Commit: 57e5b1d503704dc9072fcea50db71250d4124b60
Parent: 34a346e664e5262685fbb509537de81d2ab04999
Author: Randy Palamar
Date: Sat, 2 Mar 2024 06:18:37 -0700
app-crypt/gnupg: bump to 2.4.4
Diffstat:
6 files changed, 375 insertions(+), 768 deletions(-)
diff --git a/app-crypt/gnupg/Manifest b/app-crypt/gnupg/Manifest
@@ -1,2 +1,2 @@
-DIST gnupg-2.4.3.tar.bz2 7351327 BLAKE2B b7f4f5e548ec6dfc89cf8792f507ee8642e8500692998cf8d2edc9f5d8002904d24a714b9caffabee6094707c4595e0f54197535135622a7a32aa772f5818f28 SHA512 193a9398445272ec3eb5b79e802efb7414f74bcfffc3db0bf72c0056e04228120c419ed91db168e5733a16a33e548bab5368dd9cf11ecd483825bce189341a1e
-DIST gnupg-2.4.3.tar.bz2.sig 119 BLAKE2B 763c0569e5378e132de39e1583c19bae8912455bf7cd5a65bcfc88fa43be99fb6bbf8397192b3086db2f6f0f63fc25789f5e6ce98b2fe63cda3bf673b1c60a20 SHA512 7affff694d194c3befdfc865a7872c0883304ea704e3691eac328d802f12f4f82c2a93eaa1257d3e09b38494b38185f5b8cf35c964f0c3846bbb29b93727ffee
+DIST gnupg-2.4.4.tar.bz2 7886036 BLAKE2B 02661e89f0358be09fa3e71e7235b764a7dbda62a48a0c8c7a4e6c9919c3b37d54ead50b930af58f8f2fdb87861b849d3f3751e95cbedf46bdfd76caa90c4db4 SHA512 3d1a3b08d1ce2319d238d8be96591e418ede1dc0b4ede33a4cc2fe40e9c56d5bbc27b1984736d8a786e7f292ddbc836846a8bdb4bf89f064e953c37cb54b94ef
+DIST gnupg-2.4.4.tar.bz2.sig 237 BLAKE2B 6ee5878c36fbec747a6d84a268903749d862aab50dd7f9a389aabbf7b94dec1c424615f520b5f4a6d44e02093e8d9ad0b08d0c6cf6fd8886d8c174ce9faac99c SHA512 3ae7b6833576df851901a7619459b514bb82faeed350c864a57a782719d21f694d9ced5a3445c81dfa584a0302f87fedc660b08ea97bb8b861e76d7c5b46d07f
diff --git a/app-crypt/gnupg/files/gnupg-2.4.2-fix-emacs.patch b/app-crypt/gnupg/files/gnupg-2.4.2-fix-emacs.patch
@@ -1,564 +0,0 @@
-https://bugs.gentoo.org/907839
-https://dev.gnupg.org/T6481
-https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2f872fa68c6576724b9dabee9fb0844266f55d0d
-
-From 2f872fa68c6576724b9dabee9fb0844266f55d0d Mon Sep 17 00:00:00 2001
-From: NIIBE Yutaka <gniibe@fsij.org>
-Date: Wed, 24 May 2023 10:36:04 +0900
-Subject: [PATCH] gpg: Report BEGIN_* status before examining the input.
-
-* common/miscellaneous.c (is_openpgp_compressed_packet)
-(is_file_compressed): Moved to ...
-* common/iobuf.c: ... in this file.
-(is_file_compressed): Change the argument to INP, the iobuf.
-* common/util.h (is_file_compressed): Remove.
-* common/iobuf.h (is_file_compressed): Add.
-* g10/cipher-aead.c (write_header): Don't call write_status_printf
-here.
-(cipher_filter_aead): Call write_status_printf when called with
-IOBUFCTRL_INIT.
-* g10/cipher-cfb.c (write_header): Don't call write_status_printf
-here.
-(cipher_filter_cfb): Call write_status_printf when called with
-IOBUFCTRL_INIT.
-* g10/encrypt.c (encrypt_simple): Use new is_file_compressed function,
-after call of iobuf_push_filter.
-(encrypt_crypt): Likewise.
-* g10/sign.c (sign_file): Likewise.
-
---
-
-GnuPG-bug-id: 6481
-Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---- a/common/iobuf.c
-+++ b/common/iobuf.c
-@@ -3057,3 +3057,123 @@ iobuf_skip_rest (iobuf_t a, unsigned long n, int partial)
- }
- }
- }
-+
-+
-+/* Check whether (BUF,LEN) is valid header for an OpenPGP compressed
-+ * packet. LEN should be at least 6. */
-+static int
-+is_openpgp_compressed_packet (const unsigned char *buf, size_t len)
-+{
-+ int c, ctb, pkttype;
-+ int lenbytes;
-+
-+ ctb = *buf++; len--;
-+ if (!(ctb & 0x80))
-+ return 0; /* Invalid packet. */
-+
-+ if ((ctb & 0x40)) /* New style (OpenPGP) CTB. */
-+ {
-+ pkttype = (ctb & 0x3f);
-+ if (!len)
-+ return 0; /* Expected first length octet missing. */
-+ c = *buf++; len--;
-+ if (c < 192)
-+ ;
-+ else if (c < 224)
-+ {
-+ if (!len)
-+ return 0; /* Expected second length octet missing. */
-+ }
-+ else if (c == 255)
-+ {
-+ if (len < 4)
-+ return 0; /* Expected length octets missing */
-+ }
-+ }
-+ else /* Old style CTB. */
-+ {
-+ pkttype = (ctb>>2)&0xf;
-+ lenbytes = ((ctb&3)==3)? 0 : (1<<(ctb & 3));
-+ if (len < lenbytes)
-+ return 0; /* Not enough length bytes. */
-+ }
-+
-+ return (pkttype == 8);
-+}
-+
-+
-+/*
-+ * Check if the file is compressed, by peeking the iobuf. You need to
-+ * pass the iobuf with INP. Returns true if the buffer seems to be
-+ * compressed.
