aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authororbea <orbea@riseup.net>2022-03-17 07:53:37 -0700
committerQuentin Retornaz <gentoo@retornaz.com>2022-03-19 23:32:34 +0100
commit47a88659300993df0096c720dd93d9bb914ea5d2 (patch)
tree0ae60226b7f605d976cedeb2e3aaf35bed9f5321 /net-vpn
parentdev-python/cryptography: Bump for version 36.0.2 (diff)
downloadlibressl-47a88659300993df0096c720dd93d9bb914ea5d2.tar.gz
libressl-47a88659300993df0096c720dd93d9bb914ea5d2.tar.bz2
libressl-47a88659300993df0096c720dd93d9bb914ea5d2.zip
net-vpn/tor: Added
Signed-off-by: orbea <orbea@riseup.net> Closes: https://github.com/gentoo/libressl/pull/391 Signed-off-by: Quentin Retornaz <gentoo@retornaz.com>
Diffstat (limited to 'net-vpn')
-rw-r--r--net-vpn/tor/Manifest2
-rw-r--r--net-vpn/tor/files/0.4.6.7-libressl.patch123
-rw-r--r--net-vpn/tor/files/README.gentoo8
-rw-r--r--net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch31
-rw-r--r--net-vpn/tor/files/tor.confd3
-rw-r--r--net-vpn/tor/files/tor.initd-r937
-rw-r--r--net-vpn/tor/files/tor.service38
-rw-r--r--net-vpn/tor/files/torrc-r27
-rw-r--r--net-vpn/tor/metadata.xml13
-rw-r--r--net-vpn/tor/tor-0.4.6.7.ebuild109
10 files changed, 371 insertions, 0 deletions
diff --git a/net-vpn/tor/Manifest b/net-vpn/tor/Manifest
new file mode 100644
index 0000000..e10ad5e
--- /dev/null
+++ b/net-vpn/tor/Manifest
@@ -0,0 +1,2 @@
+DIST tor-0.4.6.7.tar.gz 7790727 BLAKE2B da6b0fe0de6a334713cf881dece6ef5a932b0f4374a7dde1e1cb78b4b43944fd6156d84bd98c8be734a7cf81b99cb36187544028c3e4800d38d11d7286d19e12 SHA512 e5f9e235fc4b96f5e63e0bfa4ca412d0d11299a31cb77cae1c199b276d0dfbf3656657ddf910b22625dd49eb726d487666e80e8889db78c9edebbab0d80d9e03
+DIST tor-0.4.6.7.tar.gz.asc 833 BLAKE2B 2054c094cc8ce28bfc8822fa6b0ac5a028b41c96160d135da53112c4fcb7ae048e8d48b58f164dd33c6c7dd851aaa71173b2aa36f70411fc7cc2b67d346ce00b SHA512 d45caaa4795d05f1f1a558192c5eedff608c74be0ef933e0ff7a4f68123a109e38e7fe26222c66dfc8966a07f458eeadf77d7f4731d88389595b59413140e9a3
diff --git a/net-vpn/tor/files/0.4.6.7-libressl.patch b/net-vpn/tor/files/0.4.6.7-libressl.patch
new file mode 100644
index 0000000..d481ae2
--- /dev/null
+++ b/net-vpn/tor/files/0.4.6.7-libressl.patch
@@ -0,0 +1,123 @@
+Fix build with opaque structs in LibreSSL 3.5
+
+Index: src/lib/tls/x509_openssl.c
+--- a/src/lib/tls/x509_openssl.c.orig
++++ b/src/lib/tls/x509_openssl.c
+@@ -329,7 +329,7 @@ tor_tls_cert_is_valid(int severity,
+ cert_key = X509_get_pubkey(cert->cert);
+ if (check_rsa_1024 && cert_key) {
+ RSA *rsa = EVP_PKEY_get1_RSA(cert_key);
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ if (rsa && RSA_bits(rsa) == 1024) {
+ #else
+ if (rsa && BN_num_bits(rsa->n) == 1024) {
+Fix build with opaque structs in LibreSSL 3.5
+
+Index: src/lib/crypt_ops/crypto_rsa_openssl.c
+--- a/src/lib/crypt_ops/crypto_rsa_openssl.c.orig
++++ b/src/lib/crypt_ops/crypto_rsa_openssl.c
+@@ -47,7 +47,7 @@ struct crypto_pk_t
+ int
+ crypto_pk_key_is_private(const crypto_pk_t *k)
+ {
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ if (!k || !k->key)
+ return 0;
+
+@@ -212,7 +212,7 @@ crypto_pk_public_exponent_ok(const crypto_pk_t *env)
+
+ const BIGNUM *e;
+
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ const BIGNUM *n, *d;
+ RSA_get0_key(env->key, &n, &e, &d);
+ #else
+@@ -242,7 +242,7 @@ crypto_pk_cmp_keys(const crypto_pk_t *a, const crypto_
+ const BIGNUM *a_n, *a_e;
+ const BIGNUM *b_n, *b_e;
+
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ const BIGNUM *a_d, *b_d;
+ RSA_get0_key(a->key, &a_n, &a_e, &a_d);
+ RSA_get0_key(b->key, &b_n, &b_e, &b_d);
+@@ -279,7 +279,7 @@ crypto_pk_num_bits(crypto_pk_t *env)
+ tor_assert(env);
+ tor_assert(env->key);
+
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ /* It's so stupid that there's no other way to check that n is valid
+ * before calling RSA_bits().
