Update to 3.2.7:

* Version 3.2.7 (released 2013-11-23)

** libgnutls: gnutls_cipher_get_iv_size() now returns the correct IV size in
GCM ciphers (previously it returned the implicit IV used in TLS).

** libgnutls: gnutls_certificate_set_x509_key_file() et al when provided
with a PKCS #11 URL pointing to a certificate, will attempt to load the whole
chain.

** libgnutls: When traversing PKCS #11 tokens looking for an object, avoid
looking in unrelated to the object tokens.

** libgnutls: Added an experimental %DUMBFW option in priority strings. This
avoids a black hole behavior in some firewalls by sending a large client hello.
See http://www.ietf.org/mail-archive/web/tls/current/msg10423.html

** libgnutls: The GNUTLS_DEBUG_LEVEL variable if set to a log level number
will force output of debug messages to stderr.

** libgnutls: Fixed the setting of the ciphersuite when gnutls_premaster_set()
is used with another protocol than the GNUTLS_DTLS0_9 protocol.

** libgnutls: gnutls_x509_crt_set_expiration_time() will set the no well defined
expiration date when (time_t)-1 is specified as date.

** libgnutls: Session tickets are encrypted using AES-GCM.

** libgnutls: Corrected issue in record decompression. Issue pinpointed
by Frank Zschockel.

** libgnutls: Forbid all compression methods in DTLS.

** gnutls-serv: Fixed issue with IPv6 address in UDP mode.

** certtool: When exporting an encrypted PEM private key do not output the key
parameters.

** certtool: Expiration days template option allows for a -1 value which
will set to the no well defined expiration date (RFC5280), and no longer
chokes on integer overflows. Suggested by Stefan Buehler.

** certtool: Added new template options: 'activation_date', and
'expiration_date'.

** tools: The environment variable GNUTLS_PIN can be used to read any PIN
requested from tokens.

** tools: The installed version of libopts is used if the autogen tool is
present.

** API and ABI modifications:
gnutls_pkcs11_obj_export3: Added
gnutls_pkcs11_get_raw_issuer: Added
gnutls_est_record_overhead_size: Exported

security/gnutls/Makefile

@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.134 2013/11/04 08:22:54 wiz Exp $
+# $NetBSD: Makefile,v 1.135 2013/11/29 22:55:29 wiz Exp $
 
-DISTNAME=	gnutls-3.2.6
+DISTNAME=	gnutls-3.2.7
 CATEGORIES=	security devel
 MASTER_SITES=	ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/
 EXTRACT_SUFX=	.tar.xz

