From 58f4822f405d57e2131ea8cd4cf1356c702fbc64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Holger=20Hoffst=C3=A4tte?=
Date: Thu, 4 Dec 2025 14:03:26 +0100
Subject: [PATCH] net-analyzer/wireshark: make PKCS support explicit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Wireshark automagically enables PKCS support if it finds corresponding symbols in gnutls at build time. This dependency is not recorded in the ebuild's RDEPEND for gnutls, which means changes in gnutls might break its ABI and consequently Wireshark. Fix this by adding USE=pkcs11 support in the ebuild, forwarding this to the Wireshark cmake build and depending on gnutls[pkcs11] when required.
Closes: https://bugs.gentoo.org/967060
Signed-off-by: Holger Hoffstätte
Part-of: https://github.com/gentoo/gentoo/pull/44894
Closes: https://github.com/gentoo/gentoo/pull/44894
Signed-off-by: Sam James
---
 .../wireshark/files/4.6.2-gnutls-pkcs11.patch | 45 +++++++++++++++++++
 net-analyzer/wireshark/metadata.xml | 1 +
 ...4.6.2.ebuild => wireshark-4.6.2-r1.ebuild} | 6 ++-
 3 files changed, 50 insertions(+), 2 deletions(-)
 create mode 100644 net-analyzer/wireshark/files/4.6.2-gnutls-pkcs11.patch
 rename net-analyzer/wireshark/{wireshark-4.6.2.ebuild => wireshark-4.6.2-r1.ebuild} (97%)
diff --git a/net-analyzer/wireshark/files/4.6.2-gnutls-pkcs11.patch b/net-analyzer/wireshark/files/4.6.2-gnutls-pkcs11.patch
new file mode 100644
index 000000000000..dd01014f2570
--- /dev/null
+++ b/net-analyzer/wireshark/files/4.6.2-gnutls-pkcs11.patch
@@ -0,0 +1,45 @@
+Bug: https://bugs.gentoo.org/967060
+
+diff -rup wireshark-4.6.2/CMakeLists.txt wireshark-4.6.2-pkcs11/CMakeLists.txt
+--- wireshark-4.6.2/CMakeLists.txt 2025-12-04 13:48:57.732168127 +0100
++++ wireshark-4.6.2-pkcs11/CMakeLists.txt 2025-12-04 13:48:29.067453231 +0100
+@@ -1587,16 +1587,18 @@ if(GNUTLS_FOUND)
+ # Calculating public keys from PKCS #11 private keys requires GnuTLS
+ # 3.4.0 or greater.
+ #
+- # Check that the support is present in case GnuTLS was compiled
+- # --without-p11-kit as macos-setup.sh did until December 2020.
+- cmake_push_check_state()
+- if(WIN32 AND NOT MINGW)
+- set(CMAKE_REQUIRED_DEFINITIONS -Dssize_t=int)
+- endif()
+- set(CMAKE_REQUIRED_INCLUDES ${GNUTLS_INCLUDE_DIRS})
+- set(CMAKE_REQUIRED_LIBRARIES ${GNUTLS_LIBRARIES})
+- check_symbol_exists(gnutls_pkcs11_obj_list_import_url4 gnutls/pkcs11.h HAVE_GNUTLS_PKCS11)
+- cmake_pop_check_state()
++ if (ENABLE_PKCS11)
++ # Check that the support is present in case GnuTLS was compiled
++ # --without-p11-kit as macos-setup.sh did until December 2020.
++ cmake_push_check_state()
++ if(WIN32 AND NOT MINGW)
++ set(CMAKE_REQUIRED_DEFINITIONS -Dssize_t=int)
++ endif()
++ set(CMAKE_REQUIRED_INCLUDES ${GNUTLS_INCLUDE_DIRS})
++ set(CMAKE_REQUIRED_LIBRARIES ${GNUTLS_LIBRARIES})
++ check_symbol_exists(gnutls_pkcs11_obj_list_import_url4 gnutls/pkcs11.h HAVE_GNUTLS_PKCS11)
++ cmake_pop_check_state()
++ endif (PKCS11)
+ endif()
+ 
+ if (QT_FOUND)
+diff -rup wireshark-4.6.2/CMakeOptions.txt wireshark-4.6.2-pkcs11/CMakeOptions.txt
+--- wireshark-4.6.2/CMakeOptions.txt 2025-12-03 18:45:32.000000000 +0100
++++ wireshark-4.6.2-pkcs11/CMakeOptions.txt 2025-12-04 13:44:49.553654179 +0100
+@@ -106,6 +106,7 @@ option(ENABLE_NGHTTP3 "Build with HTT
+ option(ENABLE_LUA "Build with Lua dissector support" ON)
+ option(ENABLE_SMI "Build with libsmi snmp support" ON)
+ option(ENABLE_GNUTLS "Build with RSA decryption support" ON)
++option(ENABLE_PKCS11 "Build with PKCS11 support" ON)
+ if(WIN32 AND USE_REPOSITORY)
+ option(ENABLE_WINSPARKLE "Enable automatic updates using WinSparkle" ON)
+ endif()
diff --git a/net-analyzer/wireshark/metadata.xml b/net-analyzer/wireshark/metadata.xml
index 90aa7e6ec619..9c6129803d5a 100644
--- a/net-analyzer/wireshark/metadata.xml
+++ b/net-analyzer/wireshark/metadata.xml
@@ -52,6 +52,7 @@
 Build with zip file compression support
 Use dev-libs/libnl
 Use net-libs/libpcap for network packet capturing (build dumpcap, rawshark)
+ Add support for PKCS in net-libs/gnutls
 Install plugins
 Install randpkt, a utility for creating pcap trace files full of random packets
 Install randpktdump, an extcap interface to provide access to the random packet generator (randpkt)
diff --git a/net-analyzer/wireshark/wireshark-4.6.2.ebuild b/net-analyzer/wireshark/wireshark-4.6.2-r1.ebuild
similarity index 97%
rename from net-analyzer/wireshark/wireshark-4.6.2.ebuild
rename to net-analyzer/wireshark/wireshark-4.6.2-r1.ebuild
index 248611ee13c6..c072b12a20c6 100644
--- a/net-analyzer/wireshark/wireshark-4.6.2.ebuild
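Review bot: With `ENABLE_PKCS11=ON`, the `check_symbol_exists` probe in the embedded CMakeLists.txt change can still fail quietly, leaving `HAVE_GNUTLS_PKCS11` unset and the build without PKCS #11 key support even though it was requested, so the option is only half explicit. A guard after `cmake_pop_check_state()` would close that gap: `if(NOT HAVE_GNUTLS_PKCS11)`, `message(FATAL_ERROR "ENABLE_PKCS11 requested but GnuTLS lacks PKCS #11 support")`, `endif()`. The Gentoo dependency on `gnutls[pkcs11?]` presumably masks this inside Portage, but the patch itself does not enforce it. The new block is also closed with `endif (PKCS11)`, which does not repeat the `if (ENABLE_PKCS11)` condition; CMake documents the endif argument as legacy and, when present, a verbatim repeat of the opening condition, so a bare `endif()` is the cleaner form even if current CMake appears to tolerate the mismatch. The enclosing `if(GNUTLS_FOUND)` block starts outside the hunk.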
+++ b/net-analyzer/wireshark/wireshark-4.6.2-r1.ebuild
@@ -31,7 +31,7 @@ LICENSE="GPL-2"
 SLOT="0/${PV}"
 IUSE="androiddump bcg729 brotli +capinfos +captype ciscodump +dftest doc dpauxmon"
 IUSE+=" +dumpcap +editcap +gui http2 http3 ilbc kerberos lua lz4 maxminddb"
-IUSE+=" +mergecap +minizip +netlink opus +plugins +pcap +randpkt"
+IUSE+=" +mergecap +minizip +netlink opus pkcs11 +plugins +pcap +randpkt"
 IUSE+=" +randpktdump +reordercap sbc selinux +sharkd smi snappy spandsp sshdump ssl"
 IUSE+=" sdjournal test +text2pcap +tshark +udpdump wifi zlib +zstd"
@@ -77,7 +77,7 @@ RDEPEND="
 snappy? ( app-arch/snappy:= )
 spandsp? ( media-libs/spandsp:= )
 sshdump? ( >=net-libs/libssh-0.6:= )
- ssl? ( >=net-libs/gnutls-3.5.8:= )
+ ssl? ( >=net-libs/gnutls-3.5.8:=[pkcs11?] )
 wifi? ( >=net-libs/libssh-0.6:= )
 zlib? ( virtual/zlib:= )
 zstd? ( app-arch/zstd:= )
@@ -118,6 +118,7 @@ fi
 PATCHES=(
 "${FILESDIR}/4.4.6-lto.patch"
+ "${FILESDIR}/4.6.2-gnutls-pkcs11.patch"
 )
 python_check_deps() {
@@ -201,6 +202,7 @@ src_configure() {
 -DENABLE_BROTLI=$(usex brotli)
 -DENABLE_CAP=$(usex filecaps caps)
 -DENABLE_GNUTLS=$(usex ssl)
+ -DENABLE_PKCS11=$(usex pkcs11)
 -DENABLE_ILBC=$(usex ilbc)
 -DENABLE_KERBEROS=$(usex kerberos)
 -DENABLE_LUA=$(usex lua)
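Review bot: In the RDEPEND hunk, `[pkcs11?]` is applied only inside `ssl? ( ... )`, while the src_configure hunk forwards `-DENABLE_PKCS11=$(usex pkcs11)` unconditionally, so USE="pkcs11 -ssl" is accepted but appears to do nothing, because the patched CMake check sits inside `if(GNUTLS_FOUND)`. If REQUIRED_USE (not visible in these hunks) does not already cover it, adding `pkcs11? ( ssl )` there would turn a silently ignored flag into an explicit error. The IUSE hunk also adds `pkcs11` without a `+` default, so an upgrade from 4.6.2 to -r1 drops PKCS #11 key support that was previously picked up automatically, unless the user sets USE=pkcs11; that may be intended, but it deserves a mention for users who rely on token-backed keys. RDEPEND and src_configure both continue outside the hunks.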