-+ */
-+int
-+is_file_compressed (iobuf_t inp)
-+{
-+ int i;
-+ char buf[32];
-+ int buflen;
-+
-+ struct magic_compress_s
-+ {
-+ byte len;
-+ byte extchk;
-+ byte magic[5];
-+ } magic[] =
-+ {
-+ { 3, 0, { 0x42, 0x5a, 0x68, 0x00 } }, /* bzip2 */
-+ { 3, 0, { 0x1f, 0x8b, 0x08, 0x00 } }, /* gzip */
-+ { 4, 0, { 0x50, 0x4b, 0x03, 0x04 } }, /* (pk)zip */
-+ { 5, 0, { '%', 'P', 'D', 'F', '-'} }, /* PDF */
-+ { 4, 1, { 0xff, 0xd8, 0xff, 0xe0 } }, /* Maybe JFIF */
-+ { 5, 2, { 0x89, 'P','N','G', 0x0d} } /* Likely PNG */
-+ };
-+
-+ if (!inp)
-+ return 0;
-+
-+ for ( ; inp->chain; inp = inp->chain )
-+ ;
-+
-+ buflen = iobuf_ioctl (inp, IOBUF_IOCTL_PEEK, sizeof buf, buf);
-+ if (buflen < 0)
-+ {
-+ buflen = 0;
-+ log_debug ("peeking at input failed\n");
-+ }
-+
-+ if ( buflen < 6 )
-+ {
-+ return 0; /* Too short to check - assume uncompressed. */
-+ }
-+
-+ for ( i = 0; i < DIM (magic); i++ )
-+ {
-+ if (!memcmp( buf, magic[i].magic, magic[i].len))
-+ {
-+ switch (magic[i].extchk)
-+ {
-+ case 0:
-+ return 1; /* Is compressed. */
-+ case 1:
-+ if (buflen > 11 && !memcmp (buf + 6, "JFIF", 5))
-+ return 1; /* JFIF: this likely a compressed JPEG. */
-+ break;
-+ case 2:
-+ if (buflen > 8
-+ && buf[5] == 0x0a && buf[6] == 0x1a && buf[7] == 0x0a)
-+ return 1; /* This is a PNG. */
-+ break;
-+ default:
-+ break;
-+ }
-+ }
-+ }
-+
-+ if (buflen >= 6 && is_openpgp_compressed_packet (buf, buflen))
-+ {
-+ return 1; /* Already compressed. */
-+ }
-+
-+ return 0; /* Not detected as compressed. */
-+}
---- a/common/iobuf.h
-+++ b/common/iobuf.h
-@@ -629,6 +629,9 @@ void iobuf_set_partial_body_length_mode (iobuf_t a, size_t len);
- from the following filter (which may or may not return EOF). */
- void iobuf_skip_rest (iobuf_t a, unsigned long n, int partial);
-
-+/* Check if the file is compressed, by peeking the iobuf. */
-+int is_file_compressed (iobuf_t inp);
-+
- #define iobuf_where(a) "[don't know]"
-
- /* Each time a filter is allocated (via iobuf_alloc()), a
---- a/common/miscellaneous.c
-+++ b/common/miscellaneous.c
-@@ -415,112 +415,6 @@ decode_c_string (const char *src)
- }
-
-
--/* Check whether (BUF,LEN) is valid header for an OpenPGP compressed
-- * packet. LEN should be at least 6. */
--static int
--is_openpgp_compressed_packet (const unsigned char *buf, size_t len)
--{
-- int c, ctb, pkttype;
-- int lenbytes;
--
-- ctb = *buf++; len--;
-- if (!(ctb & 0x80))
-- return 0; /* Invalid packet. */
--
-- if ((ctb & 0x40)) /* New style (OpenPGP) CTB. */
-- {
-- pkttype = (ctb & 0x3f);
-- if (!len)
-- return 0; /* Expected first length octet missing. */
-- c = *buf++; len--;
-- if (c < 192)
-- ;
-- else if (c < 224)
-- {
-- if (!len)
-- return 0; /* Expected second length octet missing. */
-- }
-- else if (c == 255)
-- {
-- if (len < 4)
-- return 0; /* Expected length octets missing */
-- }
-- }
-- else /* Old style CTB. */
-- {
-- pkttype = (ctb>>2)&0xf;
-- lenbytes = ((ctb&3)==3)? 0 : (1<<(ctb & 3));
-- if (len < lenbytes)
-- return 0; /* Not enough length bytes. */
-- }
--
-- return (pkttype == 8);
--}
--
--
--
--/*
-- * Check if the file is compressed. You need to pass the first bytes
-- * of the file as (BUF,BUFLEN). Returns true if the buffer seems to
-- * be compressed.