security/gnutls/PLIST

@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.48 2013/10/31 14:41:48 wiz Exp $
+@comment $NetBSD: PLIST,v 1.49 2013/11/29 22:55:29 wiz Exp $
 bin/certtool
 bin/danetool
 bin/gnutls-cli
@@ -66,6 +66,7 @@ man/man3/gnutls_bye.3
 man/man3/gnutls_certificate_activation_time_peers.3
 man/man3/gnutls_certificate_allocate_credentials.3
 man/man3/gnutls_certificate_client_get_request_status.3
+man/man3/gnutls_certificate_client_set_retrieve_function.3
 man/man3/gnutls_certificate_expiration_time_peers.3
 man/man3/gnutls_certificate_free_ca_names.3
 man/man3/gnutls_certificate_free_cas.3
@@ -79,6 +80,7 @@ man/man3/gnutls_certificate_get_peers.3
 man/man3/gnutls_certificate_get_peers_subkey_id.3
 man/man3/gnutls_certificate_send_x509_rdn_sequence.3
 man/man3/gnutls_certificate_server_set_request.3
+man/man3/gnutls_certificate_server_set_retrieve_function.3
 man/man3/gnutls_certificate_set_dh_params.3
 man/man3/gnutls_certificate_set_key.3
 man/man3/gnutls_certificate_set_ocsp_status_request_file.3
@@ -339,6 +341,7 @@ man/man3/gnutls_openpgp_privkey_get_preferred_key_id.3
 man/man3/gnutls_openpgp_privkey_get_revoked_status.3
 man/man3/gnutls_openpgp_privkey_get_subkey_count.3
 man/man3/gnutls_openpgp_privkey_get_subkey_creation_time.3
+man/man3/gnutls_openpgp_privkey_get_subkey_expiration_time.3
 man/man3/gnutls_openpgp_privkey_get_subkey_fingerprint.3
 man/man3/gnutls_openpgp_privkey_get_subkey_id.3
 man/man3/gnutls_openpgp_privkey_get_subkey_idx.3
@@ -375,10 +378,12 @@ man/man3/gnutls_pkcs11_copy_x509_privkey.3
 man/man3/gnutls_pkcs11_deinit.3
 man/man3/gnutls_pkcs11_delete_url.3
 man/man3/gnutls_pkcs11_get_pin_function.3
+man/man3/gnutls_pkcs11_get_raw_issuer.3
 man/man3/gnutls_pkcs11_init.3
 man/man3/gnutls_pkcs11_obj_deinit.3
 man/man3/gnutls_pkcs11_obj_export.3
 man/man3/gnutls_pkcs11_obj_export2.3
+man/man3/gnutls_pkcs11_obj_export3.3
 man/man3/gnutls_pkcs11_obj_export_url.3
 man/man3/gnutls_pkcs11_obj_get_info.3
 man/man3/gnutls_pkcs11_obj_get_type.3
@@ -898,6 +903,18 @@ man/man3/gnutls_x509_trust_list_remove_trust_file.3
 man/man3/gnutls_x509_trust_list_remove_trust_mem.3
 man/man3/gnutls_x509_trust_list_verify_crt.3
 man/man3/gnutls_x509_trust_list_verify_named_crt.3
+man/man3/xssl_client_init.3
+man/man3/xssl_cred_deinit.3
+man/man3/xssl_cred_init.3
+man/man3/xssl_deinit.3
+man/man3/xssl_flush.3
+man/man3/xssl_get_session.3
+man/man3/xssl_getdelim.3
+man/man3/xssl_printf.3
+man/man3/xssl_read.3
+man/man3/xssl_server_init.3
+man/man3/xssl_sinit.3
+man/man3/xssl_write.3
 share/examples/gnutls/ex-alert.c
 share/examples/gnutls/ex-cert-select-pkcs11.c
 share/examples/gnutls/ex-cert-select.c

security/gnutls/distinfo

@@ -1,11 +1,13 @@
-$NetBSD: distinfo,v 1.99 2013/10/31 14:41:48 wiz Exp $
+$NetBSD: distinfo,v 1.100 2013/11/29 22:55:29 wiz Exp $
 
-SHA1 (gnutls-3.2.6.tar.xz) = eb5a404d297e8ee2f344bcd9cdeea86fe8977287
-RMD160 (gnutls-3.2.6.tar.xz) = df4105b28241eac7ac18206e24ea3dc9723dc697
-Size (gnutls-3.2.6.tar.xz) = 4992204 bytes
+SHA1 (gnutls-3.2.7.tar.xz) = 8c86048e7c01abb25f9285188d629f1f0f2bc6be
+RMD160 (gnutls-3.2.7.tar.xz) = 3a3135441555b1c67a06696d973895b68a11c68a
+Size (gnutls-3.2.7.tar.xz) = 5098572 bytes
 SHA1 (patch-ae) = 71fbbeb43ac1689fca6fec7f8348d8534c1dc38a
+SHA1 (patch-configure) = 66927d81a0d22624d70181e73e6a2b856483118e
 SHA1 (patch-gl_stdio.in.h) = b5802da2cccddd6fab73bd39c49f7d62bef58464
-SHA1 (patch-lib_Makefile.in) = 949df8644a1f6085d8ad63984188cee0518a837a
-SHA1 (patch-lib_nettle_egd.c) = b7e9769e8c620519c43ca7b7481a558e9d389c68
+SHA1 (patch-lib_Makefile.in) = 00cbff0bfaf8f5b8ec6db8dbe12d14a1cb3ffb9b
+SHA1 (patch-lib_nettle_egd.c) = 7c04ce0e731ad55b3baae3d1d53dda29c50972c1
+SHA1 (patch-lib_nettle_rnd.c) = c0b0bd744e2370abd111f5418668bbf4dc0ea35d
 SHA1 (patch-src_libopts_autoopts_options.h) = 60be5b43f23ba5978759c1e245781da7f9125071
 SHA1 (patch-src_libopts_compat_compat.h) = 2e0a1be460917b2d7a8f6bdac698dad405143013

