Hi,
Please find attached a patch updating net/tor to the latest stable version.
According to the release announcement [*], this is the first stable version of
the 0.4.9.x series. Among many changes, it brings two major features:
- A new cryptographic protocol named "Counter Galois Onion", which provides
improved resistance to several types of tagging attacks, as well as better
forward secrecy and stronger protection against forgery
- A feature called "Happy Families", which will enable a significant reduction
in bandwidth usage
Best regards.
--
[*] https://forum.torproject.org/t/stable-release-0-4-9-5/21227
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/tor/Makefile,v
diff -u -p -r1.176 Makefile
--- Makefile 30 Jan 2026 19:47:51 -0000 1.176
+++ Makefile 14 Feb 2026 22:40:50 -0000
@@ -1,6 +1,6 @@
COMMENT= anonymity service using onion routing
-DISTNAME= tor-0.4.8.22
+DISTNAME= tor-0.4.9.5
CATEGORIES= net
HOMEPAGE= https://www.torproject.org/
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/tor/distinfo,v
diff -u -p -r1.141 distinfo
--- distinfo 30 Jan 2026 19:47:51 -0000 1.141
+++ distinfo 14 Feb 2026 22:40:50 -0000
@@ -1,2 +1,2 @@
-SHA256 (tor-0.4.8.22.tar.gz) = yIYg2SeKJ549In/2CXW4SqQTWSEfjs/2hgGZI7mSkzI=
-SIZE (tor-0.4.8.22.tar.gz) = 10625231
+SHA256 (tor-0.4.9.5.tar.gz) = yUnC+Gs0jmSJGXb2seScF3ZVsj35cZMEm/G4zTCZ4Xk=
+SIZE (tor-0.4.9.5.tar.gz) = 10810648
Index: patches/patch-configure_ac
===================================================================
RCS file: /cvs/ports/net/tor/patches/patch-configure_ac,v
diff -u -p -r1.22 patch-configure_ac
--- patches/patch-configure_ac 11 Nov 2025 19:24:37 -0000 1.22
+++ patches/patch-configure_ac 14 Feb 2026 22:40:50 -0000
@@ -2,7 +2,7 @@ disable -fasynchronous-unwind-tables as
Index: configure.ac
--- configure.ac.orig
+++ configure.ac
-@@ -1483,13 +1483,6 @@ fi
+@@ -1499,13 +1499,6 @@ fi
CFLAGS="$saved_CFLAGS"
AC_SUBST(F_OMIT_FRAME_POINTER)
Index: patches/patch-src_lib_crypt_ops_crypto_dh_openssl_c
===================================================================
RCS file: patches/patch-src_lib_crypt_ops_crypto_dh_openssl_c
diff -N patches/patch-src_lib_crypt_ops_crypto_dh_openssl_c
--- patches/patch-src_lib_crypt_ops_crypto_dh_openssl_c 11 Mar 2022 19:47:53 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,59 +0,0 @@
-Fix build with opaque structs in LibreSSL 3.5
-
-Index: src/lib/crypt_ops/crypto_dh_openssl.c
---- src/lib/crypt_ops/crypto_dh_openssl.c.orig
-+++ src/lib/crypt_ops/crypto_dh_openssl.c
-@@ -60,7 +60,7 @@ crypto_validate_dh_params(const BIGNUM *p, const BIGNU
- /* Copy into a temporary DH object, just so that DH_check() can be called. */
- if (!(dh = DH_new()))
- goto out;
--#ifdef OPENSSL_1_1_API
-+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
- BIGNUM *dh_p, *dh_g;
- if (!(dh_p = BN_dup(p)))
- goto out;
-@@ -223,7 +223,7 @@ new_openssl_dh_from_params(BIGNUM *p, BIGNUM *g)
- goto err;
- }
-
--#ifdef OPENSSL_1_1_API
-+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
-
- if (!DH_set0_pqg(res_dh, dh_p, NULL, dh_g)) {
- goto err;
-@@ -276,7 +276,7 @@ crypto_dh_get_bytes(crypto_dh_t *dh)
- int
- crypto_dh_generate_public(crypto_dh_t *dh)
- {
--#ifndef OPENSSL_1_1_API
-+#if !defined(OPENSSL_1_1_API) && !defined(LIBRESSL_VERSION_NUMBER)
- again:
- #endif
- if (!DH_generate_key(dh->dh)) {
-@@ -286,7 +286,7 @@ crypto_dh_generate_public(crypto_dh_t *dh)
- return -1;
- /* LCOV_EXCL_STOP */
- }
--#ifdef OPENSSL_1_1_API
-+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
- /* OpenSSL 1.1.x doesn't appear to let you regenerate a DH key, without
- * recreating the DH object. I have no idea what sort of aliasing madness
- * can occur here, so do the check, and just bail on failure.
