From: Sergey Matveev <stargrave@stargrave.org>
Date: Tue, 10 Feb 2026 12:48:48 +0000 (+0300)
Subject: GnuTLS with PQ algorithms
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=a90ab75b7903ddc11430e612b07e19485d91d7f060ab809308910376344d005d;p=bass.git

GnuTLS with PQ algorithms
---

diff --git a/build/distfiles/.gitignore b/build/distfiles/.gitignore
index 66b957f..72ad59d 100644
--- a/build/distfiles/.gitignore
+++ b/build/distfiles/.gitignore
@@ -107,6 +107,7 @@
 /json-glib-1.10.6.tar.xz
 /lame-3.100.tar.gz
 /lcms2-2.16.tar.gz
+/leancrypto-1.6.0.tar.xz
 /less-692.tar.gz
 /lftp-4.9.3.tar.xz
 /libao-1.2.0.tar.gz
diff --git a/build/distfiles/leancrypto-1.6.0.tar.xz.meta4 b/build/distfiles/leancrypto-1.6.0.tar.xz.meta4
new file mode 100644
index 0000000..25065ce
--- /dev/null
+++ b/build/distfiles/leancrypto-1.6.0.tar.xz.meta4
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<metalink xmlns="urn:ietf:params:xml:ns:metalink">
+  <file name="leancrypto-1.6.0.tar.xz">
+    <hash type="blake3-256">66e42a841ead8cb12347c85fd54c23e203a9b31caaa5e575d430128dc04cd639</hash>
+    <hash type="blake2b-512">a7674e8111a633e2abeeb125d7fcba3bca8f4cd8beb9812675f08ab71b1277c2e8dc39500d1d44cf618c1eb65bd0a03e42f32a6ef9767688c0724f51fc54836d</hash>
+    <hash type="blake2b-256">a661202229cc9e9d0a8e40d1f5faac9e5d70a8e58c2ea65f9e159b4d141dd8c8</hash>
+    <hash type="skein-512">c17c1e4fd8e8ce6b2ea9713851a26891b0457496566b46febf1114d31b4193f10081add555431ef5f66c13cf39ddedf7a57691b8412f89b693e8ee3405e0e647</hash>
+    <hash type="shake128">0c07c7ee9424abf3b17698e506dab3f972ca6fe825471df3927b598158108095</hash>
+    <hash type="shake256">41c26dbee4393dcf18137a6fcc05007fe449c9d00b8e8d7b844c8fee81a4c9023deb1593257f73d184f9d1d2793773bef1af15e3f31ecef98a4302a7c1b7d24a</hash>
+    <hash type="sha-512">b1b677ef005497d513b72ced2f4186d97cad12f82817d7bc82d09bbc0e8c0f54ad9496ff95374d61dd3d677ca3bfadc55c29885d04421d20ff58dcab3fc01347</hash>
+    <hash type="sha-256">496188ea1652c83b54963bebb7b6a441564e7f75e5867ee9d3a29710ebc43421</hash>
+    <hash type="streebog-512">f1d317b95498f01e7ea5f5f7f19bd4d418665ee8259fc2e71df5a6103d2215d73d8e26bb15da4249da14ed0ce91a29cef31afe2000154e4f227653bd552629a9</hash>
+    <hash type="streebog-256">c77dbf66ba4c9b504777d83cbbf33e13ce2ce99514856d6832dd022a873fdcb9</hash>
+    <hash type="xxh3-128">d85b39d9494c1e7a2139fb4e443d96aa</hash>
+    <signature mediatype="application/pgp-signature"><![CDATA[
+-----BEGIN PGP SIGNATURE-----
+
+iJEEABMIADkWIQQ0LE46OepfGZCb44quXQ2j/QkjUwUCaPMjfBsUgAAAAAAEAA5t
+YW51MiwyLjUrMS4xMSwzLDIACgkQrl0No/0JI1P3/QD7BnDVzb1nJCpy7f72K0F3
+uckN8MldQi4MD4PD3OGsg6wA/35z7loXAH7F9VYAXa6ualSDtuovA52qywisI+O5
+uhfr
+=qvfM
+-----END PGP SIGNATURE-----
+]]></signature>
+    <size>40197212</size>
+    <url>https://leancrypto.org/leancrypto/releases/leancrypto-1.6.0/leancrypto-1.6.0.tar.xz</url>
+  </file>
+</metalink>
diff --git a/build/skel/security/gnutls-3.8.12.do b/build/skel/security/gnutls-3.8.12.do
index 482b8cf..119847f 100644
--- a/build/skel/security/gnutls-3.8.12.do
+++ b/build/skel/security/gnutls-3.8.12.do
@@ -3,7 +3,12 @@ sname=$1.do . "$BASS_ROOT"/lib/rc
 . "$BASS_ROOT"/build/skel/common.rc
 
