net-libs/gnutls: update to 3.7.1

Update gnutls to 3.7.1, mainly to address security vulnerabilities: * CVE-2021-20231 * CVE-2021-20232
2025-08-17 09:56:59 +02:00 · 2021-04-19 14:26:37 +02:00 · 2021-04-19 14:26:37 +02:00 · 226a7191dc
commit 226a7191dc
parent 301cfa8be7
3 changed files with 148 additions and 5 deletions
--- a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/Manifest
+++ b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/Manifest
@ -1 +1,2 @@
 DIST gnutls-3.6.15.tar.xz 6081656 BLAKE2B 6c52419037e41e817087a2577a6b73969cf065453ecf88e2f87152f544a177e4ad0ef825ae9dab243312e0223a953ab28e532bd2dbf96cb9498618415bc7f654 SHA512 f757d1532198f44bcad7b73856ce6a05bab43f6fb77fcc81c59607f146202f73023d0796d3e1e7471709cf792c8ee7d436e19407e0601bc0bda2f21512b3b01c
+DIST gnutls-3.7.1.tar.xz 6038388 BLAKE2B 1d55eb441827c7148d63bcad37bf7bc62d539ee9bc7e14c2fe5ec1d0bdcadd75e2cbc98ba104523b24c8dfd9526b4595475a818d206971cc012fac509cd33a6f SHA512 0fe801f03676c3bd970387f94578c8be7ba6030904989e7d21dffdc726209bab44c8096fbcb6d51fed2de239537bd00df2338ee9c8d984a1c386826b91062a95
--- a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.6.15.ebuild
+++ b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.6.15.ebuild
@ -1,17 +1,17 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2

 EAPI=7

 inherit libtool multilib-minimal

-DESCRIPTION="A TLS 1.2 and SSL 3.0 implementation for the GNU project"
-HOMEPAGE="http://www.gnutls.org/"
+DESCRIPTION="A secure communications library implementing the SSL, TLS and DTLS protocols"
+HOMEPAGE="https://www.gnutls.org/"
 SRC_URI="mirror://gnupg/gnutls/v$(ver_cut 1-2)/${P}.tar.xz"

 LICENSE="GPL-3 LGPL-2.1+"
 SLOT="0/30" # libgnutls.so number
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
 IUSE="+cxx dane doc examples guile +idn nls +openssl pkcs11 seccomp sslv2 sslv3 static-libs test test-full +tls-heartbeat tools valgrind"

 REQUIRED_USE="
@ -54,7 +54,7 @@ DOCS=(

 HTML_DOCS=()

-#PATCHES=( "${FILESDIR}"/${PN}-3.6.15-skip-dtls-seccomp-tests.patch )
+PATCHES=( "${FILESDIR}"/${PN}-3.6.15-skip-dtls-seccomp-tests.patch )

 pkg_setup() {
 	# bug#520818
@ -74,6 +74,11 @@ src_prepare() {
 		rm src/$(basename ${file} .c).{c,h} || die
 	done

+	# don't try to use system certificate store on macOS, it is
+	# confusingly ignoring our ca-certificates and more importantly
+	# fails to compile in certain configurations
+	sed -i -e 's/__APPLE__/__NO_APPLE__/' lib/system/certs.c || die
+
 	# Use sane .so versioning on FreeBSD.
 	elibtoolize
 }
--- a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.7.1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.7.1.ebuild
@ -0,0 +1,137 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit libtool multilib-minimal
+
+DESCRIPTION="A secure communications library implementing the SSL, TLS and DTLS protocols"
+HOMEPAGE="https://www.gnutls.org/"
+SRC_URI="mirror://gnupg/gnutls/v$(ver_cut 1-2)/${P}.tar.xz"
+
+LICENSE="GPL-3 LGPL-2.1+"
+SLOT="0/30" # libgnutls.so number
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="+cxx dane doc examples guile +idn nls +openssl pkcs11 seccomp sslv2 sslv3 static-libs test test-full +tls-heartbeat tools valgrind"
+
+REQUIRED_USE="
+	test-full? ( cxx dane doc examples guile idn nls openssl pkcs11 seccomp tls-heartbeat tools )"
+RESTRICT="!test? ( test )"
+
+# NOTICE: sys-devel/autogen is required at runtime as we
+# use system libopts
+RDEPEND=">=dev-libs/libtasn1-4.9:=[${MULTILIB_USEDEP}]
+	dev-libs/libunistring:=[${MULTILIB_USEDEP}]
+	>=dev-libs/nettle-3.6:=[gmp,${MULTILIB_USEDEP}]
+	>=dev-libs/gmp-5.1.3-r1:=[${MULTILIB_USEDEP}]
+	tools? ( sys-devel/autogen:= )
+	dane? ( >=net-dns/unbound-1.4.20:=[${MULTILIB_USEDEP}] )
+	guile? ( >=dev-scheme/guile-2:=[networking] )
+	nls? ( >=virtual/libintl-0-r1:=[${MULTILIB_USEDEP}] )
+	pkcs11? ( >=app-crypt/p11-kit-0.23.1:=[${MULTILIB_USEDEP}] )
+	idn? ( >=net-dns/libidn2-0.16-r1:=[${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}
+	test? (
+		seccomp? ( sys-libs/libseccomp )
+	)"
+BDEPEND=">=virtual/pkgconfig-0-r1
+	doc? ( dev-util/gtk-doc )
+	nls? ( sys-devel/gettext )
+	tools? ( sys-devel/autogen )
+	valgrind? ( dev-util/valgrind )
+	test-full? (
+		app-crypt/dieharder
+		>=app-misc/datefudge-1.22
+		dev-libs/softhsm:2[-bindist]
+		net-dialup/ppp
+		net-misc/socat
+	)"
+
+DOCS=(
+	README.md
+	doc/certtool.cfg
+)
+
+HTML_DOCS=()
+
+pkg_setup() {
+	# bug#520818
+	export TZ=UTC
+
+	use doc && HTML_DOCS+=(
+		doc/gnutls.html
+	)
+}
+
+src_prepare() {
+	default
+
+	# force regeneration of autogen-ed files
+	local file
+	for file in $(grep -l AutoGen-ed src/*.c) ; do
+		rm src/$(basename ${file} .c).{c,h} || die
+	done
+
+	# don't try to use system certificate store on macOS, it is
+	# confusingly ignoring our ca-certificates and more importantly
+	# fails to compile in certain configurations
+	sed -i -e 's/__APPLE__/__NO_APPLE__/' lib/system/certs.c || die
+
+	# Use sane .so versioning on FreeBSD.
+	elibtoolize
+}
+
+multilib_src_configure() {
+	LINGUAS="${LINGUAS//en/en@boldquot en@quot}"
+
+	local libconf=()
+
+	# TPM needs to be tested before being enabled
+	libconf+=( --without-tpm )
+
+	# hardware-accell is disabled on OSX because the asm files force
+	#   GNU-stack (as doesn't support that) and when that's removed ld
+	#   complains about duplicate symbols
+	[[ ${CHOST} == *-darwin* ]] && libconf+=( --disable-hardware-acceleration )
+
+	# Cygwin as does not understand these asm files at all
+	[[ ${CHOST} == *-cygwin* ]] && libconf+=( --disable-hardware-acceleration )
+
+	local myeconfargs=(
+		$(multilib_native_enable manpages)
+		$(multilib_native_use_enable doc gtk-doc)
+		$(multilib_native_use_enable doc)
+		$(multilib_native_use_enable guile)
+		$(multilib_native_use_enable seccomp seccomp-tests)
+		$(multilib_native_use_enable test tests)
+		$(multilib_native_use_enable test-full full-test-suite)
+		$(multilib_native_use_enable tools)
+		$(multilib_native_use_enable valgrind valgrind-tests)
+		$(use_enable cxx)
+		$(use_enable dane libdane)
+		$(use_enable nls)
+		$(use_enable openssl openssl-compatibility)
+		$(use_enable sslv2 ssl2-support)
+		$(use_enable sslv3 ssl3-support)
+		$(use_enable static-libs static)
+		$(use_enable tls-heartbeat heartbeat-support)
+		$(use_with idn)
+		$(use_with pkcs11 p11-kit)
+		--disable-rpath
+		--with-default-trust-store-file="${EPREFIX}/etc/ssl/certs/ca-certificates.crt"
+		--with-unbound-root-key-file="${EPREFIX}/etc/dnssec/root-anchors.txt"
+		--without-included-libtasn1
+		$("${S}/configure" --help | grep -o -- '--without-.*-prefix')
+	)
+	ECONF_SOURCE="${S}" econf "${libconf[@]}" "${myeconfargs[@]}"
+}
+
+multilib_src_install_all() {
+	einstalldocs
+	find "${ED}" -type f -name '*.la' -delete || die
+
+	if use examples; then
+		docinto examples
+		dodoc doc/examples/*.c
+	fi
+}