From fc336c3313058e982009da1b390d1d731019d1e7 Mon Sep 17 00:00:00 2001
From: Kevin Mihelich <kevin@archlinuxarm.org>
Date: Fri, 16 Aug 2024 14:01:03 +0000
Subject: [PATCH] core/gnutls to 3.8.7-1

---
 core/gnutls/.SRCINFO     | 12 +++---
 core/gnutls/MR1866.patch | 81 ++++++++++++++++++++++++++++++++++++++++
 core/gnutls/PKGBUILD     | 19 ++++++----
 3 files changed, 100 insertions(+), 12 deletions(-)
 create mode 100644 core/gnutls/MR1866.patch

diff --git a/core/gnutls/.SRCINFO b/core/gnutls/.SRCINFO
index cbfb6fc3a..4a50eef11 100644
--- a/core/gnutls/.SRCINFO
+++ b/core/gnutls/.SRCINFO
@@ -1,6 +1,6 @@
 pkgbase = gnutls
 	pkgdesc = A library which provides a secure layer over a reliable transport layer
-	pkgver = 3.8.6
+	pkgver = 3.8.7
 	pkgrel = 1
 	url = https://www.gnutls.org/
 	arch = x86_64
@@ -25,14 +25,16 @@ pkgbase = gnutls
 	options = !zipman
 	backup = etc/gnutls/config
 	backup = etc/modules-load.d/gnutls.conf
-	source = https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.6.tar.xz
-	source = https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.6.tar.xz.sig
+	source = https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.7.1.tar.xz
+	source = https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/gnutls-3.8.7.1.tar.xz.sig
 	source = config
 	source = gnutls-ktls_disable_keyupdate_test.patch
-	validpgpkeys = 5D46CB0F763405A7053556F47A75A648B3F9220C
-	sha256sums = 2e1588aae53cb32d43937f1f4eca28febd9c0c7aa1734fc5dd61a7e81e0ebcdd
+	source = MR1866.patch
+	validpgpkeys = 462225C3B46F34879FC8496CD605848ED7E69871
+	sha256sums = 9ca0ddaccce28a74fa18d738744190afb3b0daebef74e6ad686bf7bef99abd60
 	sha256sums = SKIP
 	sha256sums = 22e614510fe52defe8c233ce3e5ead2205739fd967657ce3176ca121f3c562b5
 	sha256sums = 2a911615739cb327b6dced36b595ea10c89f40bb7274d062dab14a9ecfe89708
+	sha256sums = 4fe4b334d39eb0a845cda18da1cfdbcbd12ada5fffc9f41d400cee3d2695b509
 