-- */
--int
--is_file_compressed (const byte *buf, unsigned int buflen)
--{
-- int i;
--
-- struct magic_compress_s
-- {
-- byte len;
-- byte extchk;
-- byte magic[5];
-- } magic[] =
-- {
-- { 3, 0, { 0x42, 0x5a, 0x68, 0x00 } }, /* bzip2 */
-- { 3, 0, { 0x1f, 0x8b, 0x08, 0x00 } }, /* gzip */
-- { 4, 0, { 0x50, 0x4b, 0x03, 0x04 } }, /* (pk)zip */
-- { 5, 0, { '%', 'P', 'D', 'F', '-'} }, /* PDF */
-- { 4, 1, { 0xff, 0xd8, 0xff, 0xe0 } }, /* Maybe JFIF */
-- { 5, 2, { 0x89, 'P','N','G', 0x0d} } /* Likely PNG */
-- };
--
-- if ( buflen < 6 )
-- {
-- return 0; /* Too short to check - assume uncompressed. */
-- }
--
-- for ( i = 0; i < DIM (magic); i++ )
-- {
-- if (!memcmp( buf, magic[i].magic, magic[i].len))
-- {
-- switch (magic[i].extchk)
-- {
-- case 0:
-- return 1; /* Is compressed. */
-- case 1:
-- if (buflen > 11 && !memcmp (buf + 6, "JFIF", 5))
-- return 1; /* JFIF: this likely a compressed JPEG. */
-- break;
-- case 2:
-- if (buflen > 8
-- && buf[5] == 0x0a && buf[6] == 0x1a && buf[7] == 0x0a)
-- return 1; /* This is a PNG. */
-- break;
-- default:
-- break;
-- }
-- }
-- }
--
-- if (buflen >= 6 && is_openpgp_compressed_packet (buf, buflen))
-- {
-- return 1; /* Already compressed. */
-- }
--
-- return 0; /* Not detected as compressed. */
--}
--
--
- /* Try match against each substring of multistr, delimited by | */
- int
- match_multistr (const char *multistr,const char *match)
---- a/common/util.h
-+++ b/common/util.h
-@@ -360,8 +360,6 @@ char *try_make_printable_string (const void *p, size_t n, int delim);
- char *make_printable_string (const void *p, size_t n, int delim);
- char *decode_c_string (const char *src);
-
--int is_file_compressed (const byte *buf, unsigned int buflen);
--
- int match_multistr (const char *multistr,const char *match);
-
- int gnupg_compare_version (const char *a, const char *b);
---- a/g10/cipher-aead.c
-+++ b/g10/cipher-aead.c
-@@ -174,8 +174,6 @@ write_header (cipher_filter_context_t *cfx, iobuf_t a)
- log_debug ("aead packet: len=%lu extralen=%d\n",
- (unsigned long)ed.len, ed.extralen);
-
-- write_status_printf (STATUS_BEGIN_ENCRYPTION, "0 %d %d",
-- cfx->dek->algo, ed.aead_algo);
- print_cipher_algo_note (cfx->dek->algo);
-
- if (build_packet( a, &pkt))
-@@ -488,6 +486,11 @@ cipher_filter_aead (void *opaque, int control,
- {
- mem2str (buf, "cipher_filter_aead", *ret_len);
- }
-+ else if (control == IOBUFCTRL_INIT)
-+ {
-+ write_status_printf (STATUS_BEGIN_ENCRYPTION, "0 %d %d",
-+ cfx->dek->algo, cfx->dek->use_aead);
-+ }
-
- return rc;
- }
---- a/g10/cipher-cfb.c
-+++ b/g10/cipher-cfb.c
-@@ -72,9 +72,6 @@ write_header (cipher_filter_context_t *cfx, iobuf_t a)
- log_info (_("Hint: Do not use option %s\n"), "--rfc2440");
- }
-
-- write_status_printf (STATUS_BEGIN_ENCRYPTION, "%d %d",
-- ed.mdc_method, cfx->dek->algo);
--
- init_packet (&pkt);
- pkt.pkttype = cfx->dek->use_mdc? PKT_ENCRYPTED_MDC : PKT_ENCRYPTED;
- pkt.pkt.encrypted = &ed;
-@@ -182,6 +179,12 @@ cipher_filter_cfb (void *opaque, int control,
- {
- mem2str (buf, "cipher_filter_cfb", *ret_len);
- }
-+ else if (control == IOBUFCTRL_INIT)
-+ {
-+ write_status_printf (STATUS_BEGIN_ENCRYPTION, "%d %d",
-+ cfx->dek->use_mdc ? DIGEST_ALGO_SHA1 : 0,
-+ cfx->dek->algo);
-+ }
-
- return rc;
- }
---- a/g10/encrypt.c
-+++ b/g10/encrypt.c
-@@ -410,8 +410,6 @@ encrypt_simple (const char *filename, int mode, int use_seskey)
- text_filter_context_t tfx;
- progress_filter_context_t *pfx;
- int do_compress = !!default_compress_algo();
-- char peekbuf[32];
-- int peekbuflen;
-
- if (!gnupg_rng_is_compliant (opt.compliance))
- {
-@@ -448,14 +446,6 @@ encrypt_simple (const char *filename, int mode, int use_seskey)
- return rc;
- }
-
-- peekbuflen = iobuf_ioctl (inp, IOBUF_IOCTL_PEEK, sizeof peekbuf, peekbuf);
