ifdef HAVE_LIBIDN
- /* test invalid UTF8 */
- start(1, "invalid\xff.example.com.", sizeof("invalid\xff.example.com")-1, NULL, 0);
-+#endif
- /* test embedded NULL */
- start(1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0);
- }
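Review bot: deleting this patch is only safe if 3.5.8 already contains the upstream commit referenced in the patch header, which guards the invalid UTF-8 server-name test with HAVE_LIBIDN; the log does not say so. Because the Makefile comment now claims 0 test failures and the package gains a libunistring dependency, confirm that tests/mini-server-name passes in a build without libidn before relying on that claim.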