net-analyzer/wireshark: make PKCS support explicit

Wireshark automagically enables PKCS support if it finds corresponding symbols in gnutls at build time. This dependency is not recorded in the ebuild's RDEPEND for gnutls, which means changes in gnutls might break its ABI and consequently Wireshark. Fix this by adding USE=pkcs11 support in the ebuild, forwarding this to the Wireshark cmake build and depending on gnutls[pkcs11] when required. Closes: https://bugs.gentoo.org/967060 Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com> Part-of: https://github.com/gentoo/gentoo/pull/44894 Closes: https://github.com/gentoo/gentoo/pull/44894 Signed-off-by: Sam James <sam@gentoo.org>
2025-12-07 00:04:45 +03:00 · 2025-12-04 14:03:26 +01:00 · 2025-12-04 14:03:26 +01:00 · 58f4822f40
commit 58f4822f40
parent 8df0ca4518
3 changed files with 50 additions and 2 deletions
--- a/net-analyzer/wireshark/files/4.6.2-gnutls-pkcs11.patch
+++ b/net-analyzer/wireshark/files/4.6.2-gnutls-pkcs11.patch
@ -0,0 +1,45 @@
+Bug: https://bugs.gentoo.org/967060
+
+diff -rup wireshark-4.6.2/CMakeLists.txt wireshark-4.6.2-pkcs11/CMakeLists.txt
+--- wireshark-4.6.2/CMakeLists.txt	2025-12-04 13:48:57.732168127 +0100
+++ wireshark-4.6.2-pkcs11/CMakeLists.txt	2025-12-04 13:48:29.067453231 +0100
+@@ -1587,16 +1587,18 @@ if(GNUTLS_FOUND)
+ 	# Calculating public keys from PKCS #11 private keys requires GnuTLS
+ 	# 3.4.0 or greater.
+ 	#
+-	# Check that the support is present in case GnuTLS was compiled
+-	# --without-p11-kit as macos-setup.sh did until December 2020.
+-	cmake_push_check_state()
+-	if(WIN32 AND NOT MINGW)
+-		set(CMAKE_REQUIRED_DEFINITIONS -Dssize_t=int)
+-	endif()
+-	set(CMAKE_REQUIRED_INCLUDES ${GNUTLS_INCLUDE_DIRS})
+-	set(CMAKE_REQUIRED_LIBRARIES ${GNUTLS_LIBRARIES})
+-	check_symbol_exists(gnutls_pkcs11_obj_list_import_url4 gnutls/pkcs11.h HAVE_GNUTLS_PKCS11)
+-	cmake_pop_check_state()
+	if (ENABLE_PKCS11)
+		# Check that the support is present in case GnuTLS was compiled
+		# --without-p11-kit as macos-setup.sh did until December 2020.
+		cmake_push_check_state()
+		if(WIN32 AND NOT MINGW)
+			set(CMAKE_REQUIRED_DEFINITIONS -Dssize_t=int)
+		endif()
+		set(CMAKE_REQUIRED_INCLUDES ${GNUTLS_INCLUDE_DIRS})
+		set(CMAKE_REQUIRED_LIBRARIES ${GNUTLS_LIBRARIES})
+		check_symbol_exists(gnutls_pkcs11_obj_list_import_url4 gnutls/pkcs11.h HAVE_GNUTLS_PKCS11)
+		cmake_pop_check_state()
+	endif (PKCS11)
+ endif()
+ 
+ if (QT_FOUND)
+diff -rup wireshark-4.6.2/CMakeOptions.txt wireshark-4.6.2-pkcs11/CMakeOptions.txt
+--- wireshark-4.6.2/CMakeOptions.txt	2025-12-03 18:45:32.000000000 +0100
+++ wireshark-4.6.2-pkcs11/CMakeOptions.txt	2025-12-04 13:44:49.553654179 +0100
+@@ -106,6 +106,7 @@ option(ENABLE_NGHTTP3    "Build with HTT
+ option(ENABLE_LUA        "Build with Lua dissector support" ON)
+ option(ENABLE_SMI        "Build with libsmi snmp support" ON)
+ option(ENABLE_GNUTLS     "Build with RSA decryption support" ON)
+option(ENABLE_PKCS11     "Build with PKCS11 support" ON)
+ if(WIN32 AND USE_REPOSITORY)
+ 	option(ENABLE_WINSPARKLE "Enable automatic updates using WinSparkle" ON)
+ endif()
--- a/net-analyzer/wireshark/metadata.xml
+++ b/net-analyzer/wireshark/metadata.xml
@ -52,6 +52,7 @@
 		<flag name="minizip">Build with zip file compression support</flag>
 		<flag name="netlink">Use <pkg>dev-libs/libnl</pkg></flag>
 		<flag name="pcap">Use <pkg>net-libs/libpcap</pkg> for network packet capturing (build dumpcap, rawshark)</flag>
+		<flag name="pkcs11">Add support for PKCS in <pkg>net-libs/gnutls</pkg></flag>
 		<flag name="plugins">Install plugins</flag>
 		<flag name="randpkt">Install randpkt, a utility for creating pcap trace files full of random packets</flag>
 		<flag name="randpktdump">Install randpktdump, an extcap interface to provide access to the random packet generator (randpkt)</flag>
--- a/net-analyzer/wireshark/wireshark-4.6.2-r1.ebuild
+++ b/net-analyzer/wireshark/wireshark-4.6.2-r1.ebuild
@ -31,7 +31,7 @@ LICENSE="GPL-2"
 SLOT="0/${PV}"
 IUSE="androiddump bcg729 brotli +capinfos +captype ciscodump +dftest doc dpauxmon"
 IUSE+=" +dumpcap +editcap +gui http2 http3 ilbc kerberos lua lz4 maxminddb"
-IUSE+=" +mergecap +minizip +netlink opus +plugins +pcap +randpkt"
+IUSE+=" +mergecap +minizip +netlink opus pkcs11 +plugins +pcap +randpkt"
 IUSE+=" +randpktdump +reordercap sbc selinux +sharkd smi snappy spandsp sshdump ssl"
 IUSE+=" sdjournal test +text2pcap +tshark +udpdump wifi zlib +zstd"

@ -77,7 +77,7 @@ RDEPEND="
 	snappy? ( app-arch/snappy:= )
 	spandsp? ( media-libs/spandsp:= )
 	sshdump? ( >=net-libs/libssh-0.6:= )
-	ssl? ( >=net-libs/gnutls-3.5.8:= )
+	ssl? ( >=net-libs/gnutls-3.5.8:=[pkcs11?] )
 	wifi? ( >=net-libs/libssh-0.6:= )
 	zlib? ( virtual/zlib:= )
 	zstd? ( app-arch/zstd:= )
@ -118,6 +118,7 @@ fi

 PATCHES=(
 	"${FILESDIR}/4.4.6-lto.patch"
+	"${FILESDIR}/4.6.2-gnutls-pkcs11.patch"
 )

 python_check_deps() {
@ -201,6 +202,7 @@ src_configure() {
 		-DENABLE_BROTLI=$(usex brotli)
 		-DENABLE_CAP=$(usex filecaps caps)
 		-DENABLE_GNUTLS=$(usex ssl)
+		-DENABLE_PKCS11=$(usex pkcs11)
 		-DENABLE_ILBC=$(usex ilbc)
 		-DENABLE_KERBEROS=$(usex kerberos)
 		-DENABLE_LUA=$(usex lua)