-- if (peekbuflen < 0)
-- {
-- peekbuflen = 0;
-- if (DBG_FILTER)
-- log_debug ("peeking at input failed\n");
-- }
--
- handle_progress (pfx, inp, filename);
-
- if (opt.textmode)
-@@ -517,17 +507,6 @@ encrypt_simple (const char *filename, int mode, int use_seskey)
- /**/ : "CFB");
- }
-
-- if (do_compress
-- && cfx.dek
-- && (cfx.dek->use_mdc || cfx.dek->use_aead)
-- && !opt.explicit_compress_option
-- && is_file_compressed (peekbuf, peekbuflen))
-- {
-- if (opt.verbose)
-- log_info(_("'%s' already compressed\n"), filename? filename: "[stdin]");
-- do_compress = 0;
-- }
--
- if ( rc || (rc = open_outfile (-1, filename, opt.armor? 1:0, 0, &out )))
- {
- iobuf_cancel (inp);
-@@ -598,6 +577,24 @@ encrypt_simple (const char *filename, int mode, int use_seskey)
- else
- filesize = opt.set_filesize ? opt.set_filesize : 0; /* stdin */
-
-+ /* Register the cipher filter. */
-+ if (mode)
-+ iobuf_push_filter (out,
-+ cfx.dek->use_aead? cipher_filter_aead
-+ /**/ : cipher_filter_cfb,
-+ &cfx );
-+
-+ if (do_compress
-+ && cfx.dek
-+ && (cfx.dek->use_mdc || cfx.dek->use_aead)
-+ && !opt.explicit_compress_option
-+ && is_file_compressed (inp))
-+ {
-+ if (opt.verbose)
-+ log_info(_("'%s' already compressed\n"), filename? filename: "[stdin]");
-+ do_compress = 0;
-+ }
-+
- if (!opt.no_literal)
- {
- /* Note that PT has been initialized above in !no_literal mode. */
-@@ -617,13 +614,6 @@ encrypt_simple (const char *filename, int mode, int use_seskey)
- pkt.pkt.generic = NULL;
- }
-
-- /* Register the cipher filter. */
-- if (mode)
-- iobuf_push_filter (out,
-- cfx.dek->use_aead? cipher_filter_aead
-- /**/ : cipher_filter_cfb,
-- &cfx );
--
- /* Register the compress filter. */
- if ( do_compress )
- {
-@@ -783,7 +773,7 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
- PKT_plaintext *pt = NULL;
- DEK *symkey_dek = NULL;
- STRING2KEY *symkey_s2k = NULL;
-- int rc = 0, rc2 = 0;
-+ int rc = 0;
- u32 filesize;
- cipher_filter_context_t cfx;
- armor_filter_context_t *afx = NULL;
-@@ -792,8 +782,6 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
- progress_filter_context_t *pfx;
- PK_LIST pk_list;
- int do_compress;
-- char peekbuf[32];
-- int peekbuflen;
-
- if (filefd != -1 && filename)
- return gpg_error (GPG_ERR_INV_ARG); /* Both given. */
-@@ -866,14 +854,6 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
- if (opt.verbose)
- log_info (_("reading from '%s'\n"), iobuf_get_fname_nonnull (inp));
-
-- peekbuflen = iobuf_ioctl (inp, IOBUF_IOCTL_PEEK, sizeof peekbuf, peekbuf);
-- if (peekbuflen < 0)
-- {
-- peekbuflen = 0;
-- if (DBG_FILTER)
-- log_debug ("peeking at input failed\n");
-- }
--
- handle_progress (pfx, inp, filename);
-
- if (opt.textmode)
-@@ -900,25 +880,6 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
- if (!cfx.dek->use_aead)
- cfx.dek->use_mdc = !!use_mdc (pk_list, cfx.dek->algo);
-
-- /* Only do the is-file-already-compressed check if we are using a
-- * MDC or AEAD. This forces compressed files to be re-compressed if
-- * we do not have a MDC to give some protection against chosen
-- * ciphertext attacks. */
-- if (do_compress
-- && (cfx.dek->use_mdc || cfx.dek->use_aead)
-- && !opt.explicit_compress_option
-- && is_file_compressed (peekbuf, peekbuflen))
-- {
-- if (opt.verbose)
-- log_info(_("'%s' already compressed\n"), filename? filename: "[stdin]");
-- do_compress = 0;
-- }
-- if (rc2)
-- {
-- rc = rc2;
-- goto leave;
-- }
--
- make_session_key (cfx.dek);
- if (DBG_CRYPTO)
- log_printhex (cfx.dek->key, cfx.dek->keylen, "DEK is: ");
-@@ -960,6 +921,26 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
- else
- filesize = opt.set_filesize ? opt.set_filesize : 0; /* stdin */
-
-+ /* Register the cipher filter. */
-+ iobuf_push_filter (out,
-+ cfx.dek->use_aead? cipher_filter_aead
