* [gentoo-commits] repo/proj/libressl:master commit in: net-vpn/tor/files/, net-vpn/tor/
@ 2022-03-19 22:32 Quentin Retornaz
0 siblings, 0 replies; 4+ messages in thread
From: Quentin Retornaz @ 2022-03-19 22:32 UTC (permalink / raw
To: gentoo-commits
commit: 47a88659300993df0096c720dd93d9bb914ea5d2
Author: orbea <orbea <AT> riseup <DOT> net>
AuthorDate: Thu Mar 17 14:53:37 2022 +0000
Commit: Quentin Retornaz <gentoo <AT> retornaz <DOT> com>
CommitDate: Sat Mar 19 22:32:34 2022 +0000
URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=47a88659
net-vpn/tor: Added
Signed-off-by: orbea <orbea <AT> riseup.net>
Closes: https://github.com/gentoo/libressl/pull/391
Signed-off-by: Quentin Retornaz <gentoo <AT> retornaz.com>
net-vpn/tor/Manifest | 2 +
net-vpn/tor/files/0.4.6.7-libressl.patch | 123 +++++++++++++++++++++++
net-vpn/tor/files/README.gentoo | 8 ++
net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch | 31 ++++++
net-vpn/tor/files/tor.confd | 3 +
net-vpn/tor/files/tor.initd-r9 | 37 +++++++
net-vpn/tor/files/tor.service | 38 +++++++
net-vpn/tor/files/torrc-r2 | 7 ++
net-vpn/tor/metadata.xml | 13 +++
net-vpn/tor/tor-0.4.6.7.ebuild | 109 ++++++++++++++++++++
10 files changed, 371 insertions(+)
diff --git a/net-vpn/tor/Manifest b/net-vpn/tor/Manifest
new file mode 100644
index 0000000..e10ad5e
--- /dev/null
+++ b/net-vpn/tor/Manifest
@@ -0,0 +1,2 @@
+DIST tor-0.4.6.7.tar.gz 7790727 BLAKE2B da6b0fe0de6a334713cf881dece6ef5a932b0f4374a7dde1e1cb78b4b43944fd6156d84bd98c8be734a7cf81b99cb36187544028c3e4800d38d11d7286d19e12 SHA512 e5f9e235fc4b96f5e63e0bfa4ca412d0d11299a31cb77cae1c199b276d0dfbf3656657ddf910b22625dd49eb726d487666e80e8889db78c9edebbab0d80d9e03
+DIST tor-0.4.6.7.tar.gz.asc 833 BLAKE2B 2054c094cc8ce28bfc8822fa6b0ac5a028b41c96160d135da53112c4fcb7ae048e8d48b58f164dd33c6c7dd851aaa71173b2aa36f70411fc7cc2b67d346ce00b SHA512 d45caaa4795d05f1f1a558192c5eedff608c74be0ef933e0ff7a4f68123a109e38e7fe26222c66dfc8966a07f458eeadf77d7f4731d88389595b59413140e9a3
diff --git a/net-vpn/tor/files/0.4.6.7-libressl.patch b/net-vpn/tor/files/0.4.6.7-libressl.patch
new file mode 100644
index 0000000..d481ae2
--- /dev/null
+++ b/net-vpn/tor/files/0.4.6.7-libressl.patch
@@ -0,0 +1,123 @@
+Fix build with opaque structs in LibreSSL 3.5
+
+Index: src/lib/tls/x509_openssl.c
+--- a/src/lib/tls/x509_openssl.c.orig
++++ b/src/lib/tls/x509_openssl.c
+@@ -329,7 +329,7 @@ tor_tls_cert_is_valid(int severity,
+ cert_key = X509_get_pubkey(cert->cert);
+ if (check_rsa_1024 && cert_key) {
+ RSA *rsa = EVP_PKEY_get1_RSA(cert_key);
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ if (rsa && RSA_bits(rsa) == 1024) {
+ #else
+ if (rsa && BN_num_bits(rsa->n) == 1024) {
+Fix build with opaque structs in LibreSSL 3.5
+
+Index: src/lib/crypt_ops/crypto_rsa_openssl.c
+--- a/src/lib/crypt_ops/crypto_rsa_openssl.c.orig
++++ b/src/lib/crypt_ops/crypto_rsa_openssl.c
+@@ -47,7 +47,7 @@ struct crypto_pk_t
+ int
+ crypto_pk_key_is_private(const crypto_pk_t *k)
+ {
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ if (!k || !k->key)
+ return 0;
+
+@@ -212,7 +212,7 @@ crypto_pk_public_exponent_ok(const crypto_pk_t *env)
+
+ const BIGNUM *e;
+
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ const BIGNUM *n, *d;
+ RSA_get0_key(env->key, &n, &e, &d);
+ #else
+@@ -242,7 +242,7 @@ crypto_pk_cmp_keys(const crypto_pk_t *a, const crypto_
+ const BIGNUM *a_n, *a_e;
+ const BIGNUM *b_n, *b_e;
+
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ const BIGNUM *a_d, *b_d;
+ RSA_get0_key(a->key, &a_n, &a_e, &a_d);
+ RSA_get0_key(b->key, &b_n, &b_e, &b_d);
+@@ -279,7 +279,7 @@ crypto_pk_num_bits(crypto_pk_t *env)
+ tor_assert(env);
+ tor_assert(env->key);
+
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ /* It's so stupid that there's no other way to check that n is valid
+ * before calling RSA_bits().
+ */
+@@ -572,7 +572,7 @@ static bool
+ rsa_private_key_too_long(RSA *rsa, int max_bits)
+ {
+ const BIGNUM *n, *e, *p, *q, *d, *dmp1, *dmq1, *iqmp;
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+
+ #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,1)
+ n = RSA_get0_n(rsa);
+Fix build with opaque structs in LibreSSL 3.5
+
+Index: src/lib/crypt_ops/crypto_dh_openssl.c
+--- a/src/lib/crypt_ops/crypto_dh_openssl.c.orig
++++ b/src/lib/crypt_ops/crypto_dh_openssl.c
+@@ -60,7 +60,7 @@ crypto_validate_dh_params(const BIGNUM *p, const BIGNU
+ /* Copy into a temporary DH object, just so that DH_check() can be called. */
+ if (!(dh = DH_new()))
+ goto out;
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ BIGNUM *dh_p, *dh_g;
+ if (!(dh_p = BN_dup(p)))
+ goto out;
+@@ -223,7 +223,7 @@ new_openssl_dh_from_params(BIGNUM *p, BIGNUM *g)
+ goto err;
+ }
+
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+
+ if (!DH_set0_pqg(res_dh, dh_p, NULL, dh_g)) {
+ goto err;
+@@ -276,7 +276,7 @@ crypto_dh_get_bytes(crypto_dh_t *dh)
+ int
+ crypto_dh_generate_public(crypto_dh_t *dh)
+ {
+-#ifndef OPENSSL_1_1_API
++#if !defined(OPENSSL_1_1_API) && !defined(LIBRESSL_VERSION_NUMBER)
+ again:
+ #endif
+ if (!DH_generate_key(dh->dh)) {
+@@ -286,7 +286,7 @@ crypto_dh_generate_public(crypto_dh_t *dh)
+ return -1;
+ /* LCOV_EXCL_STOP */
+ }
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ /* OpenSSL 1.1.x doesn't appear to let you regenerate a DH key, without
+ * recreating the DH object. I have no idea what sort of aliasing madness
+ * can occur here, so do the check, and just bail on failure.
+@@ -327,7 +327,7 @@ crypto_dh_get_public(crypto_dh_t *dh, char *pubkey, si
+
+ const BIGNUM *dh_pub;
+
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ const BIGNUM *dh_priv;
+ DH_get0_key(dh->dh, &dh_pub, &dh_priv);
+ #else
+@@ -338,7 +338,7 @@ crypto_dh_get_public(crypto_dh_t *dh, char *pubkey, si
+ if (crypto_dh_generate_public(dh)<0)
+ return -1;
+ else {
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ DH_get0_key(dh->dh, &dh_pub, &dh_priv);
+ #else
+ dh_pub = dh->dh->pub_key;
diff --git a/net-vpn/tor/files/README.gentoo b/net-vpn/tor/files/README.gentoo
new file mode 100644
index 0000000..35214ac
--- /dev/null
+++ b/net-vpn/tor/files/README.gentoo
@@ -0,0 +1,8 @@
+We created a configuration file for tor, /etc/tor/torrc, but you can
+change it according to your needs. Use the torrc.sample that is in
+that directory as a guide. Also, to have privoxy work with tor
+just add the following line
+
+forward-socks4a / localhost:9050 .
+
+to /etc/privoxy/config. Notice the . at the end!
diff --git a/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch b/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch
new file mode 100644
index 0000000..5f9e258
--- /dev/null
+++ b/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch
@@ -0,0 +1,31 @@
+diff -Nuar tor-0.2.7.4-rc.orig/src/config/torrc.sample.in tor-0.2.7.4-rc/src/config/torrc.sample.in
+--- tor-0.2.7.4-rc.orig/src/config/torrc.sample.in 2015-10-19 11:12:53.000000000 -0400
++++ tor-0.2.7.4-rc/src/config/torrc.sample.in 2015-10-21 21:18:49.151973113 -0400
+@@ -12,6 +12,11 @@
+ ## Tor will look for this file in various places based on your platform:
+ ## https://www.torproject.org/docs/faq#torrc
+
++## Default username and group the server will run as
++User tor
++
++PIDFile /run/tor/tor.pid
++
+ ## Tor opens a SOCKS proxy on port 9050 by default -- even if you don't
+ ## configure one below. Set "SOCKSPort 0" if you plan to run Tor only
+ ## as a relay, and not make any local application connections yourself.
+@@ -42,6 +47,7 @@
+ #Log notice syslog
+ ## To send all messages to stderr:
+ #Log debug stderr
++Log warn syslog
+
+ ## Uncomment this to start the process in the background... or use
+ ## --runasdaemon 1 on the command line. This is ignored on Windows;
+@@ -51,6 +57,7 @@
+ ## The directory for keeping all the keys/etc. By default, we store
+ ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
+ #DataDirectory @LOCALSTATEDIR@/lib/tor
++DataDirectory /var/lib/tor/data
+
+ ## The port on which Tor will listen for local connections from Tor
+ ## controller applications, as documented in control-spec.txt.
diff --git a/net-vpn/tor/files/tor.confd b/net-vpn/tor/files/tor.confd
new file mode 100644
index 0000000..4195bf3
--- /dev/null
+++ b/net-vpn/tor/files/tor.confd
@@ -0,0 +1,3 @@
+#
+# Set the file limit
+rc_ulimit="-n 30000"
diff --git a/net-vpn/tor/files/tor.initd-r9 b/net-vpn/tor/files/tor.initd-r9
new file mode 100644
index 0000000..c1639c2
--- /dev/null
+++ b/net-vpn/tor/files/tor.initd-r9
@@ -0,0 +1,37 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+command=/usr/bin/tor
+pidfile=/run/tor/tor.pid
+command_args="--hush --runasdaemon 1 --pidfile \"${pidfile}\""
+retry=${GRACEFUL_TIMEOUT:-60}
+stopsig=INT
+command_progress=yes
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+description="Anonymizing overlay network for TCP"
+description_checkconfig="Check for valid config file"
+description_reload="Reload the configuration"
+
+checkconfig() {
+ ${command} --verify-config --hush > /dev/null 2>&1
+ if [ $? -ne 0 ] ; then
+ eerror "Tor configuration (/etc/tor/torrc) is not valid."
+ eerror "Example is in /etc/tor/torrc.sample"
+ return 1
+ fi
+}
+
+start_pre() {
+ checkconfig || return 1
+ checkpath -d -m 0755 -o tor:tor /run/tor
+}
+
+reload() {
+ checkconfig || return 1
+ ebegin "Reloading Tor configuration"
+ start-stop-daemon -s HUP --pidfile ${pidfile}
+ eend $?
+}
diff --git a/net-vpn/tor/files/tor.service b/net-vpn/tor/files/tor.service
new file mode 100644
index 0000000..1663824
--- /dev/null
+++ b/net-vpn/tor/files/tor.service
@@ -0,0 +1,38 @@
+# tor.service -- this systemd configuration file for Tor sets up a
+# relatively conservative, hardened Tor service. You may need to
+# edit it if you are making changes to your Tor configuration that it
+# does not allow. Package maintainers: this should be a starting point
+# for your tor.service; it is not the last point.