security/gnutls/patches/patch-configure

@@ -0,0 +1,13 @@
+$NetBSD: patch-configure,v 1.1 2013/11/29 22:55:29 wiz Exp $
+
+--- configure.orig	2013-11-29 17:00:05.000000000 +0000
++++ configure
+@@ -48402,7 +48402,7 @@ $as_echo "#define NO_OPTIONAL_OPT_ARGS 1
+
+           fi    # end of AC_DEFUN of LIBOPTS_CHECK
+
+-if test "$NEED_LIBOPTS_DIR" == "true";then
++if test "$NEED_LIBOPTS_DIR" = "true";then
+ 		for i in ${srcdir}/src/*-args.c.bak ${srcdir}/src/*-args.h.bak; do
+ 		nam=`echo $i|sed 's/.bak//g'`
+ 		if test -f $i;then

security/gnutls/patches/patch-lib_Makefile.in

@@ -1,8 +1,8 @@
-$NetBSD: patch-lib_Makefile.in,v 1.3 2013/08/01 20:00:59 adam Exp $
+$NetBSD: patch-lib_Makefile.in,v 1.4 2013/11/29 22:55:29 wiz Exp $
 
---- lib/Makefile.in.orig	2013-07-29 14:23:14.000000000 +0000
+--- lib/Makefile.in.orig	2013-11-23 10:09:55.000000000 +0000
 +++ lib/Makefile.in
-@@ -369,7 +369,7 @@ am_libgnutls_la_OBJECTS = $(am__objects_
+@@ -362,7 +362,7 @@ am_libgnutls_la_OBJECTS = $(am__objects_
  libgnutls_la_OBJECTS = $(am_libgnutls_la_OBJECTS)
  libgnutls_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
  	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
@@ -11,3 +11,12 @@ $NetBSD: patch-lib_Makefile.in,v 1.3 2013/08/01 20:00:59 adam Exp $
  @ENABLE_CXX_TRUE@libgnutlsxx_la_DEPENDENCIES = libgnutls.la
  am__libgnutlsxx_la_SOURCES_DIST = gnutlsxx.cpp
  @ENABLE_CXX_TRUE@am_libgnutlsxx_la_OBJECTS =  \
+@@ -1445,7 +1445,7 @@ infodir = @infodir@
+ install_sh = @install_sh@
+ libdir = @libdir@
+ libexecdir = @libexecdir@
+-localedir = $(datadir)/locale
++localedir = /usr/pkg/share/locale
+ localstatedir = @localstatedir@
+ mandir = @mandir@
+ mkdir_p = @mkdir_p@

security/gnutls/patches/patch-lib_nettle_egd.c

@@ -1,17 +1,62 @@
-$NetBSD: patch-lib_nettle_egd.c,v 1.1 2011/05/02 09:27:44 obache Exp $
+$NetBSD: patch-lib_nettle_egd.c,v 1.2 2013/11/29 22:55:29 wiz Exp $
 
-* for backward compatibility for lack of AF_LOCAL.
+http://lists.gnupg.org/pipermail/gnutls-devel/2013-November/006588.html
 
---- lib/nettle/egd.c.orig	2011-04-08 00:30:45.000000000 +0000
+--- lib/nettle/egd.c.orig	2013-11-10 17:59:14.000000000 +0000
 +++ lib/nettle/egd.c
-@@ -37,6 +37,10 @@
- #define offsetof(type, member) ((size_t) &((type *)0)->member)
- #endif
+@@ -155,12 +155,10 @@ int _rndegd_connect_socket(void)
 