-+ /**/ : cipher_filter_cfb,
-+ &cfx);
-+
-+ /* Only do the is-file-already-compressed check if we are using a
-+ * MDC or AEAD. This forces compressed files to be re-compressed if
-+ * we do not have a MDC to give some protection against chosen
-+ * ciphertext attacks. */
-+ if (do_compress
-+ && (cfx.dek->use_mdc || cfx.dek->use_aead)
-+ && !opt.explicit_compress_option
-+ && is_file_compressed (inp))
-+ {
-+ if (opt.verbose)
-+ log_info(_("'%s' already compressed\n"), filename? filename: "[stdin]");
-+ do_compress = 0;
-+ }
-+
- if (!opt.no_literal)
- {
- pt->timestamp = make_timestamp();
-@@ -974,12 +955,6 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
- else
- cfx.datalen = filesize && !do_compress ? filesize : 0;
-
-- /* Register the cipher filter. */
-- iobuf_push_filter (out,
-- cfx.dek->use_aead? cipher_filter_aead
-- /**/ : cipher_filter_cfb,
-- &cfx);
--
- /* Register the compress filter. */
- if (do_compress)
- {
---- a/g10/sign.c
-+++ b/g10/sign.c
-@@ -1035,9 +1035,6 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
- int multifile = 0;
- u32 duration=0;
- pt_extra_hash_data_t extrahash = NULL;
-- char peekbuf[32];
-- int peekbuflen = 0;
--
-
- pfx = new_progress_context ();
- afx = new_armor_context ();
-@@ -1096,14 +1093,6 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
- goto leave;
- }
-
-- peekbuflen = iobuf_ioctl (inp, IOBUF_IOCTL_PEEK, sizeof peekbuf, peekbuf);
-- if (peekbuflen < 0)
-- {
-- peekbuflen = 0;
-- if (DBG_FILTER)
-- log_debug ("peeking at input failed\n");
-- }
--
- handle_progress (pfx, inp, fname);
- }
-
-@@ -1261,7 +1250,7 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
- int compr_algo = opt.compress_algo;
-
- if (!opt.explicit_compress_option
-- && is_file_compressed (peekbuf, peekbuflen))
-+ && is_file_compressed (inp))
- {
- if (opt.verbose)
- log_info(_("'%s' already compressed\n"), fname? fname: "[stdin]");
---
-2.11.0
diff --git a/app-crypt/gnupg/files/gnupg-2.4.3-no-ldap.patch b/app-crypt/gnupg/files/gnupg-2.4.3-no-ldap.patch
@@ -1,28 +0,0 @@
-https://dev.gnupg.org/T6579
-https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=dc13361524c1477b2106c7385f2059f9ea111b84
-
-From dc13361524c1477b2106c7385f2059f9ea111b84 Mon Sep 17 00:00:00 2001
-From: NIIBE Yutaka <gniibe@fsij.org>
-Date: Wed, 5 Jul 2023 09:29:54 +0900
-Subject: [PATCH] dirmngr: Enable the call of ks_ldap_help_variables when
- USE_LDAP.
-
-* dirmngr/server.c [USE_LDAP] (cmd_ad_query): Conditionalize.
-
---
-
-Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---- a/dirmngr/server.c
-+++ b/dirmngr/server.c
-@@ -2776,7 +2776,9 @@ cmd_ad_query (assuan_context_t ctx, char *line)
-
- if (opt_help)
- {
-+#if USE_LDAP
- ks_ldap_help_variables (ctrl);
-+#endif
- err = 0;
- goto leave;
- }
---
-2.11.0
diff --git a/app-crypt/gnupg/files/gnupg-2.4.4-dirmngr-proxy.patch b/app-crypt/gnupg/files/gnupg-2.4.4-dirmngr-proxy.patch
@@ -0,0 +1,202 @@
+https://bugs.gentoo.org/924606
+https://dev.gnupg.org/T6997
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=04cbc3074aa98660b513a80f623a7e9f0702c7c9
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=848546b05ab0ff6abd47724ecfab73bf32dd4c01
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2810b934647edd483996bee1f5f9256a162b2705
+
+From 6236978d78886cbb476ed9fbc49ff99c7582b2d7 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Thu, 15 Feb 2024 15:38:34 +0900
+Subject: [PATCH 1/3] dirmngr: Fix proxy with TLS.
+
+* dirmngr/http.c (proxy_get_token, run_proxy_connect): Always
+available regardless of USE_TLS.
+(run_proxy_connect): Use log_debug_string.
+(send_request): Remove USE_TLS.
+
+--
+
+Since the commit of
+
+ 1009e4e5f71347a1fe194e59a9d88c8034a67016
+
+Building with TLS library is mandatory.