-@@ -327,7 +327,7 @@ crypto_dh_get_public(crypto_dh_t *dh, char *pubkey, si
-
- const BIGNUM *dh_pub;
-
--#ifdef OPENSSL_1_1_API
-+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
- const BIGNUM *dh_priv;
- DH_get0_key(dh->dh, &dh_pub, &dh_priv);
- #else
-@@ -338,7 +338,7 @@ crypto_dh_get_public(crypto_dh_t *dh, char *pubkey, si
- if (crypto_dh_generate_public(dh)<0)
- return -1;
- else {
--#ifdef OPENSSL_1_1_API
-+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
- DH_get0_key(dh->dh, &dh_pub, &dh_priv);
- #else
- dh_pub = dh->dh->pub_key;
Index: patches/patch-src_lib_crypt_ops_crypto_rsa_openssl_c
===================================================================
RCS file: patches/patch-src_lib_crypt_ops_crypto_rsa_openssl_c
diff -N patches/patch-src_lib_crypt_ops_crypto_rsa_openssl_c
--- patches/patch-src_lib_crypt_ops_crypto_rsa_openssl_c 29 Aug 2023 20:25:19 -0000 1.3
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,41 +0,0 @@
-Fix build with opaque structs in LibreSSL 3.5
-
-Index: src/lib/crypt_ops/crypto_rsa_openssl.c
---- src/lib/crypt_ops/crypto_rsa_openssl.c.orig
-+++ src/lib/crypt_ops/crypto_rsa_openssl.c
-@@ -47,7 +47,7 @@ struct crypto_pk_t
- int
- crypto_pk_key_is_private(const crypto_pk_t *k)
- {
--#ifdef OPENSSL_1_1_API
-+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
- if (!k || !k->key)
- return 0;
-
-@@ -212,7 +212,7 @@ crypto_pk_public_exponent_ok(const crypto_pk_t *env)
-
- const BIGNUM *e;
-
--#ifdef OPENSSL_1_1_API
-+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
- const BIGNUM *n, *d;
- RSA_get0_key(env->key, &n, &e, &d);
- #else
-@@ -242,7 +242,7 @@ crypto_pk_cmp_keys(const crypto_pk_t *a, const crypto_
- const BIGNUM *a_n, *a_e;
- const BIGNUM *b_n, *b_e;
-
--#ifdef OPENSSL_1_1_API
-+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
- const BIGNUM *a_d, *b_d;
- RSA_get0_key(a->key, &a_n, &a_e, &a_d);
- RSA_get0_key(b->key, &b_n, &b_e, &b_d);
-@@ -279,7 +279,7 @@ crypto_pk_num_bits(crypto_pk_t *env)
- tor_assert(env);
- tor_assert(env->key);
-
--#ifdef OPENSSL_1_1_API
-+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
- /* It's so stupid that there's no other way to check that n is valid
- * before calling RSA_bits().
- */
Index: patches/patch-src_lib_tls_x509_openssl_c
===================================================================
RCS file: patches/patch-src_lib_tls_x509_openssl_c
diff -N patches/patch-src_lib_tls_x509_openssl_c
--- patches/patch-src_lib_tls_x509_openssl_c 11 Mar 2022 19:47:53 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,14 +0,0 @@
-Fix build with opaque structs in LibreSSL 3.5
-
-Index: src/lib/tls/x509_openssl.c
---- src/lib/tls/x509_openssl.c.orig
-+++ src/lib/tls/x509_openssl.c
-@@ -329,7 +329,7 @@ tor_tls_cert_is_valid(int severity,
- cert_key = X509_get_pubkey(cert->cert);
- if (check_rsa_1024 && cert_key) {
- RSA *rsa = EVP_PKEY_get1_RSA(cert_key);
--#ifdef OPENSSL_1_1_API
-+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
- if (rsa && RSA_bits(rsa) == 1024) {
- #else
- if (rsa && BN_num_bits(rsa->n) == 1024) {
Index: patches/patch-src_test_test_crypto_c
===================================================================
RCS file: patches/patch-src_test_test_crypto_c
diff -N patches/patch-src_test_test_crypto_c
--- patches/patch-src_test_test_crypto_c 29 Aug 2023 20:25:19 -0000 1.3
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,14 +0,0 @@
-Fix build with opaque structs in LibreSSL 3.5
-
-Index: src/test/test_crypto.c
---- src/test/test_crypto.c.orig
-+++ src/test/test_crypto.c
-@@ -187,7 +187,7 @@ test_crypto_dh(void *arg)
- dh4 = crypto_dh_new_openssl_tls();
- tt_assert(DH_generate_key(dh4));
- const BIGNUM *pk=NULL;
--#ifdef OPENSSL_1_1_API
-+#if defined(OPENSSL_1_1_API) || defined(LIBRESSL_VERSION_NUMBER)
- const BIGNUM *sk=NULL;
- DH_get0_key(dh4, &pk, &sk);
- #else
Index: patches/patch-src_test_test_crypto_openssl_c
===================================================================
RCS file: patches/patch-src_test_test_crypto_openssl_c
diff -N patches/patch-src_test_test_crypto_openssl_c
--- patches/patch-src_test_test_crypto_openssl_c 11 Mar 2022 19:47:53 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,14 +0,0 @@
-Fix build with opaque structs in LibreSSL 3.5
-
-Index: src/test/test_crypto_openssl.c
---- src/test/test_crypto_openssl.c.orig
-+++ src/test/test_crypto_openssl.c
-@@ -49,7 +49,7 @@ test_crypto_rng_engine(void *arg)
- ;
- }
-
--#ifndef OPENSSL_1_1_API
-+#if !defined(OPENSSL_1_1_API) && !defined(LIBRESSL_VERSION_NUMBER)
- #define EVP_ENCODE_CTX_new() tor_malloc_zero(sizeof(EVP_ENCODE_CTX))
- #define EVP_ENCODE_CTX_free(ctx) tor_free(ctx)
- #endif