 pkgname = gnutls
diff --git a/core/gnutls/MR1866.patch b/core/gnutls/MR1866.patch
new file mode 100644
index 000000000..b646d8fa1
--- /dev/null
+++ b/core/gnutls/MR1866.patch
@@ -0,0 +1,81 @@
+From b64e8e1f72a1c41d3df346c17efd49bcd65b1e8b Mon Sep 17 00:00:00 2001
+From: Andreas Metzler <ametzler@bebt.de>
+Date: Thu, 15 Aug 2024 12:42:56 +0200
+Subject: [PATCH 1/2] Also set ENABLE_DSA for tests in cert-tests subdirectory.
+
+Signed-off-by: Andreas Metzler <ametzler@bebt.de>
+---
+ tests/cert-tests/Makefile.am | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
+index ea5673d37e..5a695dbebc 100644
+--- a/tests/cert-tests/Makefile.am
++++ b/tests/cert-tests/Makefile.am
+@@ -180,6 +180,12 @@ if WINDOWS
+ TESTS_ENVIRONMENT += WINDOWS=1
+ endif
+ 
++if ENABLE_DSA
++TESTS_ENVIRONMENT += ENABLE_DSA=1
++else
++TESTS_ENVIRONMENT += ENABLE_DSA=0
++endif
++
+ if ENABLE_GOST
+ TESTS_ENVIRONMENT += ENABLE_GOST=1
+ else
+-- 
+GitLab
+
+
+From f3e8eac0586a19f4dafd89f68006a536b826e65a Mon Sep 17 00:00:00 2001
+From: Andreas Metzler <ametzler@bebt.de>
+Date: Thu, 15 Aug 2024 16:22:02 +0200
+Subject: [PATCH 2/2] revert back to datefudge for "openssl ocsp".
+
+openssl's -attime only changes the verification logic but not the
+generation.
+
+Broken by: d1bc7f644422c4d87edfcd9fafe7f292a1a3a6de
+
+Signed-off-by: Andreas Metzler <ametzler@bebt.de>
+---
+ tests/ocsp-tests/ocsp-must-staple-connection.sh | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/tests/ocsp-tests/ocsp-must-staple-connection.sh b/tests/ocsp-tests/ocsp-must-staple-connection.sh
+index bfa785e040..94d41ce245 100755
+--- a/tests/ocsp-tests/ocsp-must-staple-connection.sh
++++ b/tests/ocsp-tests/ocsp-must-staple-connection.sh
+@@ -48,6 +48,8 @@ fi
+ 
+ . "${srcdir}/scripts/common.sh"
+ 
++skip_if_no_datefudge
++
+ eval "${GETPORT}"
+ # Port for gnutls-serv
+ TLS_SERVER_PORT=$PORT
+@@ -69,7 +71,6 @@ fi
+ 
+ CERTDATE="2016-04-28 00:00:00"
+ TESTDATE="2016-04-29 00:00:00"
+-EPOCHTESTDATE=1461888000
+ EXP_OCSP_DATE="2016-03-27 00:00:00"
+ 
+ OCSP_PID=""
+@@ -129,8 +130,8 @@ cp "${srcdir}/ocsp-tests/certs/ocsp_index.txt.attr" ${ATTRFILE}
+ # SO_REUSEADDR usage.
+ PORT=${OCSP_PORT}
+ launch_bare_server \
+-	  "${OPENSSL}" ocsp -attime "${EPOCHTESTDATE}" \
+-	  -index "${INDEXFILE}" -text \
++	  "$FAKETIME" "${TESTDATE}" \
++	  "${OPENSSL}" ocsp -index "${INDEXFILE}" -text \
+ 	  -port "${OCSP_PORT}" \
+ 	  -rsigner "${srcdir}/ocsp-tests/certs/ocsp-server.pem" \
+ 	  -rkey "${srcdir}/ocsp-tests/certs/ocsp-server.key" \
+-- 
+GitLab
+
diff --git a/core/gnutls/PKGBUILD b/core/gnutls/PKGBUILD
index 3d9282f4e..7484f6d62 100644
--- a/core/gnutls/PKGBUILD
+++ b/core/gnutls/PKGBUILD
@@ -5,7 +5,7 @@
 #  - compile v7 with -D_TIME_BITS=64 -D_FILE_OFFSET_BITS=64
 
 pkgname=gnutls
-pkgver=3.8.6
+pkgver=3.8.7
 pkgrel=1
 pkgdesc="A library which provides a secure layer over a reliable transport layer"
 arch=('x86_64')
@@ -21,19 +21,24 @@ checkdepends=('net-tools' 'tpm2-tools')
 optdepends=('tpm2-tss: support for TPM2 wrapped keys')
 backup=(etc/gnutls/config
         etc/modules-load.d/gnutls.conf)
-source=(https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/${pkgname}-${pkgver}.tar.xz{,.sig}
+source=(#https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/${pkgname}-${pkgver}.tar.xz{,.sig}
+        https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/${pkgname}-${pkgver}.1.tar.xz{,.sig}
         config
-        gnutls-ktls_disable_keyupdate_test.patch)
-sha256sums=('2e1588aae53cb32d43937f1f4eca28febd9c0c7aa1734fc5dd61a7e81e0ebcdd'
+        gnutls-ktls_disable_keyupdate_test.patch
+        MR1866.patch)
+sha256sums=('9ca0ddaccce28a74fa18d738744190afb3b0daebef74e6ad686bf7bef99abd60'
             'SKIP'
             '22e614510fe52defe8c233ce3e5ead2205739fd967657ce3176ca121f3c562b5'
-            '2a911615739cb327b6dced36b595ea10c89f40bb7274d062dab14a9ecfe89708')
-#validpgpkeys=('462225C3B46F34879FC8496CD605848ED7E69871') # "Daiki Ueno <ueno@unixuser.org>"
-validpgpkeys=('5D46CB0F763405A7053556F47A75A648B3F9220C') # "Zoltan Fridrich <zfridric@redhat.com>"
+            '2a911615739cb327b6dced36b595ea10c89f40bb7274d062dab14a9ecfe89708'
+            '4fe4b334d39eb0a845cda18da1cfdbcbd12ada5fffc9f41d400cee3d2695b509')
+validpgpkeys=('462225C3B46F34879FC8496CD605848ED7E69871') # "Daiki Ueno <ueno@unixuser.org>"
+#validpgpkeys=('5D46CB0F763405A7053556F47A75A648B3F9220C') # "Zoltan Fridrich <zfridric@redhat.com>"
 
 prepare() {
   cd ${pkgname}-${pkgver}
   patch -Np1 -i ../gnutls-ktls_disable_keyupdate_test.patch
+  # fix broken test
+  patch -Np1 -i ../MR1866.patch
   autoreconf -vfi
 }