+
+GnuPG-bug-id: 6997
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ dirmngr/http.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/dirmngr/http.c b/dirmngr/http.c
+index 4899a5d55..10eecfdb0 100644
+--- a/dirmngr/http.c
++++ b/dirmngr/http.c
+@@ -2362,7 +2362,6 @@ run_gnutls_handshake (http_t hd, const char *server)
+ * NULL, decode the string and use this as input from teh server. On
+ * success the final output token is stored at PROXY->OUTTOKEN and
+ * OUTTOKLEN. IF the authentication succeeded OUTTOKLEN is zero. */
+-#ifdef USE_TLS
+ static gpg_error_t
+ proxy_get_token (proxy_info_t proxy, const char *inputstring)
+ {
+@@ -2530,11 +2529,9 @@ proxy_get_token (proxy_info_t proxy, const char *inputstring)
+
+ #endif /*!HAVE_W32_SYSTEM*/
+ }
+-#endif /*USE_TLS*/
+
+
+ /* Use the CONNECT method to proxy our TLS stream. */
+-#ifdef USE_TLS
+ static gpg_error_t
+ run_proxy_connect (http_t hd, proxy_info_t proxy,
+ const char *httphost, const char *server,
+@@ -2586,7 +2583,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
+ hd->keep_alive = !auth_basic; /* We may need to send more requests. */
+
+ if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP))
+- log_debug_with_string (request, "http.c:proxy:request:");
++ log_debug_string (request, "http.c:proxy:request:");
+
+ if (!hd->fp_write)
+ {
+@@ -2743,7 +2740,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
+ xfree (tmpstr);
+ return err;
+ }
+-#endif /*USE_TLS*/
+
+
+ /* Make a request string using a standard proxy. On success the
+@@ -2903,7 +2899,6 @@ send_request (ctrl_t ctrl,
+ goto leave;
+ }
+
+-#if USE_TLS
+ if (use_http_proxy && hd->uri->use_tls)
+ {
+ err = run_proxy_connect (hd, proxy, httphost, server, port);
+@@ -2915,7 +2910,6 @@ send_request (ctrl_t ctrl,
+ * clear the flag to indicate this. */
+ use_http_proxy = 0;
+ }
+-#endif /* USE_TLS */
+
+ #if HTTP_USE_NTBTLS
+ err = run_ntbtls_handshake (hd);
+--
+2.43.2
+
+From 68650eb6999e674fd2f1c78f47b68d3cd1d37ff0 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Fri, 16 Feb 2024 11:31:37 +0900
+Subject: [PATCH 2/3] dirmngr: Fix the regression of use of proxy for TLS
+ connection.
+
+* dirmngr/http.c (run_proxy_connect): Don't set keep_alive, since it
+causes resource leak of FP_WRITE.
+Don't try to read response body to fix the hang.
+
+--
+
+GnuPG-bug-id: 6997
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ dirmngr/http.c | 14 ++------------
+ 1 file changed, 2 insertions(+), 12 deletions(-)
+
+diff --git a/dirmngr/http.c b/dirmngr/http.c
+index 10eecfdb0..7ce01bacd 100644
+--- a/dirmngr/http.c
++++ b/dirmngr/http.c
+@@ -2553,6 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
+ * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication
+ */
+ auth_basic = !!proxy->uri->auth;
++ hd->keep_alive = 0;
+
+ /* For basic authentication we need to send just one request. */
+ if (auth_basic
+@@ -2574,13 +2575,12 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
+ httphost ? httphost : server,
+ port,
+ authhdr ? authhdr : "",
+- auth_basic? "" : "Connection: keep-alive\r\n");
++ hd->keep_alive? "Connection: keep-alive\r\n" : "");
+ if (!request)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
+- hd->keep_alive = !auth_basic; /* We may need to send more requests. */
+
+ if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP))
+ log_debug_string (request, "http.c:proxy:request:");
+@@ -2607,16 +2607,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
+ if (err)
+ goto leave;
+
+- {
+- unsigned long count = 0;
+-
+- while (es_getc (hd->fp_read) != EOF)
+- count++;
+- if (opt_debug)
+- log_debug ("http.c:proxy_connect: skipped %lu bytes of response-body\n",
+- count);
+- }
+-
+ /* Reset state. */
+ es_clearerr (hd->fp_read);
+ ((cookie_t)(hd->read_cookie))->up_to_empty_line = 1;
+--
+2.43.2
+
+From 7c7cbd94549d08780fc3767d6de8336b3f44e7d7 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Fri, 16 Feb 2024 16:24:26 +0900
+Subject: [PATCH 3/3] dirmngr: Fix keep-alive flag handling.
+
+* dirmngr/http.c (run_proxy_connect): Set KEEP_ALIVE if not Basic
+Authentication. Fix resource leak of FP_WRITE.