+ */
+@@ -572,7 +572,7 @@ static bool
+ rsa_private_key_too_long(RSA *rsa, int max_bits)
+ {
+ const BIGNUM *n, *e, *p, *q, *d, *dmp1, *dmq1, *iqmp;
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+
+ #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,1)
+ n = RSA_get0_n(rsa);
+Fix build with opaque structs in LibreSSL 3.5
+
+Index: src/lib/crypt_ops/crypto_dh_openssl.c
+--- a/src/lib/crypt_ops/crypto_dh_openssl.c.orig
++++ b/src/lib/crypt_ops/crypto_dh_openssl.c
+@@ -60,7 +60,7 @@ crypto_validate_dh_params(const BIGNUM *p, const BIGNU
+ /* Copy into a temporary DH object, just so that DH_check() can be called. */
+ if (!(dh = DH_new()))
+ goto out;
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ BIGNUM *dh_p, *dh_g;
+ if (!(dh_p = BN_dup(p)))
+ goto out;
+@@ -223,7 +223,7 @@ new_openssl_dh_from_params(BIGNUM *p, BIGNUM *g)
+ goto err;
+ }
+
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+
+ if (!DH_set0_pqg(res_dh, dh_p, NULL, dh_g)) {
+ goto err;
+@@ -276,7 +276,7 @@ crypto_dh_get_bytes(crypto_dh_t *dh)
+ int
+ crypto_dh_generate_public(crypto_dh_t *dh)
+ {
+-#ifndef OPENSSL_1_1_API
++#if !defined(OPENSSL_1_1_API) && !defined(LIBRESSL_VERSION_NUMBER)
+ again:
+ #endif
+ if (!DH_generate_key(dh->dh)) {
+@@ -286,7 +286,7 @@ crypto_dh_generate_public(crypto_dh_t *dh)
+ return -1;
+ /* LCOV_EXCL_STOP */
+ }
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ /* OpenSSL 1.1.x doesn't appear to let you regenerate a DH key, without
+ * recreating the DH object. I have no idea what sort of aliasing madness
+ * can occur here, so do the check, and just bail on failure.
+@@ -327,7 +327,7 @@ crypto_dh_get_public(crypto_dh_t *dh, char *pubkey, si
+
+ const BIGNUM *dh_pub;
+
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ const BIGNUM *dh_priv;
+ DH_get0_key(dh->dh, &dh_pub, &dh_priv);
+ #else
+@@ -338,7 +338,7 @@ crypto_dh_get_public(crypto_dh_t *dh, char *pubkey, si
+ if (crypto_dh_generate_public(dh)<0)
+ return -1;
+ else {
+-#ifdef OPENSSL_1_1_API
++#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
+ DH_get0_key(dh->dh, &dh_pub, &dh_priv);
+ #else
+ dh_pub = dh->dh->pub_key;
diff --git a/net-vpn/tor/files/README.gentoo b/net-vpn/tor/files/README.gentoo
new file mode 100644
index 0000000..35214ac
--- /dev/null
+++ b/net-vpn/tor/files/README.gentoo
@@ -0,0 +1,8 @@
+We created a configuration file for tor, /etc/tor/torrc, but you can
+change it according to your needs. Use the torrc.sample that is in
+that directory as a guide. Also, to have privoxy work with tor
+just add the following line
+
+forward-socks4a / localhost:9050 .
+
+to /etc/privoxy/config. Notice the . at the end!
diff --git a/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch b/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch
new file mode 100644
index 0000000..5f9e258
--- /dev/null
+++ b/net-vpn/tor/files/tor-0.2.7.4-torrc.sample.patch
@@ -0,0 +1,31 @@
+diff -Nuar tor-0.2.7.4-rc.orig/src/config/torrc.sample.in tor-0.2.7.4-rc/src/config/torrc.sample.in
+--- tor-0.2.7.4-rc.orig/src/config/torrc.sample.in 2015-10-19 11:12:53.000000000 -0400
++++ tor-0.2.7.4-rc/src/config/torrc.sample.in 2015-10-21 21:18:49.151973113 -0400
+@@ -12,6 +12,11 @@
+ ## Tor will look for this file in various places based on your platform:
+ ## https://www.torproject.org/docs/faq#torrc
+
++## Default username and group the server will run as
++User tor
++
++PIDFile /run/tor/tor.pid
++
+ ## Tor opens a SOCKS proxy on port 9050 by default -- even if you don't
+ ## configure one below. Set "SOCKSPort 0" if you plan to run Tor only
+ ## as a relay, and not make any local application connections yourself.