 bdeps="rc-paths stow archivers/zstd devel/pkgconf-2.1.1"
-rdeps="dns/libidn2-2.3.7 math/gmp-6.3.0 security/nettle-3.10.1"
+rdeps="
+dns/libidn2-2.3.7
+math/gmp-6.3.0
+security/nettle-3.10.1
+security/leancrypto-1.6.0
+"
 redo-ifchange $bdeps "$DISTFILES"/$NAME.tar.xz $rdeps
 hsh=$("$BASS_ROOT"/build/bin/cksum $BASS_REV $SPATH)
 . "$BASS_ROOT"/build/lib/create-tmp-for-build.rc
@@ -16,10 +21,12 @@ cd $NAME
 if uname -s | grep -q -i freebsd ; then
     patch <"$BASS_ROOT"/build/skel/security/gnutls-3.8.12-crau-fix.patch >&2
 fi
+priority="NORMAL:-VERS-TLS1.0:-VERS-TLS1.1:+GROUP-X25519-MLKEM768"
 ./configure --prefix="$SKELBINS"/$ARCH/$NAME-$hsh \
     --without-tpm --without-p11-kit --enable-static \
     --with-included-unistring --with-included-libtasn1 \
-    --disable-crypto-auditing >&2
+    --disable-crypto-auditing --with-leancrypto \
+    --with-default-priority-string=$priority >&2
 make -j$MAKE_JOBS >&2
 make install >&2
 
diff --git a/build/skel/security/leancrypto-1.6.0.do b/build/skel/security/leancrypto-1.6.0.do
new file mode 100644
index 0000000..067f461
--- /dev/null
+++ b/build/skel/security/leancrypto-1.6.0.do
@@ -0,0 +1,33 @@
+[ -n "$BASS_ROOT" ] || BASS_ROOT="$(dirname "$(realpath -- "$0")")"/../../../..
+sname=$1.do . "$BASS_ROOT"/lib/rc
+. "$BASS_ROOT"/build/skel/common.rc
+
+bdeps="
+rc-paths
+stow
+archivers/zstd
+devel/pkgconf-2.1.1
+devel/ninja-v1.12.1
+lang/Python-3.7.3
+"
+meson=meson-1.7.2
+redo-ifchange $bdeps "$DISTFILES"/$NAME.tar.xz "$DISTFILES"/$meson.tar.gz
+hsh=$("$BASS_ROOT"/build/bin/cksum $BASS_REV $SPATH)
+. "$BASS_ROOT"/build/lib/create-tmp-for-build.rc
+"$BASS_ROOT"/build/bin/pkg-inst $bdeps $rdeps
+. ./rc
+$TAR xf "$DISTFILES"/$meson.tar.gz
+$TAR xf "$DISTFILES"/$NAME.tar.xz
+"$BASS_ROOT"/bin/rm-r "$SKELBINS"/$ARCH/$NAME-$hsh
+
+cd $NAME
+perl -i -npe "s/bash/sh/" addon/generate_header.sh
+for opt in x509_parser x509_generator pkcs7_parser pkcs7_generator ; do
+    perl -i -npe "s/enabled/disabled/ if /$opt/" meson_options.txt
+done
+../$meson/meson.py build --prefix="$SKELBINS"/$ARCH/$NAME-$hsh >&2
+../$meson/meson.py compile -C build >&2
+../$meson/meson.py install -C build >&2
+
+cd "$SKELBINS"/$ARCH
+"$BASS_ROOT"/build/lib/mk-pkg $NAME-$hsh