+
+--
+
+GnuPG-bug-id: 6997
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ dirmngr/http.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/dirmngr/http.c b/dirmngr/http.c
+index 7ce01bacd..da0c89ae5 100644
+--- a/dirmngr/http.c
++++ b/dirmngr/http.c
+@@ -2553,7 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
+ * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication
+ */
+ auth_basic = !!proxy->uri->auth;
+- hd->keep_alive = 0;
++ hd->keep_alive = !auth_basic; /* We may need to send more requests. */
+
+ /* For basic authentication we need to send just one request. */
+ if (auth_basic
+@@ -2717,6 +2717,14 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
+ }
+
+ leave:
++ if (hd->keep_alive)
++ {
++ es_fclose (hd->fp_write);
++ hd->fp_write = NULL;
++ /* The close has released the cookie and thus we better set it
++ * to NULL. */
++ hd->write_cookie = NULL;
++ }
+ /* Restore flags, destroy stream, reset state. */
+ hd->flags = saved_flags;
+ es_fclose (hd->fp_read);
+--
+2.43.2
+
diff --git a/app-crypt/gnupg/gnupg-2.4.3.ebuild b/app-crypt/gnupg/gnupg-2.4.3.ebuild
@@ -1,174 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-# Maintainers should:
-# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
-# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
-# (find the one for the current release then subscribe to it +
-# any subsequent ones linked within so you're covered for a while.)
-
-VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnupg.asc
-# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
-inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
-
-MY_P="${P/_/-}"
-
-DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
-HOMEPAGE="https://gnupg.org/"
-SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
-SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
-S="${WORKDIR}/${MY_P}"
-
-LICENSE="GPL-3+"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
-IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server"
-RESTRICT="!test? ( test )"
-REQUIRED_USE="test? ( tofu )"
-
-# Existence of executables is checked during configuration.
-# Note: On each bump, update dep bounds on each version from configure.ac!
-DEPEND="
- >=dev-libs/libassuan-2.5.0
- >=dev-libs/libgcrypt-1.9.1:=
- >=dev-libs/libgpg-error-1.46
- >=dev-libs/libksba-1.6.3
- >=dev-libs/npth-1.2
- >=net-misc/curl-7.10
- sys-libs/zlib
- bzip2? ( app-arch/bzip2 )
- ldap? ( net-nds/openldap:= )
- readline? ( sys-libs/readline:0= )
- smartcard? ( usb? ( virtual/libusb:1 ) )
- tofu? ( >=dev-db/sqlite-3.27 )
- tpm? ( >=app-crypt/tpm2-tss-2.4.0:= )
- ssl? ( >=net-libs/gnutls-3.0:0= )
-"
-RDEPEND="
- ${DEPEND}
- || (
- app-crypt/pinentry
- app-crypt/pinentry-dmenu
- )
- nls? ( virtual/libintl )
- selinux? ( sec-policy/selinux-gpg )
- wks-server? ( virtual/mta )
-"
-BDEPEND="
- virtual/pkgconfig
- doc? ( sys-apps/texinfo )
- nls? ( sys-devel/gettext )
- verify-sig? ( sec-keys/openpgp-keys-gnupg )
-"
-
-DOCS=(
- ChangeLog NEWS README THANKS TODO VERSION
- doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
-)
-
-PATCHES=(
- "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
- "${FILESDIR}"/${PN}-2.4.2-fix-emacs.patch
- "${FILESDIR}"/${P}-no-ldap.patch
-)
-
-src_prepare() {
- default
-}
-
-my_src_configure() {
- # Upstream don't support LTO, bug #854222.
- filter-lto
-
- local myconf=(
- $(use_enable bzip2)
- $(use_enable nls)
- $(use_enable smartcard scdaemon)
- $(use_enable ssl gnutls)
- $(use_enable test all-tests)
- $(use_enable test tests)
- $(use_enable tofu)
- $(use_enable tofu keyboxd)
- $(use_enable tofu sqlite)
- $(usex tpm '--with-tss=intel' '--disable-tpm2d')
- $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
- $(use_enable wks-server wks-tools)
- $(use_with ldap)
- $(use_with readline)
-
- # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
- # As of GnuPG 2.3, the mailprog substitution is used for the binary called
- # by wks-client & wks-server; and if it's autodetected but not not exist at
- # build time, then then 'gpg-wks-client --send' functionality will not
- # work. This has an unwanted side-effect in stage3 builds: there was a
- # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
- # the build where the install guide previously make the user chose the
- # logger & mta early in the install.
- --with-mailprog=/usr/libexec/sendmail
-
- --disable-ntbtls
- --enable-gpgsm
- --enable-large-secmem
-
- CC_FOR_BUILD="$(tc-getBUILD_CC)"
- GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
- KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
- LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
- LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
- NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
-
- $("${S}/configure" --help | grep -o -- '--without-.*-prefix')
- )
-
- if use prefix && use usb; then
- # bug #649598
- append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
- fi
-
- # bug #663142
- if use user-socket; then
- myconf+=( --enable-run-gnupg-user-socket )
- fi
-
- # glib fails and picks up clang's internal stdint.h causing weird errors
- tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
-
- econf "${myconf[@]}"
-}
-
-my_src_compile() {
- default
-
- use doc && emake -C doc html
-}
-
-my_src_test() {
- export TESTFLAGS="--parallel=$(makeopts_jobs)"
-
- default
-}
-
-my_src_install() {
- emake DESTDIR="${D}" install
-
- use tools && dobin tools/{gpgconf,gpgsplit,gpg-check-pattern} tools/make-dns-cert
-
- dosym gpg /usr/bin/gpg2
- dosym gpgv /usr/bin/gpgv2
- echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
- echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
-
- dodir /etc/env.d
- echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
-
- use doc && dodoc doc/gnupg.html/*
-}
-
-my_src_install_all() {
- einstalldocs
-
- use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
- use doc && dodoc doc/*.png
-}
diff --git a/app-crypt/gnupg/gnupg-2.4.4-r1.ebuild b/app-crypt/gnupg/gnupg-2.4.4-r1.ebuild
@@ -0,0 +1,171 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Maintainers should:
+# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
+# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
+# (find the one for the current release then subscribe to it +
+# any subsequent ones linked within so you're covered for a while.)
