gnutls: Update to 3.6.9

* Version 3.6.9 (released 2019-07-25)

** libgnutls: add gnutls_hash_copy/gnutls_hmac_copy functions that will create a copy
   of digest or MAC context. Copying contexts for externally-registered digest and MAC
   contexts is unupported (#787).

** Marked the crypto implementation override APIs as deprecated. These APIs are rarely
   used, are for a niche use case, but have significant side effects, such as preventing
   any internal re-organization and extension of the internal cipher API. The APIs remain
   functional though a compiler warning will be issued, and a future minor version update
   may transform them to a no-op while keeping ABI compatibility (#789).

** libgnutls: Added support for AES-GMAC, as a separate to GCM, MAC algorithm (#781).

** libgnutls: gnutls_privkey_sign_hash2 now accepts the GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA
   flag as documented. This makes it a complete replacement of gnutls_privkey_sign_hash().

** libgnutls: Added support for Generalname registeredID.

** The priority configuration was enhanced to allow more elaborate
   system-wide configuration of the library (#587).
   The following changes were included:
    - The file is read as an ini file with '#' indicating a comment.
    - The section "[priorities]" or global follows the existing semantics of
      the configuration file, and allows to specify system-wide priority strings
      which are accessed with the '@' prefix.
    - The section "[overrides]" is added with the parameters "insecure-hash",
      "insecure-sig", "insecure-sig-for-cert", "disabled-curve",
      "disabled-version", "min-verification-profile", "tls-disabled-cipher",
      "tls-disabled-mac", "tls-disabled-group", "tls-disabled-kx", which prohibit
      specific algorithms or options globally. Existing algorithms in the
      library can be marked as disabled and insecure, but no hard-coded
      insecure algorithm can be marked as secure (so that the configuration
      cannot be abused to make the system vulnerable).
    - Unknown sections or options are skipped with a debug message, unless
      the GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID environment parameter is
      set to 1.

** libgnutls: Added new flag for GNUTLS_CPUID_OVERRIDE
    - 0x20: Enable SHA_NI instruction set

** API and ABI modifications:
gnutls_crypto_register_cipher: Deprecated
gnutls_crypto_register_aead_cipher: Deprecated
gnutls_crypto_register_digest: Deprecated
gnutls_crypto_register_mac: Deprecated
gnutls_get_system_config_file: Added
gnutls_hash_copy: Added
gnutls_hmac_copy: Added
GNUTLS_MAC_AES_GMAC_128: Added
GNUTLS_MAC_AES_GMAC_192: Added
GNUTLS_MAC_AES_CMAC_256: Added
GNUTLS_SAN_REGISTERED_ID: Added

3 files changed, 13 insertions, 11 deletions

diff --git a/security/gnutls/Makefile b/security/gnutls/Makefile
index e182920a483..bff0711b604 100644
--- a/security/gnutls/Makefile
+++ b/security/gnutls/Makefile
@@ -1,13 +1,12 @@
-# $NetBSD: Makefile,v 1.198 2019/08/11 13:22:46 wiz Exp $
+# $NetBSD: Makefile,v 1.199 2019/09/16 00:28:48 nia Exp $
 
-DISTNAME=	gnutls-3.6.8
-PKGREVISION=	2
+DISTNAME=	gnutls-3.6.9
 CATEGORIES=	security devel
-MASTER_SITES=	ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/
+MASTER_SITES=	https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/
 EXTRACT_SUFX=	.tar.xz
 
 MAINTAINER=	pkgsrc-users@NetBSD.org
-HOMEPAGE=	http://www.gnutls.org/
+HOMEPAGE=	https://www.gnutls.org/
 COMMENT=	GNU Transport Layer Security library
 LICENSE=	gnu-gpl-v3 AND gnu-lgpl-v2.1
 
diff --git a/security/gnutls/PLIST b/security/gnutls/PLIST
index cfcf9215943..11230420db7 100644
--- a/security/gnutls/PLIST
+++ b/security/gnutls/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.64 2019/07/11 14:53:36 sevan Exp $
+@comment $NetBSD: PLIST,v 1.65 2019/09/16 00:28:48 nia Exp $
 bin/certtool
 bin/gnutls-cli
 bin/gnutls-cli-debug
@@ -263,6 +263,7 @@ man/man3/gnutls_ext_set_data.3
 man/man3/gnutls_fingerprint.3
 man/man3/gnutls_fips140_mode_enabled.3
 man/man3/gnutls_fips140_set_mode.3
+man/man3/gnutls_get_system_config_file.3
 man/man3/gnutls_global_deinit.3
 man/man3/gnutls_global_init.3
 man/man3/gnutls_global_set_audit_log_function.3
@@ -288,6 +289,7 @@ man/man3/gnutls_handshake_set_private_extensions.3
 man/man3/gnutls_handshake_set_random.3
 man/man3/gnutls_handshake_set_timeout.3
 man/man3/gnutls_hash.3
+man/man3/gnutls_hash_copy.3
 man/man3/gnutls_hash_deinit.3
 man/man3/gnutls_hash_fast.3
 man/man3/gnutls_hash_get_len.3
@@ -305,6 +307,7 @@ man/man3/gnutls_hex_decode2.3
 man/man3/gnutls_hex_encode.3
 man/man3/gnutls_hex_encode2.3
 man/man3/gnutls_hmac.3
+man/man3/gnutls_hmac_copy.3
 man/man3/gnutls_hmac_deinit.3
 man/man3/gnutls_hmac_fast.3
 man/man3/gnutls_hmac_get_len.3
diff --git a/security/gnutls/distinfo b/security/gnutls/distinfo
index eff2f2542c1..54e996994c8 100644
--- a/security/gnutls/distinfo
+++ b/security/gnutls/distinfo
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.136 2019/08/15 15:46:15 sevan Exp $
+$NetBSD: distinfo,v 1.137 2019/09/16 00:28:48 nia Exp $
 
-SHA1 (gnutls-3.6.8.tar.xz) = e1243188791af409bca118d31faf3ec3d5f0a5ab
-RMD160 (gnutls-3.6.8.tar.xz) = a834679524f95a38a8a1ea77394906db637d33fe
-SHA512 (gnutls-3.6.8.tar.xz) = 71f0899de0ffb2a39b25928042114e2bbfde7fbf2029d9f91f60bf60794916d13f544fc97337e4e3282e7faa17e79a8012b0e08f98805bee543c0ba4e5d5a905
-Size (gnutls-3.6.8.tar.xz) = 5712580 bytes
+SHA1 (gnutls-3.6.9.tar.xz) = 4a12757b129562ae92a01ca890ed282050595296
+RMD160 (gnutls-3.6.9.tar.xz) = 2771adabb5342b24fbebcb69b324924ee2b56513
+SHA512 (gnutls-3.6.9.tar.xz) = a9fd0f4edae4c081d5c539ba2e5574a4d7294bc00c5c73ea25ce26cb7fd126299c2842a282d45ef5cf0544108f27066e587df28776bc7915143d190d7d5b9d07
+Size (gnutls-3.6.9.tar.xz) = 5773928 bytes
 SHA1 (patch-lib_Makefile.in) = c9a6bbe6238ccd9de41c708012e36b202d2a86e7
 SHA1 (patch-lib_accelerated_x86_x86-common.c) = eaf3c473b1ca83c5b15be26f8c06a82d7961420c
 SHA1 (patch-lib_system_certs.c) = fba74b2834a36d66bddcd7d3405d0c91c1b14efc