Log message:
p11-kit: Build fix for older Darwin.

Log message:
reallocarray exists in NetBSD's libc, so AC_CHECK_LIB will find it.
For some reason it is hidden in stdlib.h by _OPENBSD_SOURCE, so add
that to p11-kit's Makefile to avoid coredumps. Fixes PR pkg/53426.

Log message:
Update p11-kit to 0.23.12

0.23.12 (stable)
 * Fix compile error when PKCS#11 GNU calling convention is enabled [PR#160]
 * Fix getauxval() and secure_getenv() emulation on macOS and FreeBSD [PR#167]
 * Build and test fixes on macOS [PR#162, PR#168]

0.23.11 (stable)
 * trust: Add extractor for edk2/cacerts.bin [PR#139]
 * modules: Add option to control module visibility from proxy [PR#140]
 * trust: Prevent trust module being loaded by proxy module [PR#142]
 * library: Use dedicated locale object for printing error [PR#148]
 * Treat CKR_CRYPTOKI_ALREADY_INITIALIZED correctly [PR#134]
 * Improve const correctness for P11KitUri [PR#152]
 * PKCS#11 URI scheme comparison is now case insensitive [PR#156]
 * Build and test fixes [PR#151, PR#149, PR#141, PR#138, PR#135]

Log message:
Fix PLIST on Darwin.

Log message:
p11-kit: update to 0.23.10.

This is a development release, but gnutls needs at least 0.23.x,
so take the latest development release.

0.23.10 (devel)
 * filter: Respect "write-protected" vendor-specific attribute in
   PKCS#11 URI [PR#129]
 * server: Improve shell integration and documentation [PR#107, PR#108]
 * proxy: Reuse existing slot ID mapping in after fork() [PR#120]
 * trust: Forcibly mark "Default Trust" read-only [PR#123]
 * New function p11_kit_override_system_files() which can be used for
   testing [PR#110]
 * trust: Filter out duplicate extensions [PR#69]
 * Update translations [PR#128]
 * Bug fixes [PR#125, PR#126]

0.23.9 (devel)
 * Fix p11-kit server regressions [PR#103, PR#104]
 * trust: Respect anyExtendedKeyUsage in CA certificates [PR#99]
 * Build fixes related to reallocarray [PR#96, PR#98, PR#100]

0.23.8 (devel)
 * Improve vendor query attributes handling in PKCS#11 URI [PR#92]
 * Add OTP and GOST mechanisms to pkcs11.h [PR#90, PR#91]
 * New envvar P11_KIT_NO_USER_CONFIG to stop looking at user
   configurations [PR#87]
 * Build fixes for Solaris and 32-bit big-endian platforms [PR#81, PR#86]

0.23.7 (devel)
 * Fix memory issues with "p11-kit server" [PR#78]
 * Build fixes [PR#77 ...]

0.23.6 (devel)
 * Port "p11-kit server" to Windows and portability fixes of the RPC
   protocol [PR#67, PR#72, PR#74]
 * Recover the old behavior of "trust anchor --remove" [PR#70, PR#71]
 * Build fixes [PR#63 ...]

0.23.5 (devel)
 * Fix license notice of common/unix-peer.c [PR#58]
 * Remove systemd unit files for now [PR#60]
 * Build fixes for FreeBSD [PR#56]

0.23.4 (devel)
 * Recognize query attributes defined in PKCS#11 URI (RFC7512) [PR#31,
   PR#37, PR#52]
 * The trust policy module now recognizes CKA_NSS_MOZILLA_CA_POLICY
   attribute, used by Firefox [#99453, PR#46]
 * Add 'trust dump' command to dump all PKCS#11 objects in the
   persistence format [PR#44]
 * New experimental 'p11-kit server' command that allows PKCS#11
   forwarding through a Unix domain socket.  A client-side module
   p11-kit-client.so is also provided [PR#15]
 * Add systemd unit files for exporting the proxy module through a
   Unix domain socket [PR#35]
 * New P11KitIter API to iterate over slots, tokens, and modules in
   addition to objects [PR#28]
 * libffi dependency is now optional [PR#9]
 * Build fixes for FreeBSD, macOS, and Windows [PR#32, PR#39, PR#45]

0.23.3 (devel)
 * Install private executables in libexecdir [#98817]
 * Fix link error of proxy module on macOS [#98022]
 * Use new PKCS#11 URI specification for URIs [#97245]
 * Support x-init-reserved argument of C_Initialize() in remote modules [#80519]
 * Incorporate changes from PKCS#11 2.40 specification
 * Bump libtool library version
 * Documentation fixes
 * Build fixes [#87192 ...]

0.23.2 (devel)
 * Fix forking issues with libffi [#90289 ...]
 * Updated translations
 * Build fixes [#90827 #89081 #92434 #92520 #92445 #92551 #92843 #92842 #92807 \ 
#93211 ...]