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
+# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
+inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
+
+MY_P="${P/_/-}"
+
+DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
+HOMEPAGE="https://gnupg.org/"
+SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
+SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="GPL-3+"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="test? ( tofu )"
+
+# Existence of executables is checked during configuration.
+# Note: On each bump, update dep bounds on each version from configure.ac!
+DEPEND="
+ >=dev-libs/libassuan-2.5.0
+ >=dev-libs/libgcrypt-1.9.1:=
+ >=dev-libs/libgpg-error-1.46
+ >=dev-libs/libksba-1.6.3
+ >=dev-libs/npth-1.2
+ >=net-misc/curl-7.10
+ sys-libs/zlib
+ bzip2? ( app-arch/bzip2 )
+ ldap? ( net-nds/openldap:= )
+ readline? ( sys-libs/readline:0= )
+ smartcard? ( usb? ( virtual/libusb:1 ) )
+ tofu? ( >=dev-db/sqlite-3.27 )
+ tpm? ( >=app-crypt/tpm2-tss-2.4.0:= )
+ ssl? ( >=net-libs/gnutls-3.2:0= )
+"
+RDEPEND="
+ ${DEPEND}
+ nls? ( virtual/libintl )
+ selinux? ( sec-policy/selinux-gpg )
+ wks-server? ( virtual/mta )
+"
+PDEPEND="
+ || (
+ app-crypt/pinentry
+ app-crypt/pinentry-dmenu
+ )
+"
+BDEPEND="
+ virtual/pkgconfig
+ doc? ( sys-apps/texinfo )
+ nls? ( sys-devel/gettext )
+ verify-sig? ( sec-keys/openpgp-keys-gnupg )
+"
+
+DOCS=(
+ ChangeLog NEWS README THANKS TODO VERSION
+ doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
+)
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
+ "${FILESDIR}"/${P}-dirmngr-proxy.patch #924606
+)
+
+src_prepare() {
+ default
+}
+
+my_src_configure() {
+ # Upstream don't support LTO, bug #854222.
+ filter-lto
+
+ local myconf=(
+ $(use_enable bzip2)
+ $(use_enable nls)
+ $(use_enable smartcard scdaemon)
+ $(use_enable ssl gnutls)
+ $(use_enable test all-tests)
+ $(use_enable test tests)
+ $(use_enable tofu)
+ $(use_enable tofu keyboxd)
+ $(use_enable tofu sqlite)
+ $(usex tpm '--with-tss=intel' '--disable-tpm2d')
+ $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
+ $(use_enable wks-server wks-tools)
+ $(use_with ldap)
+ $(use_with readline)
+
+ # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
+ # As of GnuPG 2.3, the mailprog substitution is used for the binary called
+ # by wks-client & wks-server; and if it's autodetected but not not exist at
+ # build time, then then 'gpg-wks-client --send' functionality will not
+ # work. This has an unwanted side-effect in stage3 builds: there was a
+ # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
+ # the build where the install guide previously make the user chose the
+ # logger & mta early in the install.
+ --with-mailprog=/usr/libexec/sendmail
+
+ --disable-ntbtls
+ --enable-gpgsm
+ --enable-large-secmem
+
+ CC_FOR_BUILD="$(tc-getBUILD_CC)"
+ ac_cv_path_GPGRT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpgrt-config"
+
+ $("${S}/configure" --help | grep -o -- '--without-.*-prefix')
+ )
+
+ if use prefix && use usb; then
+ # bug #649598
+ append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
+ fi
+
+ # bug #663142
+ if use user-socket; then
+ myconf+=( --enable-run-gnupg-user-socket )
+ fi
+
+ # glib fails and picks up clang's internal stdint.h causing weird errors
+ tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
+
+ econf "${myconf[@]}"
+}
+
+my_src_compile() {
+ default
+
+ use doc && emake -C doc html
+}
+
+my_src_test() {
+ export TESTFLAGS="--parallel=$(makeopts_jobs)"
+
+ default
+}
+
+my_src_install() {
+ emake DESTDIR="${D}" install
+
+ use tools && dobin tools/{gpgconf,gpgsplit,gpg-check-pattern} tools/make-dns-cert
+
+ dosym gpg /usr/bin/gpg2
+ dosym gpgv /usr/bin/gpgv2
+ echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
+ echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
+
+ dodir /etc/env.d
+ echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
+
+ use doc && dodoc doc/gnupg.html/*
+}
+
+my_src_install_all() {
+ einstalldocs
+
+ use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
+ use doc && dodoc doc/*.png
+}