gnutls: upgraded package to upstream

Upgraded net-libs/gnutls to version 3.7.6 on amd64, arm64

BUG=b/244292308
TEST=sponge2/87c386fb-d814-48cf-8453-de364a3c8352
RELEASE_NOTE=upgrade gnutls to 3.7.6 and fix CVE-2021-4209

Change-Id: Ie1ffa3beb1285747e8d2b1b64857e601cefd8f3e
Reviewed-on: https://cos-review.googlesource.com/c/third_party/overlays/portage-stable/+/36556
Reviewed-by: Meena Shanmugam <meenashanmugam@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
diff --git a/net-libs/gnutls/Manifest b/net-libs/gnutls/Manifest
index 94f3fc8..f468c56 100644
--- a/net-libs/gnutls/Manifest
+++ b/net-libs/gnutls/Manifest
@@ -1 +1,4 @@
-DIST gnutls-3.7.1.tar.xz 6038388 BLAKE2B 1d55eb441827c7148d63bcad37bf7bc62d539ee9bc7e14c2fe5ec1d0bdcadd75e2cbc98ba104523b24c8dfd9526b4595475a818d206971cc012fac509cd33a6f SHA512 0fe801f03676c3bd970387f94578c8be7ba6030904989e7d21dffdc726209bab44c8096fbcb6d51fed2de239537bd00df2338ee9c8d984a1c386826b91062a95
+DIST gnutls-3.7.6.tar.xz 6338276 BLAKE2B 9f3cce8dfc0b88f2c42d1d2633417dac649a265407b620b6d15967e5210debb99d287ef31d2b9dc37a527ac1e5b9db4c240b98a63293078fbd2e26ac694bf3d3 SHA512 f872339df80ec31d292821ff00eaafbe50e0bd4cdbb86e21e4f78541cd0a26d843596d5e69c91de4db8ce7d027fc639ae6462b57d89fb116162ae63c5a97486a
+DIST gnutls-3.7.6.tar.xz.sig 685 BLAKE2B eae022d6cb0d772e465257411381afd97f3dfd19d6f794a1c3e0f8c3c1232a8a1b91269ca7252a5662782183b11ca393c31efe3f88171a526884400fd0534528 SHA512 c969da9a938b9d29a70cea3b00cce337f9a4c4304aae7f501ef6263894f81a420395ddbe1b005f35dff2e900d3fac75e288f10bbfde0ebea034f7e257bb16d0e
+DIST gnutls-3.7.7.tar.xz 6351664 BLAKE2B a66037ecc6da660ff12949f50012840263c2e0b174079e41b62a2d884f060cee56f0c64a2815d07321a54b08cce016d2b4c8f0e059636c1ab5f7db9c8d64c7c6 SHA512 ba00b20126379ec7e96c6bfa606cfb7bb0d9a5853318b29b5278a42a85ae40d39d8442778938e1f165debcdb1adaf9c63bcec59a4eb3387dd1ac99b08bcc5c08
+DIST gnutls-3.7.7.tar.xz.sig 685 BLAKE2B 53d76a06ed5a74664d6c193459eb310f06e87dd3db97aca9e9fa78837677df58d8de66f187c182b9375786ee0308c5da55f08414183c959c7acb4527c38cd7c7 SHA512 6463bc4661e20051ff9f31c1a557cece34d06b748f4e24f98e807ddc72a3daa9348aa9f0afa83a0f9cd226421c575210eec1936fbeb9a55849e2c397ace9d03d
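Review bot: The new Manifest carries DIST entries for gnutls-3.7.7.tar.xz and its .sig, but this change only produces a 3.7.6 ebuild (the 3.7.1 ebuild is renamed to gnutls-3.7.6.ebuild), so unless a 3.7.7 ebuild exists elsewhere in this directory those two lines are unreferenced and the next `ebuild … manifest` run will drop them. Unreferenced checksums do not weaken integrity checking, but they make the Manifest a misleading record of what the overlay actually ships; either drop the two 3.7.7 lines or add the matching ebuild in the same change. The 3.7.6 .sig entry is what the ebuild's new verify-sig SRC_URI needs, so that one should stay.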
diff --git a/net-libs/gnutls/files/gnutls-3.6.15-skip-dtls-seccomp-tests.patch b/net-libs/gnutls/files/gnutls-3.6.15-skip-dtls-seccomp-tests.patch
deleted file mode 100644
index dad6cec..0000000
--- a/net-libs/gnutls/files/gnutls-3.6.15-skip-dtls-seccomp-tests.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-https://bugs.gentoo.org/649396
-https://bugs.gentoo.org/711104
-
---- a/tests/dtls-client-with-seccomp.c
-+++ b/tests/dtls-client-with-seccomp.c
-@@ -27,7 +27,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- 
--#if defined(_WIN32) || !defined(HAVE_LIBSECCOMP)
-+#if 1
- 
- int main()
- {
---- a/tests/dtls-with-seccomp.c
-+++ b/tests/dtls-with-seccomp.c
-@@ -27,7 +27,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- 
--#if defined(_WIN32) || !defined(HAVE_LIBSECCOMP)
-+#if 1
- 
- int main()
- {
- 
diff --git a/net-libs/gnutls/files/gnutls-3.7.0-ignore-duplicate-certificates.patch b/net-libs/gnutls/files/gnutls-3.7.0-ignore-duplicate-certificates.patch
deleted file mode 100644
index b014381..0000000
--- a/net-libs/gnutls/files/gnutls-3.7.0-ignore-duplicate-certificates.patch
+++ /dev/null
@@ -1,403 +0,0 @@
-From 09b40be6e0e0a59ba4bd764067eb353241043a70 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Mon, 28 Dec 2020 12:14:13 +0100
-Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: ignore duplicate
- certificates
-
-The commit ebb19db9165fed30d73c83bab1b1b8740c132dfd caused a
-regression, where duplicate certificates in a certificate chain are no
-longer ignored but treated as a non-contiguous segment and that
-results in calling the issuer callback, or a verification failure.
-
-This adds a mechanism to record certificates already seen in the
-chain, and skip them while still allow the caller to inject missing
-certificates.
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
-Co-authored-by: Andreas Metzler <ametzler@debian.org>
----
- lib/x509/common.c          |   8 ++
- lib/x509/verify-high.c     | 157 +++++++++++++++++++++++++++++++------
- tests/missingissuer.c      |   2 +
- tests/test-chains-issuer.h | 101 +++++++++++++++++++++++-
- 4 files changed, 245 insertions(+), 23 deletions(-)
-
-diff --git a/lib/x509/common.c b/lib/x509/common.c
-index 3301aaad0c..10c8db53c0 100644
---- a/lib/x509/common.c
-+++ b/lib/x509/common.c
-@@ -1758,6 +1758,14 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
- 	 * increasing DEFAULT_MAX_VERIFY_DEPTH.
- 	 */
- 	for (i = 0; i < clist_size; i++) {
-+		/* Self-signed certificate found in the chain; skip it
-+		 * as it should only appear in the trusted set.
-+		 */
-+		if (gnutls_x509_crt_check_issuer(clist[i], clist[i])) {
-+			_gnutls_cert_log("self-signed cert found", clist[i]);
-+			continue;
-+		}
-+
- 		for (j = 1; j < clist_size; j++) {
- 			if (i == j)
- 				continue;
-diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
-index 588e7ee0dc..9a16e6b42a 100644
---- a/lib/x509/verify-high.c
-+++ b/lib/x509/verify-high.c
-@@ -67,6 +67,80 @@ struct gnutls_x509_trust_list_iter {
- 
- #define DEFAULT_SIZE 127
- 
-+struct cert_set_node_st {
-+	gnutls_x509_crt_t *certs;
-+	unsigned int size;
-+};
-+
-+struct cert_set_st {
-+	struct cert_set_node_st *node;
-+	unsigned int size;
-+};
-+
-+static int
-+cert_set_init(struct cert_set_st *set, unsigned int size)
-+{
-+	memset(set, 0, sizeof(*set));
-+
-+	set->size = size;
-+	set->node = gnutls_calloc(size, sizeof(*set->node));
-+	if (!set->node) {
-+		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-+	}
-+
-+	return 0;
-+}
-+
-+static void
-+cert_set_deinit(struct cert_set_st *set)
-+{
-+	size_t i;
-+
-+	for (i = 0; i < set->size; i++) {
-+		gnutls_free(set->node[i].certs);
-+	}
-+
-+	gnutls_free(set->node);
-+}
-+
-+static bool
-+cert_set_contains(struct cert_set_st *set, const gnutls_x509_crt_t cert)
-+{
-+	size_t hash, i;
-+
-+	hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
-+	hash %= set->size;
-+
-+	for (i = 0; i < set->node[hash].size; i++) {
-+		if (unlikely(gnutls_x509_crt_equals(set->node[hash].certs[i], cert))) {
-+			return true;
-+		}
-+	}
-+
-+	return false;
-+}
-+
-+static int
-+cert_set_add(struct cert_set_st *set, const gnutls_x509_crt_t cert)
-+{
-+	size_t hash;
-+
-+	hash = hash_pjw_bare(cert->raw_dn.data, cert->raw_dn.size);
-+	hash %= set->size;
-+
-+	set->node[hash].certs =
-+		gnutls_realloc_fast(set->node[hash].certs,
-+				    (set->node[hash].size + 1) *
-+				    sizeof(*set->node[hash].certs));
-+	if (!set->node[hash].certs) {
-+		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-+	}
-+	set->node[hash].certs[set->node[hash].size] = cert;
-+	set->node[hash].size++;
-+
-+	return 0;
-+}
-+
- /**
-  * gnutls_x509_trust_list_init:
-  * @list: A pointer to the type to be initialized
-@@ -1328,6 +1402,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
- 	unsigned have_set_name = 0;
- 	unsigned saved_output;
- 	gnutls_datum_t ip = {NULL, 0};
-+	struct cert_set_st cert_set = { NULL, 0 };
- 
- 	if (cert_list == NULL || cert_list_size < 1)
- 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-@@ -1376,36 +1451,68 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
- 	memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
- 	cert_list = sorted;
- 
-+	ret = cert_set_init(&cert_set, DEFAULT_MAX_VERIFY_DEPTH);
-+	if (ret < 0) {
-+		return ret;
-+	}
-+
- 	for (i = 0; i < cert_list_size &&
--		     cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; i++) {
--		if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
--			unsigned int sorted_size;
-+		     cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) {
-+		unsigned int sorted_size = 1;
-+		unsigned int j;
-+		gnutls_x509_crt_t issuer;
- 
-+		if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) {
- 			sorted_size = _gnutls_sort_clist(&cert_list[i],
- 							 cert_list_size - i);
--			i += sorted_size - 1;
- 		}
- 
--		if (i == cert_list_size - 1) {
--			gnutls_x509_crt_t issuer;
--
--			/* If it is the last certificate and its issuer is
--			 * known, don't need to run issuer callback. */
--			if (_gnutls_trust_list_get_issuer(list,
--							  cert_list[i],
--							  &issuer,
--							  0) == 0) {
-+		/* Remove duplicates. Start with index 1, as the first element
-+		 * may be re-checked after issuer retrieval. */
-+		for (j = 1; j < sorted_size; j++) {
-+			if (cert_set_contains(&cert_set, cert_list[i + j])) {
-+				if (i + j < cert_list_size - 1) {
-+					memmove(&cert_list[i + j],
-+						&cert_list[i + j + 1],
-+						sizeof(cert_list[i]));
-+				}
-+				cert_list_size--;
- 				break;
- 			}
--		} else if (gnutls_x509_crt_check_issuer(cert_list[i],
--							cert_list[i + 1])) {
--			/* There is no gap between this and the next
--			 * certificate. */
-+		}
-+		/* Found a duplicate, try again with the same index. */
-+		if (j < sorted_size) {
-+			continue;
-+		}
-+
-+		/* Record the certificates seen. */
-+		for (j = 0; j < sorted_size; j++, i++) {
-+			ret = cert_set_add(&cert_set, cert_list[i]);
-+			if (ret < 0) {
-+				goto cleanup;
-+			}
-+		}
-+
-+		/* If the issuer of the certificate is known, no need
-+		 * for further processing. */
-+		if (_gnutls_trust_list_get_issuer(list,
-+						  cert_list[i - 1],
-+						  &issuer,
-+						  0) == 0) {
-+			cert_list_size = i;
-+			break;
-+		}
-+
-+		/* If there is no gap between this and the next certificate,
-+		 * proceed with the next certificate. */
-+		if (i < cert_list_size &&
-+		    gnutls_x509_crt_check_issuer(cert_list[i - 1],
-+						 cert_list[i])) {
- 			continue;
- 		}
- 
- 		ret = retrieve_issuers(list,
--				       cert_list[i],
-+				       cert_list[i - 1],
- 				       &retrieved[retrieved_size],
- 				       DEFAULT_MAX_VERIFY_DEPTH -
- 				       MAX(retrieved_size,
-@@ -1413,15 +1520,20 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
- 		if (ret < 0) {
- 			break;
- 		} else if (ret > 0) {
--			memmove(&cert_list[i + 1 + ret],
--				&cert_list[i + 1],
--				(cert_list_size - i - 1) *
-+			assert((unsigned int)ret <=
-+			       DEFAULT_MAX_VERIFY_DEPTH - cert_list_size);
-+			memmove(&cert_list[i + ret],
-+				&cert_list[i],
-+				(cert_list_size - i) *
- 				sizeof(gnutls_x509_crt_t));
--			memcpy(&cert_list[i + 1],
-+			memcpy(&cert_list[i],
- 			       &retrieved[retrieved_size],
- 			       ret * sizeof(gnutls_x509_crt_t));
- 			retrieved_size += ret;
- 			cert_list_size += ret;
-+
-+			/* Start again from the end of the previous segment. */
-+			i--;
- 		}
- 	}
- 
-@@ -1581,6 +1693,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
- 	for (i = 0; i < retrieved_size; i++) {
- 		gnutls_x509_crt_deinit(retrieved[i]);
- 	}
-+	cert_set_deinit(&cert_set);
- 	return ret;
- }
- 
-diff --git a/tests/missingissuer.c b/tests/missingissuer.c
-index f21e2b6b0c..226d095929 100644
---- a/tests/missingissuer.c
-+++ b/tests/missingissuer.c
-@@ -145,6 +145,8 @@ void doit(void)
- 		printf("[%d]: Chain '%s'...\n", (int)i, chains[i].name);
- 
- 		for (j = 0; chains[i].chain[j]; j++) {
-+			assert(j < MAX_CHAIN);
-+
- 			if (debug > 2)
- 				printf("\tAdding certificate %d...", (int)j);
- 
-diff --git a/tests/test-chains-issuer.h b/tests/test-chains-issuer.h
-index 543e2d71fb..bf1e65c956 100644
---- a/tests/test-chains-issuer.h
-+++ b/tests/test-chains-issuer.h
-@@ -24,7 +24,7 @@
- #ifndef GNUTLS_TESTS_TEST_CHAINS_ISSUER_H
- #define GNUTLS_TESTS_TEST_CHAINS_ISSUER_H
- 
--#define MAX_CHAIN 6
-+#define MAX_CHAIN 15
- 
- #define SERVER_CERT "-----BEGIN CERTIFICATE-----\n"			\
- 	"MIIDATCCAbmgAwIBAgIUQdvdegP8JFszFHLfV4+lrEdafzAwPQYJKoZIhvcNAQEK\n" \
-@@ -338,11 +338,102 @@ static const char *missing_middle_unrelated_extra_insert[] = {
- 	NULL,
- };
- 
-+static const char *missing_middle_single_duplicate[] = {
-+	SERVER_CERT,
-+	SERVER_CERT,
-+	CA_CERT_5,
-+	CA_CERT_5,
-+	CA_CERT_4,
-+	CA_CERT_4,
-+	CA_CERT_2,
-+	CA_CERT_2,
-+	CA_CERT_1,
-+	CA_CERT_1,
-+	NULL,
-+};
-+
-+static const char *missing_middle_multiple_duplicate[] = {
-+	SERVER_CERT,
-+	SERVER_CERT,
-+	CA_CERT_5,
-+	CA_CERT_5,
-+	CA_CERT_4,
-+	CA_CERT_4,
-+	CA_CERT_1,
-+	CA_CERT_1,
-+	NULL,
-+};
-+
-+static const char *missing_last_single_duplicate[] = {
-+	SERVER_CERT,
-+	SERVER_CERT,
-+	CA_CERT_5,
-+	CA_CERT_5,
-+	CA_CERT_4,
-+	CA_CERT_4,
-+	CA_CERT_3,
-+	CA_CERT_3,
-+	CA_CERT_2,
-+	CA_CERT_2,
-+	NULL,
-+};
-+
-+static const char *missing_last_multiple_duplicate[] = {
-+	SERVER_CERT,
-+	SERVER_CERT,
-+	CA_CERT_5,
-+	CA_CERT_5,
-+	CA_CERT_4,
-+	CA_CERT_4,
-+	CA_CERT_3,
-+	CA_CERT_3,
-+	NULL,
-+};
-+
-+static const char *missing_skip_single_duplicate[] = {
-+	SERVER_CERT,
-+	SERVER_CERT,
-+	CA_CERT_5,
-+	CA_CERT_5,
-+	CA_CERT_3,
-+	CA_CERT_3,
-+	CA_CERT_1,
-+	CA_CERT_1,
-+	NULL,
-+};
-+
-+static const char *missing_skip_multiple_duplicate[] = {
-+	SERVER_CERT,
-+	SERVER_CERT,
-+	CA_CERT_5,
-+	CA_CERT_5,
-+	CA_CERT_3,
-+	CA_CERT_3,
-+	NULL,
-+};
-+
- static const char *missing_ca[] = {
- 	CA_CERT_0,
- 	NULL,
- };
- 
-+static const char *middle_single_duplicate_ca[] = {
-+	SERVER_CERT,
-+	CA_CERT_5,
-+	CA_CERT_0,
-+	CA_CERT_4,
-+	CA_CERT_0,
-+	CA_CERT_2,
-+	CA_CERT_0,
-+	CA_CERT_1,
-+	NULL,
-+};
-+
-+static const char *missing_middle_single_duplicate_ca_unrelated_insert[] = {
-+	CA_CERT_0,
-+	NULL,
-+};
-+
- static struct chains {
- 	const char *name;
- 	const char **chain;
-@@ -377,6 +468,14 @@ static struct chains {
- 	{ "skip multiple unsorted", missing_skip_multiple_unsorted, missing_skip_multiple_insert, missing_ca, 0, 0 },
- 	{ "unrelated", missing_middle_single, missing_middle_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
- 	{ "unrelated extra", missing_middle_single, missing_middle_unrelated_extra_insert, missing_ca, 0, 0 },
-+	{ "middle single duplicate", missing_middle_single_duplicate, missing_middle_single_insert, missing_ca, 0, 0 },
-+	{ "middle multiple duplicate", missing_middle_multiple_duplicate, missing_middle_multiple_insert, missing_ca, 0, 0 },
-+	{ "last single duplicate", missing_last_single_duplicate, missing_last_single_insert, missing_ca, 0, 0 },
-+	{ "last multiple duplicate", missing_last_multiple_duplicate, missing_last_multiple_insert, missing_ca, 0, 0 },
-+	{ "skip single duplicate", missing_skip_single_duplicate, missing_skip_single_insert, missing_ca, 0, 0 },
-+	{ "skip multiple duplicate", missing_skip_multiple_duplicate, missing_skip_multiple_insert, missing_ca, 0, 0 },
-+	{ "middle single duplicate ca", middle_single_duplicate_ca, missing_middle_single_insert, missing_ca, 0, 0 },
-+	{ "middle single duplicate ca - insert unrelated", middle_single_duplicate_ca, missing_middle_single_duplicate_ca_unrelated_insert, missing_ca, 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
- 	{ NULL, NULL, NULL, NULL },
- };
- 
--- 
-GitLab
-
diff --git a/net-libs/gnutls/gnutls-3.7.1.ebuild b/net-libs/gnutls/gnutls-3.7.6.ebuild
similarity index 63%
rename from net-libs/gnutls/gnutls-3.7.1.ebuild
rename to net-libs/gnutls/gnutls-3.7.6.ebuild
index e8db6e9..080c6cf 100644
--- a/net-libs/gnutls/gnutls-3.7.1.ebuild
+++ b/net-libs/gnutls/gnutls-3.7.6.ebuild
@@ -1,61 +1,61 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2022 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
 
-inherit libtool multilib-minimal
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnutls.asc
+inherit libtool multilib-minimal verify-sig
 
 DESCRIPTION="A secure communications library implementing the SSL, TLS and DTLS protocols"
 HOMEPAGE="https://www.gnutls.org/"
 SRC_URI="mirror://gnupg/gnutls/v$(ver_cut 1-2)/${P}.tar.xz"
+SRC_URI+=" verify-sig? ( mirror://gnupg/gnutls/v$(ver_cut 1-2)/${P}.tar.xz.sig )"
 
 LICENSE="GPL-3 LGPL-2.1+"
-SLOT="0/30" # libgnutls.so number
+SLOT="0/30.30" # <libgnutls.so number>.<libgnutlsxx.so number>
 KEYWORDS="*"
-IUSE="+cxx dane doc examples guile +idn nls +openssl pkcs11 seccomp sslv2 sslv3 static-libs test test-full +tls-heartbeat tools valgrind"
+IUSE="brotli +cxx dane doc examples guile +idn nls +openssl pkcs11 seccomp sslv2 sslv3 static-libs test test-full +tls-heartbeat tools valgrind zlib zstd"
 
-REQUIRED_USE="
-	test-full? ( cxx dane doc examples guile idn nls openssl pkcs11 seccomp tls-heartbeat tools )"
+REQUIRED_USE="test-full? ( cxx dane doc examples guile idn nls openssl pkcs11 seccomp tls-heartbeat tools )"
 RESTRICT="!test? ( test )"
 
-# NOTICE: sys-devel/autogen is required at runtime as we
-# use system libopts
 RDEPEND=">=dev-libs/libtasn1-4.9:=[${MULTILIB_USEDEP}]
 	dev-libs/libunistring:=[${MULTILIB_USEDEP}]
 	>=dev-libs/nettle-3.6:=[gmp,${MULTILIB_USEDEP}]
 	>=dev-libs/gmp-5.1.3-r1:=[${MULTILIB_USEDEP}]
-	tools? ( sys-devel/autogen:= )
+	brotli? ( >=app-arch/brotli-1.0.0:=[${MULTILIB_USEDEP}] )
 	dane? ( >=net-dns/unbound-1.4.20:=[${MULTILIB_USEDEP}] )
 	guile? ( >=dev-scheme/guile-2:=[networking] )
 	nls? ( >=virtual/libintl-0-r1:=[${MULTILIB_USEDEP}] )
-	pkcs11? ( >=app-crypt/p11-kit-0.23.1:=[${MULTILIB_USEDEP}] )
-	idn? ( >=net-dns/libidn2-0.16-r1:=[${MULTILIB_USEDEP}] )"
+	pkcs11? ( >=app-crypt/p11-kit-0.23.1[${MULTILIB_USEDEP}] )
+	idn? ( >=net-dns/libidn2-0.16-r1:=[${MULTILIB_USEDEP}] )
+	zlib? ( sys-libs/zlib[${MULTILIB_USEDEP}] )
+	zstd? ( >=app-arch/zstd-1.3.0:=[${MULTILIB_USEDEP}] )"
 DEPEND="${RDEPEND}
 	test? (
 		seccomp? ( sys-libs/libseccomp )
 	)"
-BDEPEND=">=virtual/pkgconfig-0-r1
+BDEPEND="
+	dev-util/gtk-doc-am
+	>=virtual/pkgconfig-0-r1
 	doc? ( dev-util/gtk-doc )
 	nls? ( sys-devel/gettext )
-	tools? ( sys-devel/autogen )
 	valgrind? ( dev-util/valgrind )
 	test-full? (
 		app-crypt/dieharder
 		>=app-misc/datefudge-1.22
-		dev-libs/softhsm:2[-bindist]
+		dev-libs/softhsm:2[-bindist(-)]
 		net-dialup/ppp
 		net-misc/socat
-	)"
+	)
+	verify-sig? ( >=sec-keys/openpgp-keys-gnutls-20220320 )"
 
-DOCS=(
-	README.md
-	doc/certtool.cfg
-)
+DOCS=( README.md doc/certtool.cfg )
 
 HTML_DOCS=()
 
 pkg_setup() {
-	# bug#520818
+	# bug #520818
 	export TZ=UTC
 
 	use doc && HTML_DOCS+=(
@@ -66,12 +66,6 @@
 src_prepare() {
 	default
 
-	# force regeneration of autogen-ed files
-	local file
-	for file in $(grep -l AutoGen-ed src/*.c) ; do
-		rm src/$(basename ${file} .c).{c,h} || die
-	done
-
 	# don't try to use system certificate store on macOS, it is
 	# confusingly ignoring our ca-certificates and more importantly
 	# fails to compile in certain configurations
@@ -87,9 +81,13 @@
 	local libconf=()
 
 	# TPM needs to be tested before being enabled
-	libconf+=( --without-tpm )
+	# Note that this may add a libltdl dep when enabled. Check configure.ac.
+	libconf+=(
+		--without-tpm
+		--without-tpm2
+	)
 
-	# hardware-accell is disabled on OSX because the asm files force
+	# hardware-accel is disabled on OSX because the asm files force
 	#   GNU-stack (as doesn't support that) and when that's removed ld
 	#   complains about duplicate symbols
 	[[ ${CHOST} == *-darwin* ]] && libconf+=( --disable-hardware-acceleration )
@@ -97,6 +95,11 @@
 	# Cygwin as does not understand these asm files at all
 	[[ ${CHOST} == *-cygwin* ]] && libconf+=( --disable-hardware-acceleration )
 
+	# -fanalyzer substantially slows down the build and isn't useful for
+	# us. It's useful for upstream as it's static analysis, but it's not
+	# useful when just getting something built.
+	export gl_cv_warn_c__fanalyzer=no
+
 	local myeconfargs=(
 		$(multilib_native_enable manpages)
 		$(multilib_native_use_enable doc gtk-doc)
@@ -115,11 +118,14 @@
 		$(use_enable sslv3 ssl3-support)
 		$(use_enable static-libs static)
 		$(use_enable tls-heartbeat heartbeat-support)
+		$(use_with brotli)
 		$(use_with idn)
 		$(use_with pkcs11 p11-kit)
+		$(use_with zlib)
+		$(use_with zstd)
 		--disable-rpath
-		--with-default-trust-store-file="${EPREFIX}/etc/ssl/certs/ca-certificates.crt"
-		--with-unbound-root-key-file="${EPREFIX}/etc/dnssec/root-anchors.txt"
+		--with-default-trust-store-file="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt
+		--with-unbound-root-key-file="${EPREFIX}"/etc/dnssec/root-anchors.txt
 		--without-included-libtasn1
 		$("${S}/configure" --help | grep -o -- '--without-.*-prefix')
 	)
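Review bot: The three new `$(use_with brotli)`, `$(use_with zlib)` and `$(use_with zstd)` lines enable compression support inside a TLS library without a comment saying what gets compressed, which matters because record-level TLS compression has a bad history (it is what CRIME exploited). As far as I recall, in the 3.7.x series these configure switches feed GnuTLS's RFC 8879 certificate-compression support rather than record compression — worth confirming against the 3.7.6 configure.ac — and the matching IUSE flags are added without a `+`, so the feature stays opt-in. Suggest a one-line comment above the three lines, e.g. `# brotli/zlib/zstd: RFC 8879 certificate compression, not TLS record compression; off by default`, so a later maintainer does not flip them on as a generic "enable zlib" convenience. The enclosing src_configure body starts before this hunk and continues after it.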
diff --git a/net-libs/gnutls/metadata.xml b/net-libs/gnutls/metadata.xml
index 34baa89..8a72ba7 100644
--- a/net-libs/gnutls/metadata.xml
+++ b/net-libs/gnutls/metadata.xml
@@ -1,43 +1,47 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
-  <maintainer type="project">
-    <email>base-system@gentoo.org</email>
-  </maintainer>
-  <use>
-    <flag name="dane">
-      Build libgnutls-dane, implementing DNS-based Authentication of
-      Named Entities. Requires <pkg>net-dns/unbound</pkg>
-    </flag>
-    <flag name="openssl">
-      Build openssl compatibility libraries
-    </flag>
-    <flag name="pkcs11">
-      Add support for PKCS#11 through <pkg>app-crypt/p11-kit</pkg>
-    </flag>
-    <flag name="tools">
-      Build extra tools
-    </flag>
-    <flag name="tls-heartbeat">
-      Enable the Heartbeat Extension in TLS and DTLS
-    </flag>
-    <flag name="sslv2">
-      Support for the old/insecure SSLv2 protocol
-    </flag>
-    <flag name="sslv3">
-      Support for the old/insecure SSLv3 protocol
-    </flag>
-    <flag name="test-full">
-      Enable full test mode
-    </flag>
-    <flag name="valgrind">
-      Enable usage of <pkg>dev-util/valgrind</pkg> in debug
-    </flag>
-  </use>
-  <slots>
-   <subslots>Reflect ABI compatibility of libgnutls.so</subslots>
-  </slots>
-  <upstream>
-    <remote-id type="cpe">cpe:/a:gnu:gnutls</remote-id>
-  </upstream>
+	<maintainer type="project">
+		<email>base-system@gentoo.org</email>
+	</maintainer>
+	<use>
+		<flag name="brotli">
+			Enable brotli decompression support via <pkg>app-arch/brotli</pkg>
+		</flag>
+		<flag name="dane">
+			Build libgnutls-dane, implementing DNS-based Authentication of
+			Named Entities. Requires <pkg>net-dns/unbound</pkg>
+		</flag>
+		<flag name="openssl">
+			Build openssl compatibility libraries
+		</flag>
+		<flag name="pkcs11">
+			Add support for PKCS#11 through <pkg>app-crypt/p11-kit</pkg>
+		</flag>
+		<flag name="tools">
+			Build extra tools
+		</flag>
+		<flag name="tls-heartbeat">
+			Enable the Heartbeat Extension in TLS and DTLS
+		</flag>
+		<flag name="sslv2">
+			Support for the old/insecure SSLv2 protocol
+		</flag>
+		<flag name="sslv3">
+			Support for the old/insecure SSLv3 protocol
+		</flag>
+		<flag name="test-full">
+			Enable full test mode
+		</flag>
+		<flag name="valgrind">
+			Enable usage of <pkg>dev-util/valgrind</pkg> in debug
+		</flag>
+	</use>
+	<slots>
+		<subslots>Reflect ABI compatibility of libgnutls.so</subslots>
+	</slots>
+	<upstream>
+		<remote-id type="cpe">cpe:/a:gnu:gnutls</remote-id>
+		<remote-id type="gitlab">gnutls/gnutls</remote-id>
+	</upstream>
 </pkgmetadata>
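Review bot: The `<subslots>` description on the new line `<subslots>Reflect ABI compatibility of libgnutls.so</subslots>` is now stale: the ebuild in this same change sets `SLOT="0/30.30"` with the comment `<libgnutls.so number>.<libgnutlsxx.so number>`, so the subslot encodes two SONAMEs. Suggest `<subslots>Reflect ABI compatibility of libgnutls.so and libgnutlsxx.so</subslots>` so consumers with `:=` dependencies understand why a C++-only SONAME bump also triggers their rebuild. The rest of the section is reindentation plus the new brotli flag and gitlab remote-id, which look consistent with the ebuild.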