+@@ -42,6 +47,7 @@
+ #Log notice syslog
+ ## To send all messages to stderr:
+ #Log debug stderr
++Log warn syslog
+
+ ## Uncomment this to start the process in the background... or use
+ ## --runasdaemon 1 on the command line. This is ignored on Windows;
+@@ -51,6 +57,7 @@
+ ## The directory for keeping all the keys/etc. By default, we store
+ ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
+ #DataDirectory @LOCALSTATEDIR@/lib/tor
++DataDirectory /var/lib/tor/data
+
+ ## The port on which Tor will listen for local connections from Tor
+ ## controller applications, as documented in control-spec.txt.
diff --git a/net-vpn/tor/files/tor.confd b/net-vpn/tor/files/tor.confd
new file mode 100644
index 0000000..4195bf3
--- /dev/null
+++ b/net-vpn/tor/files/tor.confd
@@ -0,0 +1,3 @@
+#
+# Set the file limit
+rc_ulimit="-n 30000"
diff --git a/net-vpn/tor/files/tor.initd-r9 b/net-vpn/tor/files/tor.initd-r9
new file mode 100644
index 0000000..c1639c2
--- /dev/null
+++ b/net-vpn/tor/files/tor.initd-r9
@@ -0,0 +1,37 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+command=/usr/bin/tor
+pidfile=/run/tor/tor.pid
+command_args="--hush --runasdaemon 1 --pidfile \"${pidfile}\""
+retry=${GRACEFUL_TIMEOUT:-60}
+stopsig=INT
+command_progress=yes
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+description="Anonymizing overlay network for TCP"
+description_checkconfig="Check for valid config file"
+description_reload="Reload the configuration"
+
+checkconfig() {
+ ${command} --verify-config --hush > /dev/null 2>&1
+ if [ $? -ne 0 ] ; then
+ eerror "Tor configuration (/etc/tor/torrc) is not valid."
+ eerror "Example is in /etc/tor/torrc.sample"
+ return 1
+ fi
+}
+
+start_pre() {
+ checkconfig || return 1
+ checkpath -d -m 0755 -o tor:tor /run/tor
+}
+
+reload() {
+ checkconfig || return 1
+ ebegin "Reloading Tor configuration"
+ start-stop-daemon -s HUP --pidfile ${pidfile}
+ eend $?
+}
diff --git a/net-vpn/tor/files/tor.service b/net-vpn/tor/files/tor.service
new file mode 100644
index 0000000..1663824
--- /dev/null
+++ b/net-vpn/tor/files/tor.service
@@ -0,0 +1,38 @@
+# tor.service -- this systemd configuration file for Tor sets up a
+# relatively conservative, hardened Tor service. You may need to
+# edit it if you are making changes to your Tor configuration that it
+# does not allow. Package maintainers: this should be a starting point
+# for your tor.service; it is not the last point.
+
+[Unit]
+Description=Anonymizing overlay network for TCP
+After=syslog.target network.target nss-lookup.target
+
+[Service]
+Type=notify
+NotifyAccess=all
+ExecStartPre=/usr/bin/tor -f /etc/tor/torrc --verify-config
+ExecStart=/usr/bin/tor -f /etc/tor/torrc
+ExecReload=/bin/kill -HUP ${MAINPID}
+KillSignal=SIGINT
+TimeoutSec=60
+Restart=on-failure
+WatchdogSec=1m
+LimitNOFILE=32768
+
+# Hardening
+Group=tor
+RuntimeDirectory=tor
+RuntimeDirectoryMode=0770
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=-/var/lib/tor
+ReadWriteDirectories=-/var/log/tor
+NoNewPrivileges=yes
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-vpn/tor/files/torrc-r2 b/net-vpn/tor/files/torrc-r2
new file mode 100644
index 0000000..b308104
--- /dev/null
+++ b/net-vpn/tor/files/torrc-r2
@@ -0,0 +1,7 @@
+#
+# Minimal torrc so tor will work out of the box
+#
+User tor
+PIDFile /run/tor/tor.pid
+Log notice syslog
+DataDirectory /var/lib/tor/data
diff --git a/net-vpn/tor/metadata.xml b/net-vpn/tor/metadata.xml
new file mode 100644
index 0000000..c1b2764
--- /dev/null