0.23.1 (devel)
 * Use new PKCS#11 URI draft fields for URIs [#86474 #87582]
 * Add pem-directory-hash extract format
 * Build fixes

Log message:
Fix build on SunOS.  From Thomas Merkel in NetBSD/pkgsrc#13.

Log message:
Explicitly depend on the mozilla CA list for providing a trust anchor.
NetBSD doesn't ship a CA bundle by default.

Log message:
Update to 0.22.1

Changelog:
0.22.1 (stable)
 * Use SubjectKeyIdentifier for CKA_ID when available [#84761]
 * Allow 'BEGIN PuBLIC KEY' PEM blocks in .p11-kit files
 * Bump libtool library version
 * Build fixes [#84665 ...]

0.22.0 (stable)
 * Remove the 'isolated = yes' option due to unclear semantics
   replacement forth coming in later versions.
 * Use secure_getenv() where necessary
 * Run separate binary for 'p11-kit remote' command

0.21.3 (unstable)
 * New public pkcs11x.h header containing extensions [#83495]
 * Export necessary defines to lookup attached extensions [#83495]
 * Use term 'attached extensions' rather than 'stabled extensions'
 * Make proxy module respect 'critical = no' [#83651]
 * Show public-key-info in 'trust list --details'
 * Build fixes [#75674 ...]

0.21.2 (unstable)
 * Don't use invalid keys for looking up stapled extensions [#82328]
 * Better error messages when invalid certificate extensions
 * Fix parsing of some odd OpenSSL TRUSTED CERTIFICATE files
 * Fix some leaks, and memory issues
 * Silence some clang scanner warnings
 * Fix build against older pthread implementations [#82617]
 * Move to a non-recursive Makefile
 * Can now specify which tests to run on command line

0.21.1 (unstable)
 * Add new 'isolate' pkcs11 config option [#80472]
 * Add 'p11-kit remote' command for isolating modules [#54105]
 * Don't complain about C_Finalize after a fork
 * Other minor fixes

0.20.3 (stable)
 * Fix problems reinitializing managed modules after fork
 * Fix bad bookeeping when fail initializing one of the modules
 * Fix case where module would be unloaded while in use [#74919]
 * Remove assertions when module used before initialized [#74919]
 * Fix handling of mmap failure and mapping empty files [#74773]
 * Stable p11_kit_be_quiet() and p11_kit_be_loud() functions
 * Require automake 1.12 or later
 * Build fixes for Windows [#76594 #74149]

0.20.2 (stable)
 * Fix bug where blacklist didn't affect extracted ca-anchors if the anchor
   and blacklist were not in the same trust path (regression) [#73558]
 * Check for race in BasicConstraints stapled extension [#69314]
 * autogen.sh now runs configure as srcdir != builddir by default
 * Build fixes and cleanup

0.20.1 (stable)
 * Extract compat trust data after we've changes
 * Skip compat extraction if running as non-root
 * Better failure messages when removing anchors
 * Build cleanup

0.20.0 (stable)
 * Doc fixes

0.19.4 (unstable)
 * 'trust anchor' now adds/removes certificate anchors
 * 'trust list' lists trust policy stuff
 * 'p11-kit extract' is now 'trust extract'
 * 'p11-kit extract-trust' is now 'trust extract-compat'
 * Workarounds for working on broken zfsonlinux.org [#68525]
 * Add --with-module-config parameter to the configure script [#68122]
 * Add support for removing stored PKCS#11 objects in trust module
 * Various debugging tweaks

0.19.3 (unstable)
 * Fix up problems with automake testing
 * Fix a bunch of memory leaks in newly refactored code
 * Don't use _GNU_SOURCE and the unportability it brings
 * Testing fixes

0.19.2 (unstable)
 * Add basic 'trust anchor' command to store a new anchor
 * Support for writing out trust token objects
 * Port to use CKA_PUBLIC_KEY_INFO and updated trust store spec
 * Add option to use freebl for hashing
 * Implement reloading of token data
 * Fix warnings and possible minor bugs higlighted by code scanners
 * Don't load configs in home directories when running setuid or setgid
 * Support treating ~/.config as $XDG_CONFIG_HOME
 * Use $XDG_DATA_HOME/pkcs11 as default user config directory
 * Use $TMPDIR instead of $TEMP while testing
 * Open files and fds with O_CLOEXEC
 * Abort initialization if a critical module fails to load
 * Don't use thread-unsafe functions: strerror, getpwuid
 * Fix p11_kit_space_strlen() result when empty string
 * Refactoring of where various components live
 * Build fixes

0.19.1 (unstable)
 * Refactor API to be able to handle managed modules
 * Deprecate much of old p11-kit API
 * Implement concept of managed modules
 * Make C_CloseAllSessions function work for multiple callers
 * New dependency on libffi
 * Fix possible threading problems reported by hellgrind
 * Add log-calls option
 * Mark p11_kit_message() as a stable function
 * Use our own unit testing framework

0.18.3 (stable)
 * Fix reinitialization of trust module [#65401]
 * Fix crash in trust module C_Initialize
 * Mac OS fixes [#57714]

0.18.2 (stable)
 * Build fixes [#64378 ...]

0.18.1 (stable)
 * Put the external tools in $libdir/p11-kit
 * Documentation build fixes

0.18.0 (stable)
 * Fix use of trust module with gcr and empathy [#62896]
 * Further tweaks to trust module date parsing
 * Fix unaligned memory reads [#62819]
 * Win32 fixes [#63062, #63046]
 * Debug and logging tweaks [#62874]
 * Other build fixes

0.17.5 (unstable)
 * Don't try to guess at overflowing time values on 32-bit systems [#62825]
 * Test fixes [#927394]

0.17.4 (unstable)
 * Check for duplicate certificates in a token, warn and discard [#62548]
 * Implement a proper index so we have decent load performance

0.17.3 (unstable)
 * Use descriptive labels for the trust module tokens [#62534]
 * Remove the temporary built in distrust objects
 * Make extracted output directories and files read-only [#61898]
 * Don't export unneccessary ABI
 * Build fixes [#62479]

0.17.2 (unstable)
 * Fix build on 32-bit linux
 * Fix several crashers

0.17.1 (unstable)
 * Support a p11-kit specific PKCS#11 attribute persistance format [#62156]
 * Use the SHA1 hash of SPKI as the CKA_ID in the trust module by default [#62329]
 * Refactor a trust builder which builds objects out of parsed data [#62329]
 * Combine trust policy when extracting certificates [#61497]
 * The extract --comment option adds comments to PEM bundles [#62029]
 * A new 'priority' config option for ordering modules [#61978]
 * Make each configured path its own trust module token [#61499]
 * Use --with-trust-paths to configure trust module [#62327]
 * Fix bug decoding some PEM files
 * Better debug output for trust module lookups
 * Work around bug in NSS when doing serial number lookups
 * Work around broken strndup() function in firefox
 * Fix the nickname for the distrusted attribute
 * Build fixes

0.16.4 (stable)
 * Display per command help again [#62153]
 * Don't always print tools debug output [#62152]

0.16.3 (stable)
 * When iterating don't skip tokens without the CKF_TOKEN_INITIALIZED flag
 * Hardcode some distrust records for NSS temporarily
 * Parse global options better in the p11-kit command
 * Better debugging

0.16.2 (stable)
 * Fix regression in 'p11-kit extract --purpose' option [#62009]
 * Documentation updates
 * Build fixes [#62001, ...]

0.16.1 (stable)
 * Don't break when cA field of BasicConstraints is missing [#61975]
 * Documentation fixes and updates
 * p11-kit extract-trust is a placeholder script now

0.16.0 (stable)
 * Update the pkcs11.h header for new mechanisms
 * Fix build and tests on mingw64 (ie: win32)
 * Relicense LGPL code to BSD license
 * Documentation tweaks
 * Pull translations from Transifex [#60792]
 * Build fixes [#61739, #60894, #61740]

0.15.2 (unstable)
 * Add German and Finish translations
 * Better define the libtasn1 dependency
 * Crasher and bug fixes
 * Build fixes

0.15.1 (unstable)
 * Fix some memory leaks
 * Add a location for packages to drop module configs
 * Documentation updates and fixes
 * Add command line tool manual page
 * Remove unused err() function and friends
 * Move more code into common/ directory and refactor
 * Add a system trust policy module
 * Refactor how the p11-kit command line tool works
 * Add p11-kit extract and extract-trust commands
 * Don't complain if we cannot access ~/.pkcs11/pkcs11.conf
 * Refuse to load the p11-kit-proxy.so as a registered module
 * Don't fail initialization if last initialized module fails

0.14
 * Change default for user-config to merge
 * Always URI-encode the 'id' attribute in PKCS#11 URIs
 * Expect a .module extension on module configs
 * Windows compatibility fixes
 * Testing fixes
 * Build fixes

0.13
 * Don't allow reading of PIN files larger than 4096 bytes
 * If a module is not marked as critical then ignore init failure
 * Use preconditions to check for input problems and out of memory
 * Add enable-in and disable-in options to module config
 * Fix the flags in pin.h
 * Use gcc extensions to check varargs during compile
 * Fix crasher when a duplicate module is present
 * Fix broken hashmap behavior
 * Testing fixes
 * Win32 build fixes
 * 'p11-kit -h' now works
 * Documentation fixes

0.12
 * Build fix

0.11
 * Remove automatic reinitialization of PKCS#11 after fork

Log message:
Add SHA512 digests for distfiles for security category

Problems found locating distfiles:
	Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
	Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
	Package libidea: missing distfile libidea-0.8.2b.tar.gz
	Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
	Package uvscan: missing distfile vlp4510e.tar.Z

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.

Log message:
Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.