commit:     58f4822f405d57e2131ea8cd4cf1356c702fbc64
Author:     Holger Hoffstätte <holger <AT> applied-asynchrony <DOT> com>
AuthorDate: Thu Dec  4 13:03:26 2025 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri Dec  5 07:51:55 2025 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=58f4822f

net-analyzer/wireshark: make PKCS support explicit

Wireshark automagically enables PKCS support if it finds corresponding
symbols in gnutls at build time. This dependency is not recorded in
the ebuild's RDEPEND for gnutls, which means changes in gnutls might
break its ABI and consequently Wireshark.
Fix this by adding USE=pkcs11 support in the ebuild, forwarding this
to the Wireshark cmake build and depending on gnutls[pkcs11] when
required.

Closes: https://bugs.gentoo.org/967060
Signed-off-by: Holger Hoffstätte <holger <AT> applied-asynchrony.com>
Part-of: https://github.com/gentoo/gentoo/pull/44894
Closes: https://github.com/gentoo/gentoo/pull/44894
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../wireshark/files/4.6.2-gnutls-pkcs11.patch      | 45 ++++++++++++++++++++++
 net-analyzer/wireshark/metadata.xml                |  1 +
 ...hark-4.6.2.ebuild => wireshark-4.6.2-r1.ebuild} |  6 ++-
 3 files changed, 50 insertions(+), 2 deletions(-)

diff --git a/net-analyzer/wireshark/files/4.6.2-gnutls-pkcs11.patch 
b/net-analyzer/wireshark/files/4.6.2-gnutls-pkcs11.patch
new file mode 100644
index 000000000000..dd01014f2570
--- /dev/null
+++ b/net-analyzer/wireshark/files/4.6.2-gnutls-pkcs11.patch
@@ -0,0 +1,45 @@
+Bug: https://bugs.gentoo.org/967060
+
+diff -rup wireshark-4.6.2/CMakeLists.txt wireshark-4.6.2-pkcs11/CMakeLists.txt
+--- wireshark-4.6.2/CMakeLists.txt     2025-12-04 13:48:57.732168127 +0100
++++ wireshark-4.6.2-pkcs11/CMakeLists.txt      2025-12-04 13:48:29.067453231 
+0100
+@@ -1587,16 +1587,18 @@ if(GNUTLS_FOUND)
+       # Calculating public keys from PKCS #11 private keys requires GnuTLS
+       # 3.4.0 or greater.
+       #
+-      # Check that the support is present in case GnuTLS was compiled
+-      # --without-p11-kit as macos-setup.sh did until December 2020.
+-      cmake_push_check_state()
+-      if(WIN32 AND NOT MINGW)
+-              set(CMAKE_REQUIRED_DEFINITIONS -Dssize_t=int)
+-      endif()
+-      set(CMAKE_REQUIRED_INCLUDES ${GNUTLS_INCLUDE_DIRS})
+-      set(CMAKE_REQUIRED_LIBRARIES ${GNUTLS_LIBRARIES})
+-      check_symbol_exists(gnutls_pkcs11_obj_list_import_url4 gnutls/pkcs11.h 
HAVE_GNUTLS_PKCS11)
+-      cmake_pop_check_state()
++      if (ENABLE_PKCS11)
++              # Check that the support is present in case GnuTLS was compiled
++              # --without-p11-kit as macos-setup.sh did until December 2020.
++              cmake_push_check_state()
++              if(WIN32 AND NOT MINGW)
++                      set(CMAKE_REQUIRED_DEFINITIONS -Dssize_t=int)
++              endif()
++              set(CMAKE_REQUIRED_INCLUDES ${GNUTLS_INCLUDE_DIRS})
++              set(CMAKE_REQUIRED_LIBRARIES ${GNUTLS_LIBRARIES})
++              check_symbol_exists(gnutls_pkcs11_obj_list_import_url4 
gnutls/pkcs11.h HAVE_GNUTLS_PKCS11)
++              cmake_pop_check_state()
++      endif (PKCS11)
+ endif()
+ 
+ if (QT_FOUND)
+diff -rup wireshark-4.6.2/CMakeOptions.txt 
wireshark-4.6.2-pkcs11/CMakeOptions.txt
+--- wireshark-4.6.2/CMakeOptions.txt   2025-12-03 18:45:32.000000000 +0100
++++ wireshark-4.6.2-pkcs11/CMakeOptions.txt    2025-12-04 13:44:49.553654179 
+0100
+@@ -106,6 +106,7 @@ option(ENABLE_NGHTTP3    "Build with HTT
+ option(ENABLE_LUA        "Build with Lua dissector support" ON)
+ option(ENABLE_SMI        "Build with libsmi snmp support" ON)
+ option(ENABLE_GNUTLS     "Build with RSA decryption support" ON)
++option(ENABLE_PKCS11     "Build with PKCS11 support" ON)
+ if(WIN32 AND USE_REPOSITORY)
+       option(ENABLE_WINSPARKLE "Enable automatic updates using WinSparkle" ON)
+ endif()
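Review bot: The block opened with `if (ENABLE_PKCS11)` in the CMakeLists.txt part of this patch is closed with `endif (PKCS11)`, which names a different condition. Current CMake appears to tolerate the mismatch, but the legacy argument is documented as a verbatim repeat of the opening condition, so use a bare `endif()` like the surrounding lines. Separately, when ENABLE_PKCS11 is ON and `check_symbol_exists` does not find `gnutls_pkcs11_obj_list_import_url4`, the build still drops PKCS #11 support silently. A check after `cmake_pop_check_state()` such as `if(NOT HAVE_GNUTLS_PKCS11)` with a `message(WARNING ...)` would make the requested and the built feature set agree visibly. The enclosing `if(GNUTLS_FOUND)` block begins outside the inner hunk.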

diff --git a/net-analyzer/wireshark/metadata.xml 
b/net-analyzer/wireshark/metadata.xml
index 90aa7e6ec619..9c6129803d5a 100644
--- a/net-analyzer/wireshark/metadata.xml
+++ b/net-analyzer/wireshark/metadata.xml
@@ -52,6 +52,7 @@
                <flag name="minizip">Build with zip file compression 
support</flag>
                <flag name="netlink">Use <pkg>dev-libs/libnl</pkg></flag>
                <flag name="pcap">Use <pkg>net-libs/libpcap</pkg> for network 
packet capturing (build dumpcap, rawshark)</flag>
+               <flag name="pkcs11">Add support for PKCS in 
<pkg>net-libs/gnutls</pkg></flag>
                <flag name="plugins">Install plugins</flag>
                <flag name="randpkt">Install randpkt, a utility for creating 
pcap trace files full of random packets</flag>
                <flag name="randpktdump">Install randpktdump, an extcap 
interface to provide access to the random packet generator (randpkt)</flag>

diff --git a/net-analyzer/wireshark/wireshark-4.6.2.ebuild 
b/net-analyzer/wireshark/wireshark-4.6.2-r1.ebuild
similarity index 97%
rename from net-analyzer/wireshark/wireshark-4.6.2.ebuild
rename to net-analyzer/wireshark/wireshark-4.6.2-r1.ebuild
index 248611ee13c6..c072b12a20c6 100644
--- a/net-analyzer/wireshark/wireshark-4.6.2.ebuild
+++ b/net-analyzer/wireshark/wireshark-4.6.2-r1.ebuild
@@ -31,7 +31,7 @@ LICENSE="GPL-2"
 SLOT="0/${PV}"
 IUSE="androiddump bcg729 brotli +capinfos +captype ciscodump +dftest doc 
dpauxmon"
 IUSE+=" +dumpcap +editcap +gui http2 http3 ilbc kerberos lua lz4 maxminddb"
-IUSE+=" +mergecap +minizip +netlink opus +plugins +pcap +randpkt"
+IUSE+=" +mergecap +minizip +netlink opus pkcs11 +plugins +pcap +randpkt"
 IUSE+=" +randpktdump +reordercap sbc selinux +sharkd smi snappy spandsp 
sshdump ssl"
 IUSE+=" sdjournal test +text2pcap +tshark +udpdump wifi zlib +zstd"
 
@@ -77,7 +77,7 @@ RDEPEND="
        snappy? ( app-arch/snappy:= )
        spandsp? ( media-libs/spandsp:= )
        sshdump? ( >=net-libs/libssh-0.6:= )
-       ssl? ( >=net-libs/gnutls-3.5.8:= )
+       ssl? ( >=net-libs/gnutls-3.5.8:=[pkcs11?] )
        wifi? ( >=net-libs/libssh-0.6:= )
        zlib? ( virtual/zlib:= )
        zstd? ( app-arch/zstd:= )
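Review bot: The `[pkcs11?]` use-dependency is attached only inside the `ssl? ( ... )` group, and the bundled CMake patch puts the ENABLE_PKCS11 check inside `if(GNUTLS_FOUND)`. USE="-ssl pkcs11" is therefore accepted but yields a build without PKCS #11 key support, with no signal to the user. REQUIRED_USE is not visible in these hunks; if the ebuild does not already constrain this, add `pkcs11? ( ssl )` there so the flag state matches what is built. The same consideration applies to `-DENABLE_PKCS11=$(usex pkcs11)` in the src_configure hunk.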
@@ -118,6 +118,7 @@ fi
 
 PATCHES=(
        "${FILESDIR}/4.4.6-lto.patch"
+       "${FILESDIR}/4.6.2-gnutls-pkcs11.patch"
 )
 
 python_check_deps() {
@@ -201,6 +202,7 @@ src_configure() {
                -DENABLE_BROTLI=$(usex brotli)
                -DENABLE_CAP=$(usex filecaps caps)
                -DENABLE_GNUTLS=$(usex ssl)
+               -DENABLE_PKCS11=$(usex pkcs11)
                -DENABLE_ILBC=$(usex ilbc)
                -DENABLE_KERBEROS=$(usex kerberos)
                -DENABLE_LUA=$(usex lua)