-+#ifndef AF_LOCAL
-+#define AF_LOCAL AF_UNIX
-+#endif
-+
- static int egd_socket = -1;
+ 	fd = socket(LOCAL_SOCKET_TYPE, SOCK_STREAM, 0);
+ 	if (fd == -1) {
+-		_gnutls_debug_log("can't create unix domain socket: %s\n",
+-				  strerror(errno));
++		_gnutls_debug_log("can't create unix domain socket\n");
+ 		return -1;
+ 	} else if (connect(fd, (struct sockaddr *) &addr, addr_len) == -1) {
+-		_gnutls_debug_log("can't connect to EGD socket `%s': %s\n",
+-				  name, strerror(errno));
++		_gnutls_debug_log("can't connect to EGD socket `%s'\n", name);
+ 		close(fd);
+ 		fd = -1;
+ 	}
+@@ -202,13 +200,11 @@ int _rndegd_read(int *fd, void *_output,
+ 	buffer[1] = nbytes;
 
- static int
+ 	if (do_write(*fd, buffer, 2) == -1)
+-		_gnutls_debug_log("can't write to the EGD: %s\n",
+-				  strerror(errno));
++		_gnutls_debug_log("can't write to the EGD\n");
+
+ 	n = do_read(*fd, buffer, 1);
+ 	if (n == -1) {
+-		_gnutls_debug_log("read error on EGD: %s\n",
+-				  strerror(errno));
++		_gnutls_debug_log("read error on EGD\n");
+ 		do_restart = 1;
+ 		goto restart;
+ 	}
+@@ -217,8 +213,7 @@ int _rndegd_read(int *fd, void *_output,
+ 	if (n) {
+ 		n = do_read(*fd, buffer, n);
+ 		if (n == -1) {
+-			_gnutls_debug_log("read error on EGD: %s\n",
+-					  strerror(errno));
++			_gnutls_debug_log("read error on EGD\n");
+ 			do_restart = 1;
+ 			goto restart;
+ 		}
+@@ -240,12 +235,10 @@ int _rndegd_read(int *fd, void *_output,
+ 		buffer[0] = 2;	/* blocking */
+ 		buffer[1] = nbytes;
+ 		if (do_write(*fd, buffer, 2) == -1)
+-			_gnutls_debug_log("can't write to the EGD: %s\n",
+-					  strerror(errno));
++			_gnutls_debug_log("can't write to the EGD\n");
+ 		n = do_read(*fd, buffer, nbytes);
+ 		if (n == -1) {
+-			_gnutls_debug_log("read error on EGD: %s\n",
+-					  strerror(errno));
++			_gnutls_debug_log("read error on EGD\n");
+ 			do_restart = 1;
+ 			goto restart;
+ 		}

security/gnutls/patches/patch-lib_nettle_rnd.c

@@ -0,0 +1,26 @@
+$NetBSD: patch-lib_nettle_rnd.c,v 1.1 2013/11/29 22:55:29 wiz Exp $
+
+http://lists.gnupg.org/pipermail/gnutls-devel/2013-November/006588.html
+
+--- lib/nettle/rnd.c.orig	2013-11-10 17:59:14.000000000 +0000
++++ lib/nettle/rnd.c
+@@ -90,8 +90,7 @@ static int do_trivia_source(int init)
+ 	memcpy(&event.now, &current_time, sizeof(event.now));
+ #ifdef HAVE_GETRUSAGE
+ 	if (getrusage(RUSAGE_SELF, &event.rusage) < 0) {
+-		_gnutls_debug_log("getrusage failed: %s\n",
+-				  strerror(errno));
++		_gnutls_debug_log("getrusage failed\n");
+ 		abort();
+ 	}
+ #endif
+@@ -244,8 +243,7 @@ static int do_device_source_urandom(int 
+ 			if (res <= 0) {
+ 				if (res < 0) {
+ 					_gnutls_debug_log
+-					    ("Failed to read /dev/urandom: %s\n",
+-					     strerror(errno));
++					    ("Failed to read /dev/urandom\n");
+ 				} else {
+ 					_gnutls_debug_log
+ 					    ("Failed to read /dev/urandom: end of file\n");