+++ b/net-vpn/tor/metadata.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer type="person">
+ <email>blueness@gentoo.org</email>
+ <name>Anthony G. Basile</name>
+ </maintainer>
+ <use>
+ <flag name="scrypt">Use <pkg>app-crypt/libscrypt</pkg> for the scrypt algorithm</flag>
+ <flag name="server">Enable tor's relay module so it can operate as a relay/bridge/authority</flag>
+ <flag name="tor-hardening">Compile tor with hardening on vanilla compilers/linkers</flag>
+ </use>
+</pkgmetadata>
diff --git a/net-vpn/tor/tor-0.4.6.7.ebuild b/net-vpn/tor/tor-0.4.6.7.ebuild
new file mode 100644
index 0000000..e29cdd7
--- /dev/null
+++ b/net-vpn/tor/tor-0.4.6.7.ebuild
@@ -0,0 +1,109 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+PYTHON_COMPAT=( python3_{8,9} )
+inherit flag-o-matic python-any-r1 readme.gentoo-r1 systemd verify-sig
+
+MY_PV="$(ver_rs 4 -)"
+MY_PF="${PN}-${MY_PV}"
+DESCRIPTION="Anonymizing overlay network for TCP"
+HOMEPAGE="https://www.torproject.org/"
+SRC_URI="https://www.torproject.org/dist/${MY_PF}.tar.gz
+ https://archive.torproject.org/tor-package-archive/${MY_PF}.tar.gz
+ verify-sig? ( https://dist.torproject.org/${MY_PF}.tar.gz.asc )"
+S="${WORKDIR}/${MY_PF}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+if [[ ${PV} != *_alpha* && ${PV} != *_beta* && ${PV} != *_rc* ]]; then
+ KEYWORDS="amd64 arm arm64 ~mips ppc ppc64 ~riscv x86 ~ppc-macos"
+fi
+IUSE="caps doc lzma +man scrypt seccomp selinux +server systemd tor-hardening test zstd"
+VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/torproject.org.asc
+
+BDEPEND="verify-sig? ( sec-keys/openpgp-keys-tor )"
+DEPEND="
+ dev-libs/libevent:=[ssl]
+ sys-libs/zlib
+ caps? ( sys-libs/libcap )
+ man? ( app-text/asciidoc )
+ dev-libs/openssl:0=[-bindist(-)]
+ lzma? ( app-arch/xz-utils )
+ scrypt? ( app-crypt/libscrypt )
+ seccomp? ( >=sys-libs/libseccomp-2.4.1 )
+ systemd? ( sys-apps/systemd )
+ zstd? ( app-arch/zstd )"
+RDEPEND="
+ acct-user/tor
+ acct-group/tor
+ ${DEPEND}
+ selinux? ( sec-policy/selinux-tor )"
+
+# bug #764260
+DEPEND+="
+ test? (
+ ${DEPEND}
+ ${PYTHON_DEPS}
+ )"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-0.2.7.4-torrc.sample.patch
+ "${FILESDIR}"/${PV}-libressl.patch
+)
+
+DOCS=()
+
+RESTRICT="!test? ( test )"
+
+pkg_setup() {
+ use test && python-any-r1_pkg_setup
+}
+
+src_configure() {
+ use doc && DOCS+=( README ChangeLog ReleaseNotes doc/HACKING )
+ export ac_cv_lib_cap_cap_init=$(usex caps)
+ econf \
+ --localstatedir="${EPREFIX}/var" \
+ --disable-all-bugs-are-fatal \
+ --enable-system-torrc \
+ --disable-android \
+ --disable-html-manual \
+ --disable-libfuzzer \
+ --enable-missing-doc-warnings \
+ --disable-module-dirauth \
+ --enable-pic \
+ --disable-rust \
+ --disable-restart-debugging \
+ --disable-zstd-advanced-apis \
+ $(use_enable man asciidoc) \
+ $(use_enable man manpage) \
+ $(use_enable lzma) \
+ $(use_enable scrypt libscrypt) \
+ $(use_enable seccomp) \
+ $(use_enable server module-relay) \
+ $(use_enable systemd) \
+ $(use_enable tor-hardening gcc-hardening) \
+ $(use_enable tor-hardening linker-hardening) \
+ $(use_enable test unittests) \
+ $(use_enable test coverage) \
+ $(use_enable zstd)
+}
+
+src_install() {
+ default
+ readme.gentoo_create_doc
+
+ newconfd "${FILESDIR}"/tor.confd tor
+ newinitd "${FILESDIR}"/tor.initd-r9 tor
+ systemd_dounit "${FILESDIR}"/tor.service
+
+ keepdir /var/lib/tor
+
+ fperms 750 /var/lib/tor
+ fowners tor:tor /var/lib/tor
+
+ insinto /etc/tor/
+ newins "${FILESDIR}"/torrc-r2 torrc
+}