+
+[Unit]
+Description=Anonymizing overlay network for TCP
+After=syslog.target network.target nss-lookup.target
+
+[Service]
+Type=notify
+NotifyAccess=all
+ExecStartPre=/usr/bin/tor -f /etc/tor/torrc --verify-config
+ExecStart=/usr/bin/tor -f /etc/tor/torrc
+ExecReload=/bin/kill -HUP ${MAINPID}
+KillSignal=SIGINT
+TimeoutSec=60
+Restart=on-failure
+WatchdogSec=1m
+LimitNOFILE=32768
+
+# Hardening
+Group=tor
+RuntimeDirectory=tor
+RuntimeDirectoryMode=0770
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=-/var/lib/tor
+ReadWriteDirectories=-/var/log/tor
+NoNewPrivileges=yes
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-vpn/tor/files/torrc-r2 b/net-vpn/tor/files/torrc-r2
new file mode 100644
index 0000000..b308104
--- /dev/null
+++ b/net-vpn/tor/files/torrc-r2
@@ -0,0 +1,7 @@
+#
+# Minimal torrc so tor will work out of the box
+#
+User tor
+PIDFile /run/tor/tor.pid
+Log notice syslog
+DataDirectory /var/lib/tor/data
diff --git a/net-vpn/tor/metadata.xml b/net-vpn/tor/metadata.xml
new file mode 100644
index 0000000..c1b2764
--- /dev/null
+++ b/net-vpn/tor/metadata.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer type="person">
+ <email>blueness@gentoo.org</email>
+ <name>Anthony G. Basile</name>
+ </maintainer>
+ <use>
+ <flag name="scrypt">Use <pkg>app-crypt/libscrypt</pkg> for the scrypt algorithm</flag>
+ <flag name="server">Enable tor's relay module so it can operate as a relay/bridge/authority</flag>
+ <flag name="tor-hardening">Compile tor with hardening on vanilla compilers/linkers</flag>
+ </use>
+</pkgmetadata>
diff --git a/net-vpn/tor/tor-0.4.6.7.ebuild b/net-vpn/tor/tor-0.4.6.7.ebuild
new file mode 100644
index 0000000..e29cdd7
--- /dev/null
+++ b/net-vpn/tor/tor-0.4.6.7.ebuild
@@ -0,0 +1,109 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+PYTHON_COMPAT=( python3_{8,9} )
+inherit flag-o-matic python-any-r1 readme.gentoo-r1 systemd verify-sig
+
+MY_PV="$(ver_rs 4 -)"
+MY_PF="${PN}-${MY_PV}"
+DESCRIPTION="Anonymizing overlay network for TCP"
+HOMEPAGE="https://www.torproject.org/"
+SRC_URI="https://www.torproject.org/dist/${MY_PF}.tar.gz
+ https://archive.torproject.org/tor-package-archive/${MY_PF}.tar.gz
+ verify-sig? ( https://dist.torproject.org/${MY_PF}.tar.gz.asc )"
+S="${WORKDIR}/${MY_PF}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+if [[ ${PV} != *_alpha* && ${PV} != *_beta* && ${PV} != *_rc* ]]; then
+ KEYWORDS="amd64 arm arm64 ~mips ppc ppc64 ~riscv x86 ~ppc-macos"
+fi
+IUSE="caps doc lzma +man scrypt seccomp selinux +server systemd tor-hardening test zstd"
+VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/torproject.org.asc
+
+BDEPEND="verify-sig? ( sec-keys/openpgp-keys-tor )"
+DEPEND="
+ dev-libs/libevent:=[ssl]
+ sys-libs/zlib
+ caps? ( sys-libs/libcap )
+ man? ( app-text/asciidoc )
+ dev-libs/openssl:0=[-bindist(-)]
+ lzma? ( app-arch/xz-utils )
+ scrypt? ( app-crypt/libscrypt )
+ seccomp? ( >=sys-libs/libseccomp-2.4.1 )
+ systemd? ( sys-apps/systemd )
+ zstd? ( app-arch/zstd )"
+RDEPEND="
+ acct-user/tor
+ acct-group/tor
+ ${DEPEND}
+ selinux? ( sec-policy/selinux-tor )"
+
+# bug #764260
+DEPEND+="
+ test? (
+ ${DEPEND}
+ ${PYTHON_DEPS}
+ )"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-0.2.7.4-torrc.sample.patch
+ "${FILESDIR}"/${PV}-libressl.patch
+)
+
+DOCS=()
+
+RESTRICT="!test? ( test )"
+
+pkg_setup() {
+ use test && python-any-r1_pkg_setup
+}
+
+src_configure() {
+ use doc && DOCS+=( README ChangeLog ReleaseNotes doc/HACKING )
+ export ac_cv_lib_cap_cap_init=$(usex caps)
+ econf \
+ --localstatedir="${EPREFIX}/var" \
+ --disable-all-bugs-are-fatal \
+ --enable-system-torrc \
+ --disable-android \
+ --disable-html-manual \
+ --disable-libfuzzer \
+ --enable-missing-doc-warnings \
+ --disable-module-dirauth \
+ --enable-pic \
+ --disable-rust \
+ --disable-restart-debugging \
+ --disable-zstd-advanced-apis \
+ $(use_enable man asciidoc) \
+ $(use_enable man manpage) \
+ $(use_enable lzma) \
+ $(use_enable scrypt libscrypt) \
+ $(use_enable seccomp) \
+ $(use_enable server module-relay) \
+ $(use_enable systemd) \
+ $(use_enable tor-hardening gcc-hardening) \
+ $(use_enable tor-hardening linker-hardening) \
+ $(use_enable test unittests) \
+ $(use_enable test coverage) \
+ $(use_enable zstd)
+}
+
+src_install() {
+ default
+ readme.gentoo_create_doc
+
+ newconfd "${FILESDIR}"/tor.confd tor
+ newinitd "${FILESDIR}"/tor.initd-r9 tor
+ systemd_dounit "${FILESDIR}"/tor.service
+
+ keepdir /var/lib/tor
+
+ fperms 750 /var/lib/tor
+ fowners tor:tor /var/lib/tor
+
+ insinto /etc/tor/
+ newins "${FILESDIR}"/torrc-r2 torrc
+}
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [gentoo-commits] repo/proj/libressl:master commit in: net-vpn/tor/files/, net-vpn/tor/
@ 2023-04-26 15:28 orbea
0 siblings, 0 replies; 4+ messages in thread
From: orbea @ 2023-04-26 15:28 UTC (permalink / raw
To: gentoo-commits
commit: 5443c47ba7bbf6a875fd5e5e02ae93d1a3f20128
Author: orbea <orbea <AT> riseup <DOT> net>
AuthorDate: Wed Apr 26 15:25:20 2023 +0000
Commit: orbea <orbea <AT> riseup <DOT> net>
CommitDate: Wed Apr 26 15:25:32 2023 +0000
URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=5443c47b
net-vpn/tor: treeclean
Bug: https://bugs.gentoo.org/903001
Upstream-PR: https://github.com/gentoo/gentoo/pull/30622
Upstream-Commit: https://github.com/gentoo/gentoo/commit/93d2cce2f2111f1c219587443a1b676ce2ff561c
Signed-off-by: orbea <orbea <AT> riseup.net>
net-vpn/tor/Manifest | 3 -
net-vpn/tor/files/README.gentoo | 8 --
net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch | 31 -----
net-vpn/tor/files/tor-0.4.6.7-libressl.patch | 123 --------------------
net-vpn/tor/files/tor.confd | 3 -
net-vpn/tor/files/tor.initd-r9 | 37 ------
net-vpn/tor/files/tor.service | 38 -------
net-vpn/tor/files/torrc-r2 | 7 --
net-vpn/tor/metadata.xml | 17 ---
net-vpn/tor/tor-0.4.7.13-r1.ebuild | 138 -----------------------
10 files changed, 405 deletions(-)
diff --git a/net-vpn/tor/Manifest b/net-vpn/tor/Manifest
deleted file mode 100644
index 05ebc39..0000000
--- a/net-vpn/tor/Manifest
+++ /dev/null
@@ -1,3 +0,0 @@
-DIST tor-0.4.7.13.tar.gz 8031948 BLAKE2B 338a0a541423f27f594a091307b5edeafc9826bb651c2bd050f3282c9355d9d43d1ef4791f3c98a37dc4c0f64bc40925ea1c1e32cbdff78b1a7308df501f279a SHA512 0900416887afbb24f7b72e6ef181b7b01308d1bb35c37736f3b13e06810a07febf9f47fadd9ff6c0e73204d93b49545e4e2516906eb3ba74398ad2b299f530be
-DIST tor-0.4.7.13.tar.gz.sha256sum 86 BLAKE2B 339db9869bfe485cbd328fe942cc23e60c08ad67fc2d9e7927ed3c9f3b606192e5efac34013c5bf0b0e8b26e957dcf8b586e1cc0a0c27756b8b3d823af37fdee SHA512 ec1d19fa662255df5dd575ba943f4ccb30d9dfa49ff656cdfa73df2d24248b52a3bfd715f4d3efe11d8129968b0e06e3c75e8d82416e1807020ebf65f65401a0
-DIST tor-0.4.7.13.tar.gz.sha256sum.asc 716 BLAKE2B 968a3852293ab9bcadac626862c9dc360b17de5afd00af7c46358fa2adfc03b55c02dfe029e9427efba999f553489a04388b395e8fb8fe16325e0895663c2deb SHA512 eb78e8369941d8de833e3616a9a1c1e59b0d3dde918353e2f4fa5eb5da09f038238c46f5e180844bd3cba1211a9daa6d60e9ddb5690998e27a6b7d1616aa20cc
diff --git a/net-vpn/tor/files/README.gentoo b/net-vpn/tor/files/README.gentoo
deleted file mode 100644
index 35214ac..0000000
--- a/net-vpn/tor/files/README.gentoo
+++ /dev/null
@@ -1,8 +0,0 @@
-We created a configuration file for tor, /etc/tor/torrc, but you can
-change it according to your needs. Use the torrc.sample that is in
-that directory as a guide. Also, to have privoxy work with tor
-just add the following line
-
-forward-socks4a / localhost:9050 .
-
-to /etc/privoxy/config. Notice the . at the end!
diff --git a/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch b/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch
deleted file mode 100644
index 5f9e258..0000000
--- a/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-diff -Nuar tor-0.2.7.4-rc.orig/src/config/torrc.sample.in tor-0.2.7.4-rc/src/config/torrc.sample.in
---- tor-0.2.7.4-rc.orig/src/config/torrc.sample.in 2015-10-19 11:12:53.000000000 -0400
-+++ tor-0.2.7.4-rc/src/config/torrc.sample.in 2015-10-21 21:18:49.151973113 -0400
-@@ -12,6 +12,11 @@
- ## Tor will look for this file in various places based on your platform:
- ## https://www.torproject.org/docs/faq#torrc
-
-+## Default username and group the server will run as
-+User tor
-+
-+PIDFile /run/tor/tor.pid
-+
- ## Tor opens a SOCKS proxy on port 9050 by default -- even if you don't
- ## configure one below. Set "SOCKSPort 0" if you plan to run Tor only
- ## as a relay, and not make any local application connections yourself.
-@@ -42,6 +47,7 @@
- #Log notice syslog
- ## To send all messages to stderr:
- #Log debug stderr
-+Log warn syslog
-
- ## Uncomment this to start the process in the background... or use
- ## --runasdaemon 1 on the command line. This is ignored on Windows;
-@@ -51,6 +57,7 @@
- ## The directory for keeping all the keys/etc. By default, we store
- ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
- #DataDirectory @LOCALSTATEDIR@/lib/tor
-+DataDirectory /var/lib/tor/data
-
- ## The port on which Tor will listen for local connections from Tor
- ## controller applications, as documented in control-spec.txt.
diff --git a/net-vpn/tor/files/tor-0.4.6.7-libressl.patch b/net-vpn/tor/files/tor-0.4.6.7-libressl.patch
deleted file mode 100644
index d481ae2..0000000
--- a/net-vpn/tor/files/tor-0.4.6.7-libressl.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-Fix build with opaque structs in LibreSSL 3.5
-
-Index: src/lib/tls/x509_openssl.c
---- a/src/lib/tls/x509_openssl.c.orig
-+++ b/src/lib/tls/x509_openssl.c
-@@ -329,7 +329,7 @@ tor_tls_cert_is_valid(int severity,
- cert_key = X509_get_pubkey(cert->cert);
- if (check_rsa_1024 && cert_key) {
- RSA *rsa = EVP_PKEY_get1_RSA(cert_key);
--#ifdef OPENSSL_1_1_API
-+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
- if (rsa && RSA_bits(rsa) == 1024) {
- #else
- if (rsa && BN_num_bits(rsa->n) == 1024) {
-Fix build with opaque structs in LibreSSL 3.5
-
-Index: src/lib/crypt_ops/crypto_rsa_openssl.c
---- a/src/lib/crypt_ops/crypto_rsa_openssl.c.orig
-+++ b/src/lib/crypt_ops/crypto_rsa_openssl.c
-@@ -47,7 +47,7 @@ struct crypto_pk_t
- int
- crypto_pk_key_is_private(const crypto_pk_t *k)
- {
--#ifdef OPENSSL_1_1_API
-+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
- if (!k || !k->key)
- return 0;
-
-@@ -212,7 +212,7 @@ crypto_pk_public_exponent_ok(const crypto_pk_t *env)
-
- const BIGNUM *e;
-
--#ifdef OPENSSL_1_1_API
-+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
- const BIGNUM *n, *d;
- RSA_get0_key(env->key, &n, &e, &d);
- #else
-@@ -242,7 +242,7 @@ crypto_pk_cmp_keys(const crypto_pk_t *a, const crypto_
- const BIGNUM *a_n, *a_e;
- const BIGNUM *b_n, *b_e;
-
--#ifdef OPENSSL_1_1_API
-+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
- const BIGNUM *a_d, *b_d;
- RSA_get0_key(a->key, &a_n, &a_e, &a_d);
- RSA_get0_key(b->key, &b_n, &b_e, &b_d);
-@@ -279,7 +279,7 @@ crypto_pk_num_bits(crypto_pk_t *env)
- tor_assert(env);
- tor_assert(env->key);
-
--#ifdef OPENSSL_1_1_API
-+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
- /* It's so stupid that there's no other way to check that n is valid
- * before calling RSA_bits().
- */
-@@ -572,7 +572,7 @@ static bool
- rsa_private_key_too_long(RSA *rsa, int max_bits)
- {
- const BIGNUM *n, *e, *p, *q, *d, *dmp1, *dmq1, *iqmp;
--#ifdef OPENSSL_1_1_API
-+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
-
- #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,1)
- n = RSA_get0_n(rsa);
-Fix build with opaque structs in LibreSSL 3.5
-
-Index: src/lib/crypt_ops/crypto_dh_openssl.c
---- a/src/lib/crypt_ops/crypto_dh_openssl.c.orig
-+++ b/src/lib/crypt_ops/crypto_dh_openssl.c
-@@ -60,7 +60,7 @@ crypto_validate_dh_params(const BIGNUM *p, const BIGNU
- /* Copy into a temporary DH object, just so that DH_check() can be called. */
- if (!(dh = DH_new()))
- goto out;
--#ifdef OPENSSL_1_1_API
-+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
- BIGNUM *dh_p, *dh_g;
- if (!(dh_p = BN_dup(p)))
- goto out;
-@@ -223,7 +223,7 @@ new_openssl_dh_from_params(BIGNUM *p, BIGNUM *g)
- goto err;
- }
-
--#ifdef OPENSSL_1_1_API
-+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
-
- if (!DH_set0_pqg(res_dh, dh_p, NULL, dh_g)) {
- goto err;
-@@ -276,7 +276,7 @@ crypto_dh_get_bytes(crypto_dh_t *dh)
- int
- crypto_dh_generate_public(crypto_dh_t *dh)
- {
--#ifndef OPENSSL_1_1_API
-+#if !defined(OPENSSL_1_1_API) && !defined(LIBRESSL_VERSION_NUMBER)
- again:
- #endif
- if (!DH_generate_key(dh->dh)) {
-@@ -286,7 +286,7 @@ crypto_dh_generate_public(crypto_dh_t *dh)
- return -1;
- /* LCOV_EXCL_STOP */
- }
--#ifdef OPENSSL_1_1_API
-+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
- /* OpenSSL 1.1.x doesn't appear to let you regenerate a DH key, without
- * recreating the DH object. I have no idea what sort of aliasing madness
- * can occur here, so do the check, and just bail on failure.
-@@ -327,7 +327,7 @@ crypto_dh_get_public(crypto_dh_t *dh, char *pubkey, si
-
- const BIGNUM *dh_pub;
-
--#ifdef OPENSSL_1_1_API
-+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
- const BIGNUM *dh_priv;
- DH_get0_key(dh->dh, &dh_pub, &dh_priv);
- #else
-@@ -338,7 +338,7 @@ crypto_dh_get_public(crypto_dh_t *dh, char *pubkey, si
- if (crypto_dh_generate_public(dh)<0)
- return -1;
- else {
--#ifdef OPENSSL_1_1_API
-+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
- DH_get0_key(dh->dh, &dh_pub, &dh_priv);
- #else
- dh_pub = dh->dh->pub_key;
diff --git a/net-vpn/tor/files/tor.confd b/net-vpn/tor/files/tor.confd
deleted file mode 100644
index 4195bf3..0000000
--- a/net-vpn/tor/files/tor.confd
+++ /dev/null
@@ -1,3 +0,0 @@
-#
-# Set the file limit
-rc_ulimit="-n 30000"
diff --git a/net-vpn/tor/files/tor.initd-r9 b/net-vpn/tor/files/tor.initd-r9
deleted file mode 100644
index c1639c2..0000000
--- a/net-vpn/tor/files/tor.initd-r9
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-command=/usr/bin/tor
-pidfile=/run/tor/tor.pid
-command_args="--hush --runasdaemon 1 --pidfile \"${pidfile}\""
-retry=${GRACEFUL_TIMEOUT:-60}
-stopsig=INT
-command_progress=yes
-
-extra_commands="checkconfig"
-extra_started_commands="reload"
-description="Anonymizing overlay network for TCP"
-description_checkconfig="Check for valid config file"
-description_reload="Reload the configuration"
-
-checkconfig() {
- ${command} --verify-config --hush > /dev/null 2>&1
- if [ $? -ne 0 ] ; then
- eerror "Tor configuration (/etc/tor/torrc) is not valid."
- eerror "Example is in /etc/tor/torrc.sample"
- return 1
- fi
-}
-
-start_pre() {
- checkconfig || return 1
- checkpath -d -m 0755 -o tor:tor /run/tor
-}
-
-reload() {
- checkconfig || return 1
- ebegin "Reloading Tor configuration"
- start-stop-daemon -s HUP --pidfile ${pidfile}
- eend $?
-}
diff --git a/net-vpn/tor/files/tor.service b/net-vpn/tor/files/tor.service
deleted file mode 100644
index 1663824..0000000
--- a/net-vpn/tor/files/tor.service
+++ /dev/null
@@ -1,38 +0,0 @@
-# tor.service -- this systemd configuration file for Tor sets up a
-# relatively conservative, hardened Tor service. You may need to
-# edit it if you are making changes to your Tor configuration that it
-# does not allow. Package maintainers: this should be a starting point
-# for your tor.service; it is not the last point.
-
-[Unit]
-Description=Anonymizing overlay network for TCP
-After=syslog.target network.target nss-lookup.target
-
-[Service]
-Type=notify
-NotifyAccess=all
-ExecStartPre=/usr/bin/tor -f /etc/tor/torrc --verify-config
-ExecStart=/usr/bin/tor -f /etc/tor/torrc
-ExecReload=/bin/kill -HUP ${MAINPID}
-KillSignal=SIGINT
-TimeoutSec=60
-Restart=on-failure
-WatchdogSec=1m
-LimitNOFILE=32768
-
-# Hardening
-Group=tor
-RuntimeDirectory=tor
-RuntimeDirectoryMode=0770
-PrivateTmp=yes
-PrivateDevices=yes
-ProtectHome=yes
-ProtectSystem=full
-ReadOnlyDirectories=/
-ReadWriteDirectories=-/var/lib/tor
-ReadWriteDirectories=-/var/log/tor
-NoNewPrivileges=yes
-CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
-
-[Install]
-WantedBy=multi-user.target
diff --git a/net-vpn/tor/files/torrc-r2 b/net-vpn/tor/files/torrc-r2
deleted file mode 100644
index b308104..0000000
--- a/net-vpn/tor/files/torrc-r2
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# Minimal torrc so tor will work out of the box
-#
-User tor
-PIDFile /run/tor/tor.pid
-Log notice syslog
-DataDirectory /var/lib/tor/data
diff --git a/net-vpn/tor/metadata.xml b/net-vpn/tor/metadata.xml
deleted file mode 100644
index fcc4644..0000000
--- a/net-vpn/tor/metadata.xml
+++ /dev/null
@@ -1,17 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
-<pkgmetadata>
- <maintainer type="person">
- <email>ajak@gentoo.org</email>
- <name>John Helmert III</name>
- </maintainer>
- <maintainer type="person">
- <email>sam@gentoo.org</email>
- <name>Sam James</name>
- </maintainer>
- <use>
- <flag name="scrypt">Use <pkg>app-crypt/libscrypt</pkg> for the scrypt algorithm</flag>
- <flag name="server">Enable tor's relay module so it can operate as a relay/bridge/authority</flag>
- <flag name="tor-hardening">Compile tor with hardening on vanilla compilers/linkers</flag>
- </use>
-</pkgmetadata>
diff --git a/net-vpn/tor/tor-0.4.7.13-r1.ebuild b/net-vpn/tor/tor-0.4.7.13-r1.ebuild
deleted file mode 100644
index f9b6f8e..0000000
--- a/net-vpn/tor/tor-0.4.7.13-r1.ebuild
+++ /dev/null
@@ -1,138 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{9..11} )
-VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/torproject.org.asc
-inherit python-any-r1 readme.gentoo-r1 systemd verify-sig
-
-MY_PV="$(ver_rs 4 -)"
-MY_PF="${PN}-${MY_PV}"
-DESCRIPTION="Anonymizing overlay network for TCP"
-HOMEPAGE="https://www.torproject.org/ https://gitlab.torproject.org/tpo/core/tor/"
-SRC_URI="
- https://www.torproject.org/dist/${MY_PF}.tar.gz
- https://archive.torproject.org/tor-package-archive/${MY_PF}.tar.gz
- verify-sig? (
- https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum
- https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum.asc
- )
-"
-S="${WORKDIR}/${MY_PF}"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-if [[ ${PV} != *_alpha* && ${PV} != *_beta* && ${PV} != *_rc* ]]; then
- KEYWORDS="amd64 arm arm64 ~hppa ~mips ppc ppc64 ~riscv ~sparc x86 ~ppc-macos"
-fi
-IUSE="caps doc lzma +man scrypt seccomp selinux +server systemd tor-hardening test zstd"
-RESTRICT="!test? ( test )"
-
-DEPEND="
- >=dev-libs/libevent-2.1.12-r1:=[ssl]
- sys-libs/zlib
- caps? ( sys-libs/libcap )
- man? ( app-text/asciidoc )
- dev-libs/openssl:=[-bindist(-)]
- lzma? ( app-arch/xz-utils )
- scrypt? ( app-crypt/libscrypt )
- seccomp? ( >=sys-libs/libseccomp-2.4.1 )
- systemd? ( sys-apps/systemd )
- zstd? ( app-arch/zstd )
-"
-RDEPEND="
- acct-user/tor
- acct-group/tor
- ${DEPEND}
- selinux? ( sec-policy/selinux-tor )
-"
-DEPEND+="
- test? (
- ${DEPEND}
- ${PYTHON_DEPS}
- )
-"
-BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-tor-20221213 )"
-
-DOCS=()
-
-PATCHES=(
- "${FILESDIR}"/${PN}-0.4.6.7-libressl.patch
- "${FILESDIR}"/${PN}-0.2.7.4-torrc.sample.patch
-)
-
-pkg_setup() {
- use test && python-any-r1_pkg_setup
-}
-
-src_unpack() {
- if use verify-sig; then
- cd "${DISTDIR}" || die
- verify-sig_verify_detached ${MY_PF}.tar.gz.sha256sum{,.asc}
- verify-sig_verify_unsigned_checksums \
- ${MY_PF}.tar.gz.sha256sum sha256 ${MY_PF}.tar.gz
- cd "${WORKDIR}" || die
- fi
-
- default
-}
-
-src_prepare() {
- default
-
- # Running shellcheck automagically isn't useful for ebuild testing.
- echo "exit 0" > scripts/maint/checkShellScripts.sh || die
-}
-
-src_configure() {
- use doc && DOCS+=( README.md ChangeLog ReleaseNotes doc/HACKING )
-
- export ac_cv_lib_cap_cap_init=$(usex caps)
- export tor_cv_PYTHON="${EPYTHON}"
-
- local myeconfargs=(
- --localstatedir="${EPREFIX}/var"
- --disable-all-bugs-are-fatal
- --enable-system-torrc
- --disable-android
- --disable-coverage
- --disable-html-manual
- --disable-libfuzzer
- --enable-missing-doc-warnings
- --disable-module-dirauth
- --enable-pic
- --disable-restart-debugging
- --disable-zstd-advanced-apis
- $(use_enable man asciidoc)
- $(use_enable man manpage)
- $(use_enable lzma)
- $(use_enable scrypt libscrypt)
- $(use_enable seccomp)
- $(use_enable server module-relay)
- $(use_enable systemd)
- $(use_enable tor-hardening gcc-hardening)
- $(use_enable tor-hardening linker-hardening)
- $(use_enable test unittests)
- $(use_enable zstd)
- )
-
- econf "${myeconfargs[@]}"
-}
-
-src_install() {
- default
- readme.gentoo_create_doc
-
- newconfd "${FILESDIR}"/tor.confd tor
- newinitd "${FILESDIR}"/tor.initd-r9 tor
- systemd_dounit "${FILESDIR}"/tor.service
-
- keepdir /var/lib/tor
-
- fperms 750 /var/lib/tor
- fowners tor:tor /var/lib/tor
-
- insinto /etc/tor/
- newins "${FILESDIR}"/torrc-r2 torrc
-}
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [gentoo-commits] repo/proj/libressl:master commit in: net-vpn/tor/files/, net-vpn/tor/
@ 2023-12-29 14:54 orbea
0 siblings, 0 replies; 4+ messages in thread
From: orbea @ 2023-12-29 14:54 UTC (permalink / raw
To: gentoo-commits
commit: 208e5e41e74d60e416bffac4e9e71906203c7484
Author: orbea <orbea <AT> riseup <DOT> net>
AuthorDate: Fri Dec 29 14:24:27 2023 +0000
Commit: orbea <orbea <AT> riseup <DOT> net>
CommitDate: Fri Dec 29 14:24:27 2023 +0000
URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=208e5e41
net-vpn/tor: add 0.4.7.16-r1
Signed-off-by: orbea <orbea <AT> riseup.net>
net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch | 337 +++++++++++++++++++++
net-vpn/tor/tor-0.4.7.16-r1.ebuild | 170 +++++++++++
2 files changed, 507 insertions(+)
diff --git a/net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch b/net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch
new file mode 100644
index 0000000..2b473bf
--- /dev/null
+++ b/net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch
@@ -0,0 +1,337 @@
+From https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/574
+Gentoo Bug: https://bugs.gentoo.org/920063
+From: Pierre Bourdon <delroth@gmail.com>
+Date: Sat, 30 Apr 2022 11:52:59 +0200
+Subject: [PATCH 1/4] sandbox: fix openat filtering on AArch64
+
+New glibc versions not sign-extending 32 bit negative constants seems to
+not be a thing on AArch64. I suspect that this might not be the only
+architecture where the sign-extensions is happening, and the correct fix
+might be instead to use a proper 32 bit comparison for the first openat
+parameter. For now, band-aid fix this so the sandbox can work again on
+AArch64.
+--- a/src/lib/sandbox/sandbox.c
++++ b/src/lib/sandbox/sandbox.c
+@@ -518,7 +518,12 @@ libc_uses_openat_for_opendir(void)
+ static int
+ libc_negative_constant_needs_cast(void)
+ {
++#if defined(__aarch64__) && defined(__LP64__)
++ /* Existing glibc versions always sign-extend to 64 bits on AArch64. */
++ return 0;
++#else
+ return is_libc_at_least(2, 27);
++#endif
+ }
+
+ /** Allow a single file to be opened. If <b>use_openat</b> is true,
+--
+GitLab
+
+
+From 8fd13f7a7bfd4efc02d888ce9d10bcb6a80a03c8 Mon Sep 17 00:00:00 2001
+From: Pierre Bourdon <delroth@gmail.com>
+Date: Sat, 30 Apr 2022 13:02:16 +0200
+Subject: [PATCH 2/4] sandbox: filter {chown,chmod,rename} via their *at
+ variant on Aarch64
+
+The chown/chmod/rename syscalls have never existed on AArch64, and libc
+implements the POSIX functions via the fchownat/fchmodat/renameat
+syscalls instead.
+
+Add new filter functions for fchownat/fchmodat/renameat, not made
+architecture specific since the syscalls exists everywhere else too.
+However, in order to limit seccomp filter space usage, we only insert
+rules for one of {chown, chown32, fchownat} depending on the
+architecture (resp. {chmod, fchmodat}, {rename, renameat}).
+--- a/src/lib/sandbox/sandbox.c
++++ b/src/lib/sandbox/sandbox.c
+@@ -614,6 +614,32 @@ sb_chmod(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+ return 0;
+ }
+
++static int
++sb_fchmodat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
++{
++ int rc;
++ sandbox_cfg_t *elem = NULL;
++
++ // for each dynamic parameter filters
++ for (elem = filter; elem != NULL; elem = elem->next) {
++ smp_param_t *param = elem->param;
++
++ if (param != NULL && param->prot == 1 && param->syscall
++ == SCMP_SYS(fchmodat)) {
++ rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchmodat),
++ SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
++ SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
++ if (rc != 0) {
++ log_err(LD_BUG,"(Sandbox) failed to add fchmodat syscall, received "
++ "libseccomp error %d", rc);
++ return rc;
++ }
++ }
++ }
++
++ return 0;
++}
++
+ #ifdef __i386__
+ static int
+ sb_chown32(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+@@ -666,6 +692,32 @@ sb_chown(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+ }
+ #endif /* defined(__i386__) */
+
++static int
++sb_fchownat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
++{
++ int rc;
++ sandbox_cfg_t *elem = NULL;
++
++ // for each dynamic parameter filters
++ for (elem = filter; elem != NULL; elem = elem->next) {
++ smp_param_t *param = elem->param;
++
++ if (param != NULL && param->prot == 1 && param->syscall
++ == SCMP_SYS(fchownat)) {
++ rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchownat),
++ SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
++ SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
++ if (rc != 0) {
++ log_err(LD_BUG,"(Sandbox) failed to add fchownat syscall, received "
++ "libseccomp error %d", rc);
++ return rc;
++ }
++ }
++ }
++
++ return 0;
++}
++
+ /**
+ * Function responsible for setting up the rename syscall for
+ * the seccomp filter sandbox.
+@@ -697,6 +749,39 @@ sb_rename(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+ return 0;
+ }
+
++/**
++ * Function responsible for setting up the renameat syscall for
++ * the seccomp filter sandbox.
++ */
++static int
++sb_renameat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
++{
++ int rc;
++ sandbox_cfg_t *elem = NULL;
++
++ // for each dynamic parameter filters
++ for (elem = filter; elem != NULL; elem = elem->next) {
++ smp_param_t *param = elem->param;
++
++ if (param != NULL && param->prot == 1 &&
++ param->syscall == SCMP_SYS(renameat)) {
++
++ rc = seccomp_rule_add_4(ctx, SCMP_ACT_ALLOW, SCMP_SYS(renameat),
++ SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
++ SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
++ SCMP_CMP_NEG(2, SCMP_CMP_EQ, AT_FDCWD),
++ SCMP_CMP_STR(3, SCMP_CMP_EQ, param->value2));
++ if (rc != 0) {
++ log_err(LD_BUG,"(Sandbox) failed to add renameat syscall, received "
++ "libseccomp error %d", rc);
++ return rc;
++ }
++ }
++ }
++
++ return 0;
++}
++
+ /**
+ * Function responsible for setting up the openat syscall for
+ * the seccomp filter sandbox.
+@@ -1317,7 +1402,9 @@ static sandbox_filter_func_t filter_func[] = {
+ #else
+ sb_chown,
+ #endif
++ sb_fchownat,
+ sb_chmod,
++ sb_fchmodat,
+ sb_open,
+ sb_openat,
+ sb_opendir,
+@@ -1325,6 +1412,7 @@ static sandbox_filter_func_t filter_func[] = {
+ sb_ptrace,
+ #endif
+ sb_rename,
++ sb_renameat,
+ #ifdef __NR_fcntl64
+ sb_fcntl64,
+ #endif
+@@ -1592,10 +1680,24 @@ new_element(int syscall, char *value)
+
+ #ifdef __i386__
+ #define SCMP_chown SCMP_SYS(chown32)
++#elif defined(__aarch64__) && defined(__LP64__)
++#define SCMP_chown SCMP_SYS(fchownat)
+ #else
+ #define SCMP_chown SCMP_SYS(chown)
+ #endif
+
++#if defined(__aarch64__) && defined(__LP64__)
++#define SCMP_chmod SCMP_SYS(fchmodat)
++#else
++#define SCMP_chmod SCMP_SYS(chmod)
++#endif
++
++#if defined(__aarch64__) && defined(__LP64__)
++#define SCMP_rename SCMP_SYS(renameat)
++#else
++#define SCMP_rename SCMP_SYS(rename)
++#endif
++
+ #ifdef __NR_stat64
+ #define SCMP_stat SCMP_SYS(stat64)
+ #else
+@@ -1633,7 +1735,7 @@ sandbox_cfg_allow_chmod_filename(sandbox_cfg_t **cfg, char *file)
+ {
+ sandbox_cfg_t *elem = NULL;
+
+- elem = new_element(SCMP_SYS(chmod), file);
++ elem = new_element(SCMP_chmod, file);
+
+ elem->next = *cfg;
+ *cfg = elem;
+@@ -1659,7 +1761,7 @@ sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
+ {
+ sandbox_cfg_t *elem = NULL;
+
+- elem = new_element2(SCMP_SYS(rename), file1, file2);
++ elem = new_element2(SCMP_rename, file1, file2);
+
+ elem->next = *cfg;
+ *cfg = elem;
+--
+GitLab
+
+
+From eb0749d64917fee6ff74c3810dbec8cd063f546c Mon Sep 17 00:00:00 2001
+From: Pierre Bourdon <delroth@gmail.com>
+Date: Wed, 4 May 2022 07:19:40 +0200
+Subject: [PATCH 3/4] sandbox: replace SCMP_CMP_NEG with masked equality checks
+
+For some syscalls the kernel ABI uses 32 bit signed integers. Whether
+these 32 bit integer values are sign extended or zero extended to the
+native 64 bit register sizes is undefined and dependent on the {arch,
+compiler, libc} being used. Instead of trying to detect which cases
+zero-extend and which cases sign-extend, this commit uses a masked
+equality check on the lower 32 bits of the value.
+--- a/src/lib/sandbox/sandbox.c
++++ b/src/lib/sandbox/sandbox.c
+@@ -141,10 +141,12 @@ static sandbox_cfg_t *filter_dynamic = NULL;
+ * the high bits of the value might get masked out improperly. */
+ #define SCMP_CMP_MASKED(a,b,c) \
+ SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, ~(scmp_datum_t)(b), (c))
+-/* For negative constants, the rule to add depends on the glibc version. */
+-#define SCMP_CMP_NEG(a,op,b) (libc_negative_constant_needs_cast() ? \
+- (SCMP_CMP((a), (op), (unsigned int)(b))) : \
+- (SCMP_CMP_STR((a), (op), (b))))
++/* Negative constants aren't consistently sign extended or zero extended.
++ * Different compilers, libc, and architectures behave differently. For cases
++ * where the kernel ABI uses a 32 bit integer, this macro can be used to
++ * mask-compare only the lower 32 bits of the value. */
++#define SCMP_CMP_LOWER32_EQ(a,b) \
++ SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, 0xFFFFFFFF, (unsigned int)(b))
+
+ /** Variable used for storing all syscall numbers that will be allowed with the
+ * stage 1 general Tor sandbox.
+@@ -513,19 +515,6 @@ libc_uses_openat_for_opendir(void)
+ (is_libc_at_least(2, 15) && !is_libc_at_least(2, 22));
+ }
+
+-/* Return true if we think we're running with a libc that needs to cast
+- * negative arguments like AT_FDCWD for seccomp rules. */
+-static int
+-libc_negative_constant_needs_cast(void)
+-{
+-#if defined(__aarch64__) && defined(__LP64__)
+- /* Existing glibc versions always sign-extend to 64 bits on AArch64. */
+- return 0;
+-#else
+- return is_libc_at_least(2, 27);
+-#endif
+-}
+-
+ /** Allow a single file to be opened. If <b>use_openat</b> is true,
+ * we're using a libc that remaps all the opens into openats. */
+ static int
+@@ -533,7 +522,7 @@ allow_file_open(scmp_filter_ctx ctx, int use_openat, const char *file)
+ {
+ if (use_openat) {
+ return seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
+- SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
++ SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
+ SCMP_CMP_STR(1, SCMP_CMP_EQ, file));
+ } else {
+ return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open),
+@@ -627,7 +616,7 @@ sb_fchmodat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+ if (param != NULL && param->prot == 1 && param->syscall
+ == SCMP_SYS(fchmodat)) {
+ rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchmodat),
+- SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
++ SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
+ SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
+ if (rc != 0) {
+ log_err(LD_BUG,"(Sandbox) failed to add fchmodat syscall, received "
+@@ -705,7 +694,7 @@ sb_fchownat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+ if (param != NULL && param->prot == 1 && param->syscall
+ == SCMP_SYS(fchownat)) {
+ rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchownat),
+- SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
++ SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
+ SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
+ if (rc != 0) {
+ log_err(LD_BUG,"(Sandbox) failed to add fchownat syscall, received "
+@@ -767,9 +756,9 @@ sb_renameat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+ param->syscall == SCMP_SYS(renameat)) {
+
+ rc = seccomp_rule_add_4(ctx, SCMP_ACT_ALLOW, SCMP_SYS(renameat),
+- SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
++ SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
+ SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
+- SCMP_CMP_NEG(2, SCMP_CMP_EQ, AT_FDCWD),
++ SCMP_CMP_LOWER32_EQ(2, AT_FDCWD),
+ SCMP_CMP_STR(3, SCMP_CMP_EQ, param->value2));
+ if (rc != 0) {
+ log_err(LD_BUG,"(Sandbox) failed to add renameat syscall, received "
+@@ -799,7 +788,7 @@ sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+ if (param != NULL && param->prot == 1 && param->syscall
+ == SCMP_SYS(openat)) {
+ rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
+- SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
++ SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
+ SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
+ SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|
+ O_CLOEXEC));
+--
+GitLab
+
+
+From 42034ae9da2866c67ce8cb8522d6a619d8b21170 Mon Sep 17 00:00:00 2001
+From: Pierre Bourdon <delroth@gmail.com>
+Date: Wed, 4 May 2022 07:31:06 +0200
+Subject: [PATCH 4/4] changes: add entry for MR !574
+
+--- /dev/null
++++ b/changes/aarch64_sandbox
+@@ -0,0 +1,5 @@
++ o Minor bugfixes (sandbox):
++ - Fix sandbox support on AArch64 systems. More "*at" variants of syscalls
++ are now supported. Signed 32 bit syscall parameters are checked more
++ precisely, which should lead to lower likelihood of breakages with future
++ compiler and libc releases. Fixes bug 40599; bugfix on 0.4.4.3-alpha.
+--
+GitLab
+
diff --git a/net-vpn/tor/tor-0.4.7.16-r1.ebuild b/net-vpn/tor/tor-0.4.7.16-r1.ebuild
new file mode 100644
index 0000000..f681742
--- /dev/null
+++ b/net-vpn/tor/tor-0.4.7.16-r1.ebuild
@@ -0,0 +1,170 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..12} )
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/torproject.org.asc
+inherit edo python-any-r1 readme.gentoo-r1 systemd verify-sig
+
+MY_PV="$(ver_rs 4 -)"
+MY_PF="${PN}-${MY_PV}"
+DESCRIPTION="Anonymizing overlay network for TCP"
+HOMEPAGE="https://www.torproject.org/ https://gitlab.torproject.org/tpo/core/tor/"
+
+if [[ ${PV} == 9999 ]] ; then
+ EGIT_REPO_URI="https://gitlab.torproject.org/tpo/core/tor"
+ inherit autotools git-r3
+else
+ SRC_URI="
+ https://www.torproject.org/dist/${MY_PF}.tar.gz
+ https://archive.torproject.org/tor-package-archive/${MY_PF}.tar.gz
+ verify-sig? (
+ https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum
+ https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum.asc
+ )
+ "
+
+ S="${WORKDIR}/${MY_PF}"
+
+ if [[ ${PV} != *_alpha* && ${PV} != *_beta* && ${PV} != *_rc* ]]; then
+ KEYWORDS="~amd64 ~arm arm64 ~hppa ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86 ~ppc-macos"
+ fi
+
+ BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-tor-20230727 )"
+fi
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+IUSE="caps doc lzma +man scrypt seccomp selinux +server systemd tor-hardening test zstd"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+ >=dev-libs/libevent-2.1.12-r1:=[ssl]
+ dev-libs/openssl:=[-bindist(-)]
+ sys-libs/zlib
+ caps? ( sys-libs/libcap )
+ man? ( app-text/asciidoc )
+ lzma? ( app-arch/xz-utils )
+ scrypt? ( app-crypt/libscrypt )
+ seccomp? ( >=sys-libs/libseccomp-2.4.1 )
+ systemd? ( sys-apps/systemd:= )
+ zstd? ( app-arch/zstd:= )
+"
+RDEPEND="
+ acct-user/tor
+ acct-group/tor
+ ${DEPEND}
+ selinux? ( sec-policy/selinux-tor )
+"
+DEPEND+="
+ test? (
+ ${DEPEND}
+ ${PYTHON_DEPS}
+ )
+"
+
+DOCS=()
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-0.2.7.4-torrc.sample.patch
+ "${FILESDIR}"/${PN}-0.4.7.13-libressl.patch
+ "${FILESDIR}"/${PN}-0.4.7.13-opensslconf.patch
+ "${FILESDIR}"/${P}-arm64-sandbox.patch
+)
+
+pkg_setup() {
+ use test && python-any-r1_pkg_setup
+}
+
+src_unpack() {
+ if [[ ${PV} == 9999 ]] ; then
+ git-r3_src_unpack
+ else
+ if use verify-sig; then
+ cd "${DISTDIR}" || die
+ verify-sig_verify_detached ${MY_PF}.tar.gz.sha256sum{,.asc}
+ verify-sig_verify_unsigned_checksums \
+ ${MY_PF}.tar.gz.sha256sum sha256 ${MY_PF}.tar.gz
+ cd "${WORKDIR}" || die
+ fi
+
+ default
+ fi
+}
+
+src_prepare() {
+ default
+
+ # Running shellcheck automagically isn't useful for ebuild testing.
+ echo "exit 0" > scripts/maint/checkShellScripts.sh || die
+
+ if [[ ${PV} == 9999 ]] ; then
+ eautoreconf
+ fi
+}
+
+src_configure() {
+ use doc && DOCS+=( README.md ChangeLog ReleaseNotes doc/HACKING )
+
+ export ac_cv_lib_cap_cap_init=$(usex caps)
+ export tor_cv_PYTHON="${EPYTHON}"
+
+ local myeconfargs=(
+ --localstatedir="${EPREFIX}/var"
+ --disable-all-bugs-are-fatal
+ --enable-system-torrc
+ --disable-android
+ --disable-coverage
+ --disable-html-manual
+ --disable-libfuzzer
+ --enable-missing-doc-warnings
+ --disable-module-dirauth
+ --enable-pic
+ --disable-restart-debugging
+
+ $(use_enable man asciidoc)
+ $(use_enable man manpage)
+ $(use_enable lzma)
+ $(use_enable scrypt libscrypt)
+ $(use_enable seccomp)
+ $(use_enable server module-relay)
+ $(use_enable systemd)
+ $(use_enable tor-hardening gcc-hardening)
+ $(use_enable tor-hardening linker-hardening)
+ $(use_enable test unittests)
+ $(use_enable zstd)
+ )
+
+ econf "${myeconfargs[@]}"
+}
+
+src_test() {
+ local skip_tests=(
+ # Fails in sandbox
+ :sandbox/open_filename
+ :sandbox/openat_filename
+ )
+
+ # The makefile runs these by parallel by chunking them with a script
+ # but that means we lose verbosity and can't skip individual tests easily
+ # either.
+ edo ./src/test/test --verbose "${skip_tests[@]}"
+}
+
+src_install() {
+ default
+ readme.gentoo_create_doc
+
+ newconfd "${FILESDIR}"/tor.confd tor
+ newinitd "${FILESDIR}"/tor.initd-r9 tor
+ systemd_dounit "${FILESDIR}"/tor.service
+
+ keepdir /var/lib/tor
+
+ fperms 750 /var/lib/tor
+ fowners tor:tor /var/lib/tor
+
+ insinto /etc/tor/
+ newins "${FILESDIR}"/torrc-r2 torrc
+}
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [gentoo-commits] repo/proj/libressl:master commit in: net-vpn/tor/files/, net-vpn/tor/
@ 2024-07-21 2:27 orbea
0 siblings, 0 replies; 4+ messages in thread
From: orbea @ 2024-07-21 2:27 UTC (permalink / raw
To: gentoo-commits
commit: b426b33ef724ac7f3b1db2e9500ba74d3d50418e
Author: orbea <orbea <AT> riseup <DOT> net>
AuthorDate: Sun Jul 21 02:21:10 2024 +0000
Commit: orbea <orbea <AT> riseup <DOT> net>
CommitDate: Sun Jul 21 02:21:10 2024 +0000
URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=b426b33e
net-vpn/tor: drop 0.4.7.13-r1, 0.4.7.16, 0.4.7.16-r1, 0.4.8.10
Signed-off-by: orbea <orbea <AT> riseup.net>
net-vpn/tor/Manifest | 9 -
net-vpn/tor/files/tor-0.4.7.13-libressl.patch | 202 ------------
net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch | 337 ---------------------
net-vpn/tor/tor-0.4.7.13-r1.ebuild | 150 ---------
net-vpn/tor/tor-0.4.7.16-r1.ebuild | 182 -----------
net-vpn/tor/tor-0.4.7.16.ebuild | 169 -----------
net-vpn/tor/tor-0.4.8.10.ebuild | 190 ------------
7 files changed, 1239 deletions(-)
diff --git a/net-vpn/tor/Manifest b/net-vpn/tor/Manifest
index 9f37505..b85c581 100644
--- a/net-vpn/tor/Manifest
+++ b/net-vpn/tor/Manifest
@@ -1,12 +1,3 @@
-DIST tor-0.4.7.13.tar.gz 8031948 BLAKE2B 338a0a541423f27f594a091307b5edeafc9826bb651c2bd050f3282c9355d9d43d1ef4791f3c98a37dc4c0f64bc40925ea1c1e32cbdff78b1a7308df501f279a SHA512 0900416887afbb24f7b72e6ef181b7b01308d1bb35c37736f3b13e06810a07febf9f47fadd9ff6c0e73204d93b49545e4e2516906eb3ba74398ad2b299f530be
-DIST tor-0.4.7.13.tar.gz.sha256sum 86 BLAKE2B 339db9869bfe485cbd328fe942cc23e60c08ad67fc2d9e7927ed3c9f3b606192e5efac34013c5bf0b0e8b26e957dcf8b586e1cc0a0c27756b8b3d823af37fdee SHA512 ec1d19fa662255df5dd575ba943f4ccb30d9dfa49ff656cdfa73df2d24248b52a3bfd715f4d3efe11d8129968b0e06e3c75e8d82416e1807020ebf65f65401a0
-DIST tor-0.4.7.13.tar.gz.sha256sum.asc 716 BLAKE2B 968a3852293ab9bcadac626862c9dc360b17de5afd00af7c46358fa2adfc03b55c02dfe029e9427efba999f553489a04388b395e8fb8fe16325e0895663c2deb SHA512 eb78e8369941d8de833e3616a9a1c1e59b0d3dde918353e2f4fa5eb5da09f038238c46f5e180844bd3cba1211a9daa6d60e9ddb5690998e27a6b7d1616aa20cc
-DIST tor-0.4.7.16.tar.gz 8120424 BLAKE2B 59b7cf6b69cf552caac09ab000732bf6fa6cd5a171f00e86bea5a89ba9ce548e404fa7adb25d3aebed9f500b15ae2ca5272b07f61921f19bc5bc71b3f42a88e6 SHA512 4b1e08f158369dfd51f72a45b67fccb42095980c674e94c7a917f44996783296544b15ec1cbb7506f78d2a1473679326a128501d4341bb0251966770cf6a3d1b
-DIST tor-0.4.7.16.tar.gz.sha256sum 86 BLAKE2B 8468b7728bb47ee1e27b2895f264f1fbbb4e21a20532da76bf7b5de139b7d1c5307a9016159ee834b4f696f156acfb6f252c95d094e62480ce36a7414815cc71 SHA512 858bb461c4d7a10b32aa4088c5e75eaa6527211314bfa02197578dfb8837cc263abe06ea565a352e6255eb0b1c7c1b80807713b1906f52c2bf883b6c945345d2
-DIST tor-0.4.7.16.tar.gz.sha256sum.asc 716 BLAKE2B 108bf2ba3c5678da0be72e6816b3ebe981d56733ddae00bcc79ecae050753580df3da2c2aef179310efc426e7caa5e6df991ac9e4b87d4a7aaa53556e00fb8ce SHA512 9595dbedef35fabdd0b19bf055329580326447cefd269c21c8e73c9f65f2f02ec70fdf3431255b4b3356d3d82175c8a5c99d0368bf733c63d87d81ca9f7ce4a3
-DIST tor-0.4.8.10.tar.gz 8272740 BLAKE2B ef470664d85e019f6cac2366e934d5dc31b8ae92f121a2b4c8c95f8267abce5ce4413d30a24affa40a069d587212364ae5a7c3cd114488e50a535f01c54c6e77 SHA512 3827902541a0289ed1bfcae9bb0ac8bf8dee7bedacbfdf9c703bb38c3c586d1cfe5eeb20a477664e10a2b81b90a7fd5d623e556f3ee32aad4f8a9f828bc4dd83
-DIST tor-0.4.8.10.tar.gz.sha256sum 86 BLAKE2B 1410a5e7e486c7c33b6b217a53d250bc3e1d76c87e74ad29f6c6a67cbdacb3627521cc8936f7e8e8d72c3333078cede222d13c825b8d66df7c1d50721043f89e SHA512 853a88b75ecd195e6b155361c8321b575c5fd526f5d73da8b5de99ac875b2f22f2b8668f7c9a68a8e599170290041533345fd324dd56a0102d5cd5ddf8020461
-DIST tor-0.4.8.10.tar.gz.sha256sum.asc 716 BLAKE2B 0154ef1defa1a8227813ef3589f1fd4215f5bd305447fec1404f7950c0b89e6d9fcb6686900e4819d0f1a635d3b08e60cdc9c96a4f74e603185afb6eb1e29279 SHA512 aaeee664c9342a6cddaacfeea6e6974ce374d746153a28943dee1db3db48a8e08f36a076856358819cae8ea2f8b7d912d0e6dc2dc772465dba3283b553f43b91
DIST tor-0.4.8.11.tar.gz 9690074 BLAKE2B b7f5bb855a6f8fe7dfd0e0efe7b48798e9d4642e401641c83554ed0f98fe238a5f303e9466e9e24a7ade63488a745b3c957ed6cc53a2f5e21f5f9c3f78f7fa78 SHA512 186fb690a751b4c0dda87afc741627a4c8c9b1a781b295dcf25b767c40c3b62664c08c63fc98f80095af76dfa1060b42e19936941528d091db50fafdce88be6e
DIST tor-0.4.8.11.tar.gz.sha256sum 86 BLAKE2B 062077991dc4ca70c457a7c1a70c815d288b5afcd54246a51dd86685454fb0cf52aa8e12974e7909ef2c0b8e764c369278113c5b7d84e866fad0a66bdff93ebc SHA512 061411e2e5695fec84fcade7cf8ed36e14d5ea3ccfab7b0d7abdb53a57ca1d3647f73f416e5cc55c0d11f8d5405bba1a972d0b8ed05e6e20d088de57eac027bf
DIST tor-0.4.8.11.tar.gz.sha256sum.asc 1321 BLAKE2B fbb12fbef8ef2c33a0a1c40eefb7b180e63f1d0c97ef15352e209a55decdcbfee3ed82be0ce28e95e47dc22f85602ff53008d585b15c82e2b669f39d987c106a SHA512 9f35e5a17293f4e5175fb617de913ad2622a695461d0f5fb78ad8b942c6af1e8d1de782e6bb06796ce7e8acb70c0c9c75ff6d6ac605defb73526c26dbe313546
diff --git a/net-vpn/tor/files/tor-0.4.7.13-libressl.patch b/net-vpn/tor/files/tor-0.4.7.13-libressl.patch
deleted file mode 100644
index bba0c45..0000000
--- a/net-vpn/tor/files/tor-0.4.7.13-libressl.patch
+++ /dev/null
@@ -1,202 +0,0 @@
-Upstream-MR: https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/598
-Upstream-Commit: https://gitlab.torproject.org/tpo/core/tor/-/commit/da52d7206a4a8e4fa8b5e80b5ed73de50fbe8692
-Upstream-MR: https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/713
-Upstream-Commit: https://gitlab.torproject.org/tpo/core/tor/-/commit/9850dc59c0db5cbcadc314be8d324a992880fce1
-
-From f3dabd705f26c56076934323f24b5b05ecdfd39c Mon Sep 17 00:00:00 2001
-From: "Alex Xu (Hello71)" <alex_y_xu@yahoo.ca>
-Date: Tue, 5 Jul 2022 11:37:30 -0400
-Subject: [PATCH 1/2] LibreSSL 3.5 compatibility
-
-LibreSSL is now closer to OpenSSL 1.1 than OpenSSL 1.0. According to
-https://undeadly.org/cgi?action=article;sid=20220116121253, this is the
-intention of OpenBSD developers.
-
-According to #40630, many special cases are needed to compile Tor against
-LibreSSL 3.5 when using Tor's OpenSSL 1.0 compatibility mode, whereas only a
-small number of #defines are required when using OpenSSL 1.1 compatibility
-mode. One additional workaround is required for LibreSSL 3.4 compatibility.
-
-Compiles and passes unit tests with LibreSSL 3.4.3 and 3.5.1.
----
- configure.ac | 2 +-
- src/lib/crypt_ops/compat_openssl.h | 22 +++++++++++++---------
- src/lib/crypt_ops/crypto_openssl_mgt.h | 3 +--
- src/lib/crypt_ops/crypto_rsa_openssl.c | 8 +++++---
- 4 files changed, 20 insertions(+), 15 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 8baae007cf..6ab7903010 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1022,7 +1022,7 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
- AC_MSG_CHECKING([for OpenSSL < 1.0.1])
- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
- #include <openssl/opensslv.h>
--#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x1000100fL
-+#if OPENSSL_VERSION_NUMBER < 0x1000100fL
- #error "too old"
- #endif
- ]], [[]])],
-diff --git a/src/lib/crypt_ops/compat_openssl.h b/src/lib/crypt_ops/compat_openssl.h
-index 0f56f338b5..c5eccdb015 100644
---- a/src/lib/crypt_ops/compat_openssl.h
-+++ b/src/lib/crypt_ops/compat_openssl.h
-@@ -20,32 +20,36 @@
- * \brief compatibility definitions for working with different openssl forks
- **/
-
--#if !defined(LIBRESSL_VERSION_NUMBER) && \
-- OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,1)
-+#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,1)
- #error "We require OpenSSL >= 1.0.1"
- #endif
-
--#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) && \
-- ! defined(LIBRESSL_VERSION_NUMBER)
-+#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
- /* We define this macro if we're trying to build with the majorly refactored
- * API in OpenSSL 1.1 */
- #define OPENSSL_1_1_API
- #endif /* OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) && ... */
-
--#ifndef OPENSSL_1_1_API
--#define OpenSSL_version(v) SSLeay_version(v)
--#define tor_OpenSSL_version_num() SSLeay()
-+/* LibreSSL claims to be OpenSSL 2.0 but lacks these OpenSSL 1.1 APIs */
-+#if !defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
- #define RAND_OpenSSL() RAND_SSLeay()
- #define STATE_IS_SW_SERVER_HELLO(st) \
- (((st) == SSL3_ST_SW_SRVR_HELLO_A) || \
- ((st) == SSL3_ST_SW_SRVR_HELLO_B))
- #define OSSL_HANDSHAKE_STATE int
- #define CONST_IF_OPENSSL_1_1_API
--#else /* defined(OPENSSL_1_1_API) */
--#define tor_OpenSSL_version_num() OpenSSL_version_num()
-+#else
- #define STATE_IS_SW_SERVER_HELLO(st) \
- ((st) == TLS_ST_SW_SRVR_HELLO)
- #define CONST_IF_OPENSSL_1_1_API const
-+#endif
-+
-+/* OpenSSL 1.1 and LibreSSL both have these APIs */
-+#ifndef OPENSSL_1_1_API
-+#define OpenSSL_version(v) SSLeay_version(v)
-+#define tor_OpenSSL_version_num() SSLeay()
-+#else /* defined(OPENSSL_1_1_API) */
-+#define tor_OpenSSL_version_num() OpenSSL_version_num()
- #endif /* !defined(OPENSSL_1_1_API) */
-
- #endif /* defined(ENABLE_OPENSSL) */
-diff --git a/src/lib/crypt_ops/crypto_openssl_mgt.h b/src/lib/crypt_ops/crypto_openssl_mgt.h
-index c6f63ffa08..96a37721dd 100644
---- a/src/lib/crypt_ops/crypto_openssl_mgt.h
-+++ b/src/lib/crypt_ops/crypto_openssl_mgt.h
-@@ -54,8 +54,7 @@
- #define DISABLE_ENGINES
- #endif
-
--#if OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5) && \
-- !defined(LIBRESSL_VERSION_NUMBER)
-+#if OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5)
- /* OpenSSL as of 1.1.0pre4 has an "new" thread API, which doesn't require
- * setting up various callbacks.
- *
-diff --git a/src/lib/crypt_ops/crypto_rsa_openssl.c b/src/lib/crypt_ops/crypto_rsa_openssl.c
-index a21c4a65cf..544d72e6ca 100644
---- a/src/lib/crypt_ops/crypto_rsa_openssl.c
-+++ b/src/lib/crypt_ops/crypto_rsa_openssl.c
-@@ -572,7 +572,9 @@ static bool
- rsa_private_key_too_long(RSA *rsa, int max_bits)
- {
- const BIGNUM *n, *e, *p, *q, *d, *dmp1, *dmq1, *iqmp;
--#ifdef OPENSSL_1_1_API
-+#if defined(OPENSSL_1_1_API) && \
-+ (!defined(LIBRESSL_VERSION_NUMBER) || \
-+ LIBRESSL_VERSION_NUMBER >= OPENSSL_V_SERIES(3,5,0))
-
- #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,1)
- n = RSA_get0_n(rsa);
-@@ -591,7 +593,7 @@ rsa_private_key_too_long(RSA *rsa, int max_bits)
-
- if (RSA_bits(rsa) > max_bits)
- return true;
--#else /* !defined(OPENSSL_1_1_API) */
-+#else /* !defined(OPENSSL_1_1_API) && ... */
- n = rsa->n;
- e = rsa->e;
- p = rsa->p;
-@@ -600,7 +602,7 @@ rsa_private_key_too_long(RSA *rsa, int max_bits)
- dmp1 = rsa->dmp1;
- dmq1 = rsa->dmq1;
- iqmp = rsa->iqmp;
--#endif /* defined(OPENSSL_1_1_API) */
-+#endif /* defined(OPENSSL_1_1_API) && ... */
-
- if (n && BN_num_bits(n) > max_bits)
- return true;
---
-GitLab
-
-
-From b1545b6d18fbef6c790e2731a814fa54230d8857 Mon Sep 17 00:00:00 2001
-From: "Alex Xu (Hello71)" <alex_y_xu@yahoo.ca>
-Date: Tue, 19 Jul 2022 16:18:29 -0400
-Subject: [PATCH 2/2] Changes file for #40630 (LibreSSL 3.5 compatibility)
-
----
- changes/issue40630 | 3 +++
- 1 file changed, 3 insertions(+)
- create mode 100644 changes/issue40630
-
-diff --git a/changes/issue40630 b/changes/issue40630
-new file mode 100644
-index 0000000000..faf04941b6
---- /dev/null
-+++ b/changes/issue40630
-@@ -0,0 +1,3 @@
-+ o Minor features (portability, compilation):
-+ - Use OpenSSL 1.1 APIs for LibreSSL, fixing LibreSSL 3.5 compatibility.
-+ Fixes issue 40630; patch by Alex Xu (Hello71).
---
-GitLab
-
-From 9850dc59c0db5cbcadc314be8d324a992880fce1 Mon Sep 17 00:00:00 2001
-From: orbea <orbea@riseup.net>
-Date: Mon, 29 May 2023 12:56:37 -0700
-Subject: [PATCH] tls: Disable a warning with LibreSSL >= 3.8.0
-
-Skip a warning using EC_GFp_nist_method() which was removed in LibreSSL
-3.8.
-
-Based on a patch from OpenBSD.
-
-https://github.com/openbsd/ports/commit/33fe251a08cb11f30ce6094a2e0759c3bb63ed16
-
-These functions are deprecated since OpenSSL 3.0.
-
-https://www.openssl.org/docs/man3.1/man3/EC_GFp_nist_method.html
----
- src/lib/tls/tortls_openssl.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/src/lib/tls/tortls_openssl.c b/src/lib/tls/tortls_openssl.c
-index 12260c09d3..c0a89ac272 100644
---- a/src/lib/tls/tortls_openssl.c
-+++ b/src/lib/tls/tortls_openssl.c
-@@ -340,8 +340,10 @@ tor_tls_init(void)
- SSL_load_error_strings();
- #endif /* defined(OPENSSL_1_1_API) */
-
--#if (SIZEOF_VOID_P >= 8 && \
-- OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1))
-+#if (SIZEOF_VOID_P >= 8 && \
-+ OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1) && \
-+ (!defined(LIBRESSL_VERSION_NUMBER) || \
-+ LIBRESSL_VERSION_NUMBER < 0x3080000fL))
- long version = tor_OpenSSL_version_num();
-
- /* LCOV_EXCL_START : we can't test these lines on the same machine */
---
-GitLab
-
diff --git a/net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch b/net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch
deleted file mode 100644
index 2b473bf..0000000
--- a/net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch
+++ /dev/null
@@ -1,337 +0,0 @@
-From https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/574
-Gentoo Bug: https://bugs.gentoo.org/920063
-From: Pierre Bourdon <delroth@gmail.com>
-Date: Sat, 30 Apr 2022 11:52:59 +0200
-Subject: [PATCH 1/4] sandbox: fix openat filtering on AArch64
-
-New glibc versions not sign-extending 32 bit negative constants seems to
-not be a thing on AArch64. I suspect that this might not be the only
-architecture where the sign-extensions is happening, and the correct fix
-might be instead to use a proper 32 bit comparison for the first openat
-parameter. For now, band-aid fix this so the sandbox can work again on
-AArch64.
---- a/src/lib/sandbox/sandbox.c
-+++ b/src/lib/sandbox/sandbox.c
-@@ -518,7 +518,12 @@ libc_uses_openat_for_opendir(void)
- static int
- libc_negative_constant_needs_cast(void)
- {
-+#if defined(__aarch64__) && defined(__LP64__)
-+ /* Existing glibc versions always sign-extend to 64 bits on AArch64. */
-+ return 0;
-+#else
- return is_libc_at_least(2, 27);
-+#endif
- }
-
- /** Allow a single file to be opened. If <b>use_openat</b> is true,
---
-GitLab
-
-
-From 8fd13f7a7bfd4efc02d888ce9d10bcb6a80a03c8 Mon Sep 17 00:00:00 2001
-From: Pierre Bourdon <delroth@gmail.com>
-Date: Sat, 30 Apr 2022 13:02:16 +0200
-Subject: [PATCH 2/4] sandbox: filter {chown,chmod,rename} via their *at
- variant on Aarch64
-
-The chown/chmod/rename syscalls have never existed on AArch64, and libc
-implements the POSIX functions via the fchownat/fchmodat/renameat
-syscalls instead.
-
-Add new filter functions for fchownat/fchmodat/renameat, not made
-architecture specific since the syscalls exists everywhere else too.
-However, in order to limit seccomp filter space usage, we only insert
-rules for one of {chown, chown32, fchownat} depending on the
-architecture (resp. {chmod, fchmodat}, {rename, renameat}).
---- a/src/lib/sandbox/sandbox.c
-+++ b/src/lib/sandbox/sandbox.c
-@@ -614,6 +614,32 @@ sb_chmod(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
- return 0;
- }
-
-+static int
-+sb_fchmodat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
-+{
-+ int rc;
-+ sandbox_cfg_t *elem = NULL;
-+
-+ // for each dynamic parameter filters
-+ for (elem = filter; elem != NULL; elem = elem->next) {
-+ smp_param_t *param = elem->param;
-+
-+ if (param != NULL && param->prot == 1 && param->syscall
-+ == SCMP_SYS(fchmodat)) {
-+ rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchmodat),
-+ SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
-+ SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
-+ if (rc != 0) {
-+ log_err(LD_BUG,"(Sandbox) failed to add fchmodat syscall, received "
-+ "libseccomp error %d", rc);
-+ return rc;
-+ }
-+ }
-+ }
-+
-+ return 0;
-+}
-+
- #ifdef __i386__
- static int
- sb_chown32(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
-@@ -666,6 +692,32 @@ sb_chown(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
- }
- #endif /* defined(__i386__) */
-
-+static int
-+sb_fchownat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
-+{
-+ int rc;
-+ sandbox_cfg_t *elem = NULL;
-+
-+ // for each dynamic parameter filters
-+ for (elem = filter; elem != NULL; elem = elem->next) {
-+ smp_param_t *param = elem->param;
-+
-+ if (param != NULL && param->prot == 1 && param->syscall
-+ == SCMP_SYS(fchownat)) {
-+ rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchownat),
-+ SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
-+ SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
-+ if (rc != 0) {
-+ log_err(LD_BUG,"(Sandbox) failed to add fchownat syscall, received "
-+ "libseccomp error %d", rc);
-+ return rc;
-+ }
-+ }
-+ }
-+
-+ return 0;
-+}
-+
- /**
- * Function responsible for setting up the rename syscall for
- * the seccomp filter sandbox.
-@@ -697,6 +749,39 @@ sb_rename(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
- return 0;
- }
-
-+/**
-+ * Function responsible for setting up the renameat syscall for
-+ * the seccomp filter sandbox.
-+ */
-+static int
-+sb_renameat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
-+{
-+ int rc;
-+ sandbox_cfg_t *elem = NULL;
-+
-+ // for each dynamic parameter filters
-+ for (elem = filter; elem != NULL; elem = elem->next) {
-+ smp_param_t *param = elem->param;
-+
-+ if (param != NULL && param->prot == 1 &&
-+ param->syscall == SCMP_SYS(renameat)) {
-+
-+ rc = seccomp_rule_add_4(ctx, SCMP_ACT_ALLOW, SCMP_SYS(renameat),
-+ SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
-+ SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
-+ SCMP_CMP_NEG(2, SCMP_CMP_EQ, AT_FDCWD),
-+ SCMP_CMP_STR(3, SCMP_CMP_EQ, param->value2));
-+ if (rc != 0) {
-+ log_err(LD_BUG,"(Sandbox) failed to add renameat syscall, received "
-+ "libseccomp error %d", rc);
-+ return rc;
-+ }
-+ }
-+ }
-+
-+ return 0;
-+}
-+
- /**
- * Function responsible for setting up the openat syscall for
- * the seccomp filter sandbox.
-@@ -1317,7 +1402,9 @@ static sandbox_filter_func_t filter_func[] = {
- #else
- sb_chown,
- #endif
-+ sb_fchownat,
- sb_chmod,
-+ sb_fchmodat,
- sb_open,
- sb_openat,
- sb_opendir,
-@@ -1325,6 +1412,7 @@ static sandbox_filter_func_t filter_func[] = {
- sb_ptrace,
- #endif
- sb_rename,
-+ sb_renameat,
- #ifdef __NR_fcntl64
- sb_fcntl64,
- #endif
-@@ -1592,10 +1680,24 @@ new_element(int syscall, char *value)
-
- #ifdef __i386__
- #define SCMP_chown SCMP_SYS(chown32)
-+#elif defined(__aarch64__) && defined(__LP64__)
-+#define SCMP_chown SCMP_SYS(fchownat)
- #else
- #define SCMP_chown SCMP_SYS(chown)
- #endif
-
-+#if defined(__aarch64__) && defined(__LP64__)
-+#define SCMP_chmod SCMP_SYS(fchmodat)
-+#else
-+#define SCMP_chmod SCMP_SYS(chmod)
-+#endif
-+
-+#if defined(__aarch64__) && defined(__LP64__)
-+#define SCMP_rename SCMP_SYS(renameat)
-+#else
-+#define SCMP_rename SCMP_SYS(rename)
-+#endif
-+
- #ifdef __NR_stat64
- #define SCMP_stat SCMP_SYS(stat64)
- #else
-@@ -1633,7 +1735,7 @@ sandbox_cfg_allow_chmod_filename(sandbox_cfg_t **cfg, char *file)
- {
- sandbox_cfg_t *elem = NULL;
-
-- elem = new_element(SCMP_SYS(chmod), file);
-+ elem = new_element(SCMP_chmod, file);
-
- elem->next = *cfg;
- *cfg = elem;
-@@ -1659,7 +1761,7 @@ sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
- {
- sandbox_cfg_t *elem = NULL;
-
-- elem = new_element2(SCMP_SYS(rename), file1, file2);
-+ elem = new_element2(SCMP_rename, file1, file2);
-
- elem->next = *cfg;
- *cfg = elem;
---
-GitLab
-
-
-From eb0749d64917fee6ff74c3810dbec8cd063f546c Mon Sep 17 00:00:00 2001
-From: Pierre Bourdon <delroth@gmail.com>
-Date: Wed, 4 May 2022 07:19:40 +0200
-Subject: [PATCH 3/4] sandbox: replace SCMP_CMP_NEG with masked equality checks
-
-For some syscalls the kernel ABI uses 32 bit signed integers. Whether
-these 32 bit integer values are sign extended or zero extended to the
-native 64 bit register sizes is undefined and dependent on the {arch,
-compiler, libc} being used. Instead of trying to detect which cases
-zero-extend and which cases sign-extend, this commit uses a masked
-equality check on the lower 32 bits of the value.
---- a/src/lib/sandbox/sandbox.c
-+++ b/src/lib/sandbox/sandbox.c
-@@ -141,10 +141,12 @@ static sandbox_cfg_t *filter_dynamic = NULL;
- * the high bits of the value might get masked out improperly. */
- #define SCMP_CMP_MASKED(a,b,c) \
- SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, ~(scmp_datum_t)(b), (c))
--/* For negative constants, the rule to add depends on the glibc version. */
--#define SCMP_CMP_NEG(a,op,b) (libc_negative_constant_needs_cast() ? \
-- (SCMP_CMP((a), (op), (unsigned int)(b))) : \
-- (SCMP_CMP_STR((a), (op), (b))))
-+/* Negative constants aren't consistently sign extended or zero extended.
-+ * Different compilers, libc, and architectures behave differently. For cases
-+ * where the kernel ABI uses a 32 bit integer, this macro can be used to
-+ * mask-compare only the lower 32 bits of the value. */
-+#define SCMP_CMP_LOWER32_EQ(a,b) \
-+ SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, 0xFFFFFFFF, (unsigned int)(b))
-
- /** Variable used for storing all syscall numbers that will be allowed with the
- * stage 1 general Tor sandbox.
-@@ -513,19 +515,6 @@ libc_uses_openat_for_opendir(void)
- (is_libc_at_least(2, 15) && !is_libc_at_least(2, 22));
- }
-
--/* Return true if we think we're running with a libc that needs to cast
-- * negative arguments like AT_FDCWD for seccomp rules. */
--static int
--libc_negative_constant_needs_cast(void)
--{
--#if defined(__aarch64__) && defined(__LP64__)
-- /* Existing glibc versions always sign-extend to 64 bits on AArch64. */
-- return 0;
--#else
-- return is_libc_at_least(2, 27);
--#endif
--}
--
- /** Allow a single file to be opened. If <b>use_openat</b> is true,
- * we're using a libc that remaps all the opens into openats. */
- static int
-@@ -533,7 +522,7 @@ allow_file_open(scmp_filter_ctx ctx, int use_openat, const char *file)
- {
- if (use_openat) {
- return seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
-- SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
-+ SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
- SCMP_CMP_STR(1, SCMP_CMP_EQ, file));
- } else {
- return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open),
-@@ -627,7 +616,7 @@ sb_fchmodat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
- if (param != NULL && param->prot == 1 && param->syscall
- == SCMP_SYS(fchmodat)) {
- rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchmodat),
-- SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
-+ SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
- SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
- if (rc != 0) {
- log_err(LD_BUG,"(Sandbox) failed to add fchmodat syscall, received "
-@@ -705,7 +694,7 @@ sb_fchownat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
- if (param != NULL && param->prot == 1 && param->syscall
- == SCMP_SYS(fchownat)) {
- rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchownat),
-- SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
-+ SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
- SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
- if (rc != 0) {
- log_err(LD_BUG,"(Sandbox) failed to add fchownat syscall, received "
-@@ -767,9 +756,9 @@ sb_renameat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
- param->syscall == SCMP_SYS(renameat)) {
-
- rc = seccomp_rule_add_4(ctx, SCMP_ACT_ALLOW, SCMP_SYS(renameat),
-- SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
-+ SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
- SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
-- SCMP_CMP_NEG(2, SCMP_CMP_EQ, AT_FDCWD),
-+ SCMP_CMP_LOWER32_EQ(2, AT_FDCWD),
- SCMP_CMP_STR(3, SCMP_CMP_EQ, param->value2));
- if (rc != 0) {
- log_err(LD_BUG,"(Sandbox) failed to add renameat syscall, received "
-@@ -799,7 +788,7 @@ sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
- if (param != NULL && param->prot == 1 && param->syscall
- == SCMP_SYS(openat)) {
- rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
-- SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
-+ SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
- SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
- SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|
- O_CLOEXEC));
---
-GitLab
-
-
-From 42034ae9da2866c67ce8cb8522d6a619d8b21170 Mon Sep 17 00:00:00 2001
-From: Pierre Bourdon <delroth@gmail.com>
-Date: Wed, 4 May 2022 07:31:06 +0200
-Subject: [PATCH 4/4] changes: add entry for MR !574
-
---- /dev/null
-+++ b/changes/aarch64_sandbox
-@@ -0,0 +1,5 @@
-+ o Minor bugfixes (sandbox):
-+ - Fix sandbox support on AArch64 systems. More "*at" variants of syscalls
-+ are now supported. Signed 32 bit syscall parameters are checked more
-+ precisely, which should lead to lower likelihood of breakages with future
-+ compiler and libc releases. Fixes bug 40599; bugfix on 0.4.4.3-alpha.
---
-GitLab
-
diff --git a/net-vpn/tor/tor-0.4.7.13-r1.ebuild b/net-vpn/tor/tor-0.4.7.13-r1.ebuild
deleted file mode 100644
index 8ffff91..0000000
--- a/net-vpn/tor/tor-0.4.7.13-r1.ebuild
+++ /dev/null
@@ -1,150 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{10..12} )
-VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/torproject.org.asc
-inherit autotools python-any-r1 readme.gentoo-r1 systemd verify-sig
-
-MY_PV="$(ver_rs 4 -)"
-MY_PF="${PN}-${MY_PV}"
-DESCRIPTION="Anonymizing overlay network for TCP"
-HOMEPAGE="https://www.torproject.org/ https://gitlab.torproject.org/tpo/core/tor/"
-SRC_URI="
- https://www.torproject.org/dist/${MY_PF}.tar.gz
- https://archive.torproject.org/tor-package-archive/${MY_PF}.tar.gz
- verify-sig? (
- https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum
- https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum.asc
- )
-"
-S="${WORKDIR}/${MY_PF}"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-if [[ ${PV} != *_alpha* && ${PV} != *_beta* && ${PV} != *_rc* ]]; then
- KEYWORDS="amd64 arm arm64 ~hppa ~mips ppc ppc64 ~riscv ~sparc x86 ~ppc-macos"
-fi
-IUSE="caps doc lzma +man scrypt seccomp selinux +server systemd tor-hardening test zstd"
-RESTRICT="!test? ( test )"
-
-DEPEND="
- >=dev-libs/libevent-2.1.12-r1:=[ssl]
- sys-libs/zlib
- caps? ( sys-libs/libcap )
- man? ( app-text/asciidoc )
- dev-libs/openssl:=[-bindist(-)]
- lzma? ( app-arch/xz-utils )
- scrypt? ( app-crypt/libscrypt )
- seccomp? ( >=sys-libs/libseccomp-2.4.1 )
- systemd? ( sys-apps/systemd )
- zstd? ( app-arch/zstd )
-"
-RDEPEND="
- acct-user/tor
- acct-group/tor
- ${DEPEND}
- selinux? ( sec-policy/selinux-tor )
-"
-DEPEND+="
- test? (
- ${DEPEND}
- ${PYTHON_DEPS}
- )
-"
-BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-tor-20221213 )"
-
-DOCS=()
-
-PATCHES=(
- "${FILESDIR}"/${PN}-0.2.7.4-torrc.sample.patch
- "${FILESDIR}"/${PN}-0.4.7.13-libressl.patch
- "${FILESDIR}"/${PN}-0.4.7.13-opensslconf.patch
-)
-
-pkg_setup() {
- use test && python-any-r1_pkg_setup
-}
-
-src_unpack() {
- if use verify-sig; then
- cd "${DISTDIR}" || die
- verify-sig_verify_detached ${MY_PF}.tar.gz.sha256sum{,.asc}
- verify-sig_verify_unsigned_checksums \
- ${MY_PF}.tar.gz.sha256sum sha256 ${MY_PF}.tar.gz
- cd "${WORKDIR}" || die
- fi
-
- default
-}
-
-src_prepare() {
- default
-
- # Running shellcheck automagically isn't useful for ebuild testing.
- echo "exit 0" > scripts/maint/checkShellScripts.sh || die
-
- # Only needed for libressl patch
- eautoreconf
-}
-
-src_configure() {
- use doc && DOCS+=( README.md ChangeLog ReleaseNotes doc/HACKING )
-
- export ac_cv_lib_cap_cap_init=$(usex caps)
- export tor_cv_PYTHON="${EPYTHON}"
-
- local myeconfargs=(
- --localstatedir="${EPREFIX}/var"
- --disable-all-bugs-are-fatal
- --enable-system-torrc
- --disable-android
- --disable-coverage
- --disable-html-manual
- --disable-libfuzzer
- --enable-missing-doc-warnings
- --disable-module-dirauth
- --enable-pic
- --disable-restart-debugging
-
- # This option is enabled by default upstream w/ zstd, surprisingly.
- # zstd upstream says this shouldn't be relied upon and it may
- # break API & ABI at any point, so Tor tries to fake static-linking
- # to make it work, but then requires a rebuild on any new zstd version
- # even when its standard ABI hasn't changed.
- # See bug #727406 and bug #905708.
- --disable-zstd-advanced-apis
-
- $(use_enable man asciidoc)
- $(use_enable man manpage)
- $(use_enable lzma)
- $(use_enable scrypt libscrypt)
- $(use_enable seccomp)
- $(use_enable server module-relay)
- $(use_enable systemd)
- $(use_enable tor-hardening gcc-hardening)
- $(use_enable tor-hardening linker-hardening)
- $(use_enable test unittests)
- $(use_enable zstd)
- )
-
- econf "${myeconfargs[@]}"
-}
-
-src_install() {
- default
- readme.gentoo_create_doc
-
- newconfd "${FILESDIR}"/tor.confd tor
- newinitd "${FILESDIR}"/tor.initd-r9 tor
- systemd_dounit "${FILESDIR}"/tor.service
-
- keepdir /var/lib/tor
-
- fperms 750 /var/lib/tor
- fowners tor:tor /var/lib/tor
-
- insinto /etc/tor/
- newins "${FILESDIR}"/torrc-r2 torrc
-}
diff --git a/net-vpn/tor/tor-0.4.7.16-r1.ebuild b/net-vpn/tor/tor-0.4.7.16-r1.ebuild
deleted file mode 100644
index d0ca8a1..0000000
--- a/net-vpn/tor/tor-0.4.7.16-r1.ebuild
+++ /dev/null
@@ -1,182 +0,0 @@
-# Copyright 1999-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{10..12} )
-VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/torproject.org.asc
-inherit edo python-any-r1 readme.gentoo-r1 systemd verify-sig
-
-MY_PV="$(ver_rs 4 -)"
-MY_PF="${PN}-${MY_PV}"
-DESCRIPTION="Anonymizing overlay network for TCP"
-HOMEPAGE="https://www.torproject.org/ https://gitlab.torproject.org/tpo/core/tor/"
-
-if [[ ${PV} == 9999 ]] ; then
- EGIT_REPO_URI="https://gitlab.torproject.org/tpo/core/tor"
- inherit autotools git-r3
-else
- SRC_URI="
- https://www.torproject.org/dist/${MY_PF}.tar.gz
- https://archive.torproject.org/tor-package-archive/${MY_PF}.tar.gz
- verify-sig? (
- https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum
- https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum.asc
- )
- "
-
- S="${WORKDIR}/${MY_PF}"
-
- if [[ ${PV} != *_alpha* && ${PV} != *_beta* && ${PV} != *_rc* ]]; then
- KEYWORDS="~amd64 arm arm64 ~hppa ~mips ~ppc ~ppc64 ~riscv ~sparc x86 ~ppc-macos"
- fi
-
- BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-tor-20230727 )"
-fi
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-IUSE="caps doc lzma +man scrypt seccomp selinux +server systemd tor-hardening test zstd"
-RESTRICT="!test? ( test )"
-
-DEPEND="
- >=dev-libs/libevent-2.1.12-r1:=[ssl]
- dev-libs/openssl:=[-bindist(-)]
- sys-libs/zlib
- caps? ( sys-libs/libcap )
- man? ( app-text/asciidoc )
- lzma? ( app-arch/xz-utils )
- scrypt? ( app-crypt/libscrypt )
- seccomp? ( >=sys-libs/libseccomp-2.4.1 )
- systemd? ( sys-apps/systemd:= )
- zstd? ( app-arch/zstd:= )
-"
-RDEPEND="
- acct-user/tor
- acct-group/tor
- ${DEPEND}
- selinux? ( sec-policy/selinux-tor )
-"
-DEPEND+="
- test? (
- ${DEPEND}
- ${PYTHON_DEPS}
- )
-"
-
-DOCS=()
-
-PATCHES=(
- "${FILESDIR}"/${PN}-0.2.7.4-torrc.sample.patch
- "${FILESDIR}"/${PN}-0.4.7.13-libressl.patch
- "${FILESDIR}"/${PN}-0.4.7.13-opensslconf.patch
- "${FILESDIR}"/${P}-arm64-sandbox.patch
-)
-
-pkg_setup() {
- use test && python-any-r1_pkg_setup
-}
-
-src_unpack() {
- if [[ ${PV} == 9999 ]] ; then
- git-r3_src_unpack
- else
- if use verify-sig; then
- cd "${DISTDIR}" || die
- verify-sig_verify_detached ${MY_PF}.tar.gz.sha256sum{,.asc}
- verify-sig_verify_unsigned_checksums \
- ${MY_PF}.tar.gz.sha256sum sha256 ${MY_PF}.tar.gz
- cd "${WORKDIR}" || die
- fi
-
- default
- fi
-}
-
-src_prepare() {
- default
-
- # Running shellcheck automagically isn't useful for ebuild testing.
- echo "exit 0" > scripts/maint/checkShellScripts.sh || die
-
- if [[ ${PV} == 9999 ]] ; then
- eautoreconf
- fi
-}
-
-src_configure() {
- use doc && DOCS+=( README.md ChangeLog ReleaseNotes doc/HACKING )
-
- export ac_cv_lib_cap_cap_init=$(usex caps)
- export tor_cv_PYTHON="${EPYTHON}"
-
- local myeconfargs=(
- --localstatedir="${EPREFIX}/var"
- --disable-all-bugs-are-fatal
- --enable-system-torrc
- --disable-android
- --disable-coverage
- --disable-html-manual
- --disable-libfuzzer
- --enable-missing-doc-warnings
- --disable-module-dirauth
- --enable-pic
- --disable-restart-debugging
-
- $(use_enable man asciidoc)
- $(use_enable man manpage)
- $(use_enable lzma)
- $(use_enable scrypt libscrypt)
- $(use_enable seccomp)
- $(use_enable server module-relay)
- $(use_enable systemd)
- $(use_enable tor-hardening gcc-hardening)
- $(use_enable tor-hardening linker-hardening)
- $(use_enable test unittests)
- $(use_enable zstd)
- )
-
- econf "${myeconfargs[@]}"
-}
-
-src_test() {
- local skip_tests=(
- # Fails in sandbox
- :sandbox/open_filename
- :sandbox/openat_filename
- )
-
- if use arm ; then
- skip_tests+=(
- # bug #920905
- # https://gitlab.torproject.org/tpo/core/tor/-/issues/40912
- :sandbox/opendir_dirname
- :sandbox/openat_filename
- :sandbox/chmod_filename
- :sandbox/chown_filename
- :sandbox/rename_filename
- )
- fi
-
- # The makefile runs these by parallel by chunking them with a script
- # but that means we lose verbosity and can't skip individual tests easily
- # either.
- edo ./src/test/test --verbose "${skip_tests[@]}"
-}
-
-src_install() {
- default
- readme.gentoo_create_doc
-
- newconfd "${FILESDIR}"/tor.confd tor
- newinitd "${FILESDIR}"/tor.initd-r9 tor
- systemd_dounit "${FILESDIR}"/tor.service
-
- keepdir /var/lib/tor
-
- fperms 750 /var/lib/tor
- fowners tor:tor /var/lib/tor
-
- insinto /etc/tor/
- newins "${FILESDIR}"/torrc-r2 torrc
-}
diff --git a/net-vpn/tor/tor-0.4.7.16.ebuild b/net-vpn/tor/tor-0.4.7.16.ebuild
deleted file mode 100644
index 4ac7036..0000000
--- a/net-vpn/tor/tor-0.4.7.16.ebuild
+++ /dev/null
@@ -1,169 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{10..12} )
-VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/torproject.org.asc
-inherit edo python-any-r1 readme.gentoo-r1 systemd verify-sig
-
-MY_PV="$(ver_rs 4 -)"
-MY_PF="${PN}-${MY_PV}"
-DESCRIPTION="Anonymizing overlay network for TCP"
-HOMEPAGE="https://www.torproject.org/ https://gitlab.torproject.org/tpo/core/tor/"
-
-if [[ ${PV} == 9999 ]] ; then
- EGIT_REPO_URI="https://gitlab.torproject.org/tpo/core/tor"
- inherit autotools git-r3
-else
- SRC_URI="
- https://www.torproject.org/dist/${MY_PF}.tar.gz
- https://archive.torproject.org/tor-package-archive/${MY_PF}.tar.gz
- verify-sig? (
- https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum
- https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum.asc
- )
- "
-
- S="${WORKDIR}/${MY_PF}"
-
- if [[ ${PV} != *_alpha* && ${PV} != *_beta* && ${PV} != *_rc* ]]; then
- KEYWORDS="amd64 ~arm ~arm64 ~hppa ~mips ppc ppc64 ~riscv ~sparc ~x86 ~ppc-macos"
- fi
-
- BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-tor-20230727 )"
-fi
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-IUSE="caps doc lzma +man scrypt seccomp selinux +server systemd tor-hardening test zstd"
-RESTRICT="!test? ( test )"
-
-DEPEND="
- >=dev-libs/libevent-2.1.12-r1:=[ssl]
- dev-libs/openssl:=[-bindist(-)]
- sys-libs/zlib
- caps? ( sys-libs/libcap )
- man? ( app-text/asciidoc )
- lzma? ( app-arch/xz-utils )
- scrypt? ( app-crypt/libscrypt )
- seccomp? ( >=sys-libs/libseccomp-2.4.1 )
- systemd? ( sys-apps/systemd:= )
- zstd? ( app-arch/zstd:= )
-"
-RDEPEND="
- acct-user/tor
- acct-group/tor
- ${DEPEND}
- selinux? ( sec-policy/selinux-tor )
-"
-DEPEND+="
- test? (
- ${DEPEND}
- ${PYTHON_DEPS}
- )
-"
-
-DOCS=()
-
-PATCHES=(
- "${FILESDIR}"/${PN}-0.2.7.4-torrc.sample.patch
- "${FILESDIR}"/${PN}-0.4.7.13-libressl.patch
- "${FILESDIR}"/${PN}-0.4.7.13-opensslconf.patch
-)
-
-pkg_setup() {
- use test && python-any-r1_pkg_setup
-}
-
-src_unpack() {
- if [[ ${PV} == 9999 ]] ; then
- git-r3_src_unpack
- else
- if use verify-sig; then
- cd "${DISTDIR}" || die
- verify-sig_verify_detached ${MY_PF}.tar.gz.sha256sum{,.asc}
- verify-sig_verify_unsigned_checksums \
- ${MY_PF}.tar.gz.sha256sum sha256 ${MY_PF}.tar.gz
- cd "${WORKDIR}" || die
- fi
-
- default
- fi
-}
-
-src_prepare() {
- default
-
- # Running shellcheck automagically isn't useful for ebuild testing.
- echo "exit 0" > scripts/maint/checkShellScripts.sh || die
-
- if [[ ${PV} == 9999 ]] ; then
- eautoreconf
- fi
-}
-
-src_configure() {
- use doc && DOCS+=( README.md ChangeLog ReleaseNotes doc/HACKING )
-
- export ac_cv_lib_cap_cap_init=$(usex caps)
- export tor_cv_PYTHON="${EPYTHON}"
-
- local myeconfargs=(
- --localstatedir="${EPREFIX}/var"
- --disable-all-bugs-are-fatal
- --enable-system-torrc
- --disable-android
- --disable-coverage
- --disable-html-manual
- --disable-libfuzzer
- --enable-missing-doc-warnings
- --disable-module-dirauth
- --enable-pic
- --disable-restart-debugging
-
- $(use_enable man asciidoc)
- $(use_enable man manpage)
- $(use_enable lzma)
- $(use_enable scrypt libscrypt)
- $(use_enable seccomp)
- $(use_enable server module-relay)
- $(use_enable systemd)
- $(use_enable tor-hardening gcc-hardening)
- $(use_enable tor-hardening linker-hardening)
- $(use_enable test unittests)
- $(use_enable zstd)
- )
-
- econf "${myeconfargs[@]}"
-}
-
-src_test() {
- local skip_tests=(
- # Fails in sandbox
- :sandbox/open_filename
- :sandbox/openat_filename
- )
-
- # The makefile runs these by parallel by chunking them with a script
- # but that means we lose verbosity and can't skip individual tests easily
- # either.
- edo ./src/test/test --verbose "${skip_tests[@]}"
-}
-
-src_install() {
- default
- readme.gentoo_create_doc
-
- newconfd "${FILESDIR}"/tor.confd tor
- newinitd "${FILESDIR}"/tor.initd-r9 tor
- systemd_dounit "${FILESDIR}"/tor.service
-
- keepdir /var/lib/tor
-
- fperms 750 /var/lib/tor
- fowners tor:tor /var/lib/tor
-
- insinto /etc/tor/
- newins "${FILESDIR}"/torrc-r2 torrc
-}
diff --git a/net-vpn/tor/tor-0.4.8.10.ebuild b/net-vpn/tor/tor-0.4.8.10.ebuild
deleted file mode 100644
index 47b432d..0000000
--- a/net-vpn/tor/tor-0.4.8.10.ebuild
+++ /dev/null
@@ -1,190 +0,0 @@
-# Copyright 1999-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{10..12} )
-VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/torproject.org.asc
-inherit edo python-any-r1 readme.gentoo-r1 systemd verify-sig
-
-MY_PV="$(ver_rs 4 -)"
-MY_PF="${PN}-${MY_PV}"
-DESCRIPTION="Anonymizing overlay network for TCP"
-HOMEPAGE="https://www.torproject.org/ https://gitlab.torproject.org/tpo/core/tor/"
-
-if [[ ${PV} == 9999 ]] ; then
- EGIT_REPO_URI="https://gitlab.torproject.org/tpo/core/tor"
- inherit autotools git-r3
-else
- SRC_URI="
- https://www.torproject.org/dist/${MY_PF}.tar.gz
- https://archive.torproject.org/tor-package-archive/${MY_PF}.tar.gz
- verify-sig? (
- https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum
- https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum.asc
- )
- "
-
- S="${WORKDIR}/${MY_PF}"
-
- if [[ ${PV} != *_alpha* && ${PV} != *_beta* && ${PV} != *_rc* ]]; then
- KEYWORDS="amd64 arm arm64 ~hppa ~mips ppc ppc64 ~riscv ~sparc x86 ~ppc-macos"
- fi
-
- BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-tor-20230727 )"
-fi
-
-# BSD in general, but for PoW, needs --enable-gpl (GPL-3 per --version)
-# We also already had GPL-2 listed here for the init script, but obviously
-# that's different from the actual binary.
-LICENSE="BSD GPL-2 GPL-3"
-SLOT="0"
-IUSE="caps doc lzma +man scrypt seccomp selinux +server systemd tor-hardening test zstd"
-RESTRICT="!test? ( test )"
-
-DEPEND="
- >=dev-libs/libevent-2.1.12-r1:=[ssl]
- dev-libs/openssl:=[-bindist(-)]
- sys-libs/zlib
- caps? ( sys-libs/libcap )
- man? ( app-text/asciidoc )
- lzma? ( app-arch/xz-utils )
- scrypt? ( app-crypt/libscrypt )
- seccomp? ( >=sys-libs/libseccomp-2.4.1 )
- systemd? ( sys-apps/systemd:= )
- zstd? ( app-arch/zstd:= )
-"
-RDEPEND="
- acct-user/tor
- acct-group/tor
- ${DEPEND}
- selinux? ( sec-policy/selinux-tor )
-"
-DEPEND+="
- test? (
- ${DEPEND}
- ${PYTHON_DEPS}
- )
-"
-
-DOCS=()
-
-PATCHES=(
- "${FILESDIR}"/${PN}-0.2.7.4-torrc.sample.patch
- "${FILESDIR}"/${PN}-0.4.7.13-opensslconf.patch
-)
-
-pkg_setup() {
- use test && python-any-r1_pkg_setup
-}
-
-src_unpack() {
- if [[ ${PV} == 9999 ]] ; then
- git-r3_src_unpack
- else
- if use verify-sig; then
- cd "${DISTDIR}" || die
- verify-sig_verify_detached ${MY_PF}.tar.gz.sha256sum{,.asc}
- verify-sig_verify_unsigned_checksums \
- ${MY_PF}.tar.gz.sha256sum sha256 ${MY_PF}.tar.gz
- cd "${WORKDIR}" || die
- fi
-
- default
- fi
-}
-
-src_prepare() {
- default
-
- # Running shellcheck automagically isn't useful for ebuild testing.
- echo "exit 0" > scripts/maint/checkShellScripts.sh || die
-
- if [[ ${PV} == 9999 ]] ; then
- eautoreconf
- fi
-}
-
-src_configure() {
- use doc && DOCS+=( README.md ChangeLog ReleaseNotes doc/HACKING )
-
- export ac_cv_lib_cap_cap_init=$(usex caps)
- export tor_cv_PYTHON="${EPYTHON}"
-
- local myeconfargs=(
- --localstatedir="${EPREFIX}/var"
- --disable-all-bugs-are-fatal
- --enable-system-torrc
- --disable-android
- --disable-coverage
- --disable-html-manual
- --disable-libfuzzer
- --enable-missing-doc-warnings
- --disable-module-dirauth
- --enable-pic
- --disable-restart-debugging
-
- # Unless someone asks & has a compelling reason, just always
- # build in GPL mode for pow, given we don't want yet another USE
- # flag combination to have to test just for the sake of it.
- # (PoW requires GPL.)
- --enable-gpl
- --enable-module-pow
-
- $(use_enable man asciidoc)
- $(use_enable man manpage)
- $(use_enable lzma)
- $(use_enable scrypt libscrypt)
- $(use_enable seccomp)
- $(use_enable server module-relay)
- $(use_enable systemd)
- $(use_enable tor-hardening gcc-hardening)
- $(use_enable tor-hardening linker-hardening)
- $(use_enable test unittests)
- $(use_enable zstd)
- )
-
- econf "${myeconfargs[@]}"
-}
-
-src_test() {
- local skip_tests=(
- # Fails in sandbox
- :sandbox/open_filename
- :sandbox/openat_filename
- )
-
- if use arm ; then
- skip_tests+=(
- # bug #920905
- # https://gitlab.torproject.org/tpo/core/tor/-/issues/40912
- :sandbox/opendir_dirname
- :sandbox/openat_filename
- :sandbox/chmod_filename
- :sandbox/chown_filename
- :sandbox/rename_filename
- )
- fi
-
- # The makefile runs these by parallel by chunking them with a script
- # but that means we lose verbosity and can't skip individual tests easily
- # either.
- edo ./src/test/test --verbose "${skip_tests[@]}"
-}
-
-src_install() {
- default
- readme.gentoo_create_doc
-
- newconfd "${FILESDIR}"/tor.confd tor
- newinitd "${FILESDIR}"/tor.initd-r9 tor
- systemd_dounit "${FILESDIR}"/tor.service
-
- keepdir /var/lib/tor
-
- fperms 750 /var/lib/tor
- fowners tor:tor /var/lib/tor
-
- insinto /etc/tor/
- newins "${FILESDIR}"/torrc-r2 torrc
-}
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-07-21 2:27 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-07-21 2:27 [gentoo-commits] repo/proj/libressl:master commit in: net-vpn/tor/files/, net-vpn/tor/ orbea
-- strict thread matches above, loose matches on Subject: below --
2023-12-29 14:54 orbea
2023-04-26 15:28 orbea
2022-03-19 22:32 Quentin Retornaz
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox