commit:     90d0ec250a8bb4242ba9942c45a4b97908e88353
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Mon Feb 23 19:56:13 2026 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Mon Feb 23 20:00:22 2026 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=90d0ec25

net-libs/gnutls: wire up PQC support

I was going to make this unconditional, but upstream still has some SIMD-conditional
build issues, so let's wait a bit on that at least.

Bug: https://github.com/hughsie/libjcat/issues/195
Signed-off-by: Sam James <sam <AT> gentoo.org>

 net-libs/gnutls/gnutls-3.8.12-r1.ebuild | 166 ++++++++++++++++++++++++++++++++
 net-libs/gnutls/metadata.xml            |   4 +
 2 files changed, 170 insertions(+)

diff --git a/net-libs/gnutls/gnutls-3.8.12-r1.ebuild 
b/net-libs/gnutls/gnutls-3.8.12-r1.ebuild
new file mode 100644
index 000000000000..c1744bcf0ecc
--- /dev/null
+++ b/net-libs/gnutls/gnutls-3.8.12-r1.ebuild
@@ -0,0 +1,166 @@
+# Copyright 1999-2026 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnutls.asc
+inherit libtool multilib-minimal verify-sig
+
+DESCRIPTION="Secure communications library implementing the SSL, TLS and DTLS 
protocols"
+HOMEPAGE="https://www.gnutls.org/";
+SRC_URI="mirror://gnupg/gnutls/v$(ver_cut 1-2)/${P}.tar.xz"
+SRC_URI+=" verify-sig? ( mirror://gnupg/gnutls/v$(ver_cut 1-2)/${P}.tar.xz.sig 
)"
+
+LICENSE="GPL-3 LGPL-2.1+"
+# As of 3.8.0, the C++ library is header-only, but we won't drop the subslot
+# component for it until libgnutls.so breaks ABI, to avoid pointless rebuilds.
+# Subslot format:
+# <libgnutls.so number>.<libgnutlsxx.so number>
+SLOT="0/30.30"
+KEYWORDS="~amd64"
+IUSE="brotli +cxx dane doc examples +idn nls +openssl pkcs11 +post-quantum 
sslv2 sslv3"
+IUSE+=" systemtap static-libs test test-full +tls-heartbeat tools zlib zstd"
+REQUIRED_USE="test-full? ( cxx dane doc examples idn nls openssl pkcs11 
tls-heartbeat tools )"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+       >=dev-libs/libtasn1-4.9:=[${MULTILIB_USEDEP}]
+       dev-libs/libunistring:=[${MULTILIB_USEDEP}]
+       >=dev-libs/nettle-3.10:=[gmp,${MULTILIB_USEDEP}]
+       >=dev-libs/gmp-5.1.3-r1:=[${MULTILIB_USEDEP}]
+       brotli? ( >=app-arch/brotli-1.0.0:=[${MULTILIB_USEDEP}] )
+       dane? ( >=net-dns/unbound-1.4.20:=[${MULTILIB_USEDEP}] )
+       nls? ( >=virtual/libintl-0-r1:=[${MULTILIB_USEDEP}] )
+       pkcs11? ( >=app-crypt/p11-kit-0.23.1[${MULTILIB_USEDEP}] )
+       post-quantum? ( >=dev-libs/leancrypto-1.2.0:=[${MULTILIB_USEDEP}] )
+       idn? ( >=net-dns/libidn2-0.16-r1:=[${MULTILIB_USEDEP}] )
+       zlib? ( virtual/zlib:=[${MULTILIB_USEDEP}] )
+       zstd? ( >=app-arch/zstd-1.3.0:=[${MULTILIB_USEDEP}] )
+"
+DEPEND="
+       ${RDEPEND}
+       test-full? ( sys-libs/libseccomp )
+       systemtap? ( dev-debug/systemtap )
+"
+BDEPEND="
+       dev-build/gtk-doc-am
+       >=virtual/pkgconfig-0-r1
+       doc? ( dev-util/gtk-doc )
+       nls? ( sys-devel/gettext )
+       test-full? (
+               app-crypt/dieharder
+               || ( sys-libs/libfaketime >=app-misc/datefudge-1.22 )
+               dev-libs/softhsm:2[-bindist(-)]
+               net-dialup/ppp
+               net-misc/socat
+       )
+       verify-sig? ( >=sec-keys/openpgp-keys-gnutls-20240415 )
+"
+
+DOCS=( README.md doc/certtool.cfg )
+
+HTML_DOCS=()
+
+QA_CONFIG_IMPL_DECL_SKIP=(
+       # gnulib FPs
+       MIN
+       alignof
+       static_assert
+)
+
+src_prepare() {
+       default
+
+       # bug #520818
+       export TZ=UTC
+
+       use doc && HTML_DOCS+=( doc/gnutls.html )
+
+       # don't try to use system certificate store on macOS, it is
+       # confusingly ignoring our ca-certificates and more importantly
+       # fails to compile in certain configurations
+       sed -i -e 's/__APPLE__/__NO_APPLE__/' lib/system/certs.c || die
+
+       # Fails with some combinations of USE="brotli zlib zstd"
+       # https://gitlab.com/gnutls/gnutls/-/issues/1721
+       # https://gitlab.com/gnutls/gnutls/-/merge_requests/1980
+       cat <<-EOF > tests/system-override-compress-cert.sh || die
+       #!/bin/sh
+       exit 77
+       EOF
+       chmod +x tests/system-override-compress-cert.sh || die
+
+       elibtoolize
+}
+
+multilib_src_configure() {
+       LINGUAS="${LINGUAS//en/en@boldquot en@quot}"
+
+       local libconf=()
+
+       # TPM needs to be tested before being enabled
+       # Note that this may add a libltdl dep when enabled. Check configure.ac.
+       libconf+=(
+               --without-tpm
+               --without-tpm2
+       )
+
+       # hardware-accel is disabled on OSX because the asm files force
+       #   GNU-stack (as doesn't support that) and when that's removed ld
+       #   complains about duplicate symbols
+       [[ ${CHOST} == *-darwin* ]] && libconf+=( 
--disable-hardware-acceleration )
+
+       # -fanalyzer substantially slows down the build and isn't useful for
+       # us. It's useful for upstream as it's static analysis, but it's not
+       # useful when just getting something built.
+       export gl_cv_warn_c__fanalyzer=no
+
+       local myeconfargs=(
+               --disable-valgrind-tests
+               $(multilib_native_enable manpages)
+               $(multilib_native_use_enable doc gtk-doc)
+               $(multilib_native_use_enable doc)
+               $(multilib_native_use_enable test tests)
+               $(multilib_native_use_enable test-full full-test-suite)
+               $(multilib_native_use_enable test-full seccomp-tests)
+               $(multilib_native_use_enable tools)
+               $(use_enable cxx)
+               $(use_enable dane libdane)
+               $(use_enable nls)
+               $(use_enable openssl openssl-compatibility)
+               $(use_enable sslv2 ssl2-support)
+               $(use_enable sslv3 ssl3-support)
+               $(use_enable static-libs static)
+               $(use_enable systemtap crypto-auditing)
+               $(use_enable tls-heartbeat heartbeat-support)
+               $(use_with brotli '' link)
+               $(use_with idn)
+               $(use_with pkcs11 p11-kit)
+               $(use_with post-quantum leancrypto)
+               $(use_with zlib '' link)
+               $(use_with zstd '' link)
+               --disable-rpath
+               
--with-default-trust-store-file="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt
+               
--with-unbound-root-key-file="${EPREFIX}"/etc/dnssec/root-anchors.txt
+               --without-included-libtasn1
+               $("${S}/configure" --help | grep -o -- '--without-.*-prefix')
+       )
+
+       ECONF_SOURCE="${S}" econf "${libconf[@]}" "${myeconfargs[@]}"
+
+       if [[ ${CHOST} == *-solaris* ]] ; then
+               # gnulib ends up defining its own pthread_mutexattr_gettype
+               # otherwise, which is causing versioning problems
+               echo "#define PTHREAD_IN_USE_DETECTION_HARD 1" >> config.h || 
die
+       fi
+}
+
+multilib_src_install_all() {
+       einstalldocs
+       find "${ED}" -type f -name '*.la' -delete || die
+
+       if use examples; then
+               docinto examples
+               dodoc doc/examples/*.c
+       fi
+}
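Review bot: `+post-quantum` in IUSE turns the new `dev-libs/leancrypto` dependency and `--with-leancrypto` on by default, while the commit message itself says upstream still has SIMD-conditional issues that kept this from being made unconditional, and `KEYWORDS="~amd64"` means only one CPU family will exercise it for now. Wiring a second cryptographic provider into the TLS stack is the kind of change where a CPU-feature-dependent build problem should not be the default before the upstream fix lands; the conservative choice is to drop the `+` (`IUSE="brotli +cxx dane doc examples +idn nls +openssl pkcs11 post-quantum sslv2 sslv3"`) and re-enable it by default once the issue is resolved. If the default is kept intentionally, the reason belongs in the ebuild next to the dependency rather than only in the commit message, e.g. `# Default-on PQC via leancrypto; upstream SIMD-conditional build issues are still open, revisit before making this unconditional` above the `post-quantum? (` line in RDEPEND. Note also that `test-full`'s REQUIRED_USE does not list `post-quantum`, so the full suite can run without the new backend; if the PQC paths are presumably meant to be covered by it, that should be stated or the flag added there.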

diff --git a/net-libs/gnutls/metadata.xml b/net-libs/gnutls/metadata.xml
index c619456d5746..ab38d4a5b3c6 100644
--- a/net-libs/gnutls/metadata.xml
+++ b/net-libs/gnutls/metadata.xml
@@ -15,6 +15,10 @@
                <flag name="pkcs11">
                        Add support for PKCS#11 through 
<pkg>app-crypt/p11-kit</pkg>
                </flag>
+               <flag name="post-quantum">
+                       Support post-quantum cryptography (PQC) using
+                       <pkg>dev-libs/leancrypto</pkg>.
+               </flag>
                <flag name="tools">
                        Build cli tools such as gnutls-cli, certtool and 
oscptool